Web Applications Vulnerabilities
This tool automates the process of auditing a web application for common security vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and missing HTTP security headers. The results of the audit are stored in an HTML report for easy review.
- Automatically scrape all forms and input fields.
- Test for SQL Injection vulnerabilities using SQLMap.
- Test for XSS vulnerabilities by injecting payloads.
- Check for missing HTTP security headers (like
Strict-Transport-Security,X-Content-Type-Options, etc.).
- Python 3.x
requests,beautifulsoup4,sqlmap(installed viapip)
Clone this repository and install the required dependencies
Starting security audit for https://example.com...
Scraping forms and input fields...
Testing for SQL Injection vulnerability on parameter: username...
SQL Injection vulnerability detected on username. Result: Vulnerable to SQL Injection.
Testing for SQL Injection vulnerability on parameter: password...
No SQL Injection vulnerability detected on password.
Testing for XSS vulnerability on parameter: username...
XSS vulnerability detected on username. Result: Cross-site scripting found.
Testing for XSS vulnerability on parameter: password...
No XSS vulnerability detected on password.
Checking for missing security headers...
Security audit completed. Report generated: security_report.html<html>
<head><title>Security Scan Report</title></head>
<body>
<h1>Security Scan Report</h1>
<h2>Vulnerabilities Detected</h2>
<p>SQL Injection vulnerability detected on username. Result: Vulnerable to SQL Injection.</p>
<p>XSS vulnerability detected on username. Result: Cross-site scripting found.</p>
<p>Missing security headers: X-Frame-Options, Strict-Transport-Security</p>
</body>
</html>- Input: The script starts by running a security audit on a target URL (
https://example.com). - Form Scraping: The script scrapes all forms and input fields from the target URL.
- SQL Injection Test: It checks each form parameter for SQL Injection vulnerabilities.
- In this example, the parameter
usernameis found to be vulnerable to SQL Injection, butpasswordis safe.
- In this example, the parameter
- XSS Test: The script tests each form parameter for XSS (Cross-Site Scripting) vulnerabilities.
- The
usernamefield is found to be vulnerable to XSS, whilepasswordis safe.
- The
- Security Header Check: The script checks for missing security headers (like
X-Frame-Options,Strict-Transport-Security).- Missing headers are added to the report if detected.
- Report Generation: After completing the audit, the results are saved to an HTML report, which details all detected vulnerabilities.
- Output: The script generates a report in the file
security_report.html.