This Python-based vulnerability scanner is designed to test for common web vulnerabilities in the Damn Vulnerable Web Application (DVWA). It automates the process of crawling through web pages, identifying forms, and testing for vulnerabilities such as XSS, SQL injection, command injection, CSRF, and file inclusion.
- XSS Detection: Identifies Cross-Site Scripting vulnerabilities in forms and URLs.
- SQL Injection Detection: Tests for SQL Injection vulnerabilities in forms and URLs.
- Command Injection Detection: Checks for Command Injection vulnerabilities in URLs.
- CSRF Detection: Identifies forms that lack Cross-Site Request Forgery (CSRF) tokens.
- File Inclusion Detection: Tests for Local and Remote File Inclusion vulnerabilities.
-
Clone the Repository:
git clone https://github.com/Lakshminarayan-p/vulnerability_scanner.git cd vulnerability-scanner
-
Install Dependencies: Ensure Python 2.7 is installed along with the required libraries:
pip install requests BeautifulSoup
-
Configuration:
- Update the
target_url
andlinks_to_ignore
variables inscanner.py
andvulnerability_scanner.py
to match your DVWA instance URL and any URLs you want to ignore (e.g., logout links).
- Update the
-
Run the Scanner: Execute
vulnerability_scanner.py
to start scanning:python vulnerability_scanner.py
This script will log into DVWA, crawl all accessible links, and test for vulnerabilities as configured.
- Customization: Modify the scanner to add additional vulnerability tests or customize existing ones.
- Logging: Monitor console output for vulnerability alerts and investigate reported issues.
Upon running the scanner, you will see output similar to:
[+] Testing form in http://192.168.44.101/dvwa/vulnerabilities/xss_r/
--------------------------------------------------
[*****] XSS discovered in http://192.168.44.101/dvwa/vulnerabilities/xss_r/ in the following form:
<form method="post" action="xss_r.php">
<input type="text" name="name">
<input type="submit" value="Submit">
</form>
--------------------------------------------------
[+] Testing form in http://192.168.44.101/dvwa/vulnerabilities/sqli/
--------------------------------------------------
[*****] SQL Injection discovered in http://192.168.44.101/dvwa/vulnerabilities/sqli/ in the following form:
<form method="post" action="sqli.php">
<input type="text" name="id">
<input type="submit" value="Submit">
</form>
--------------------------------------------------
For any queries, please reach out to Lakshmi Narayan.P.