I developed this web-based educational vulnerability scanner to provide a safe and controlled environment for demonstrating common web security flaws. Built with Flask and Python, the tool allows users to scan predefined demo targets for vulnerabilities like SQL Injection (SQLi) and Cross-Site Scripting (XSS).
I wanted to create a hands-on tool that helps students and aspiring security researchers understand how vulnerabilities are detected at the code level. I realized that many people find “black-box” scanning intimidating, so I built this scanner to be transparent and ethical—restricting it to safe demo environments so users can learn without the risk of harming live production websites.
What it does
I designed the scanner to focus on the most common web-based attack vectors found in the OWASP Top 10:
SQL Injection (SQLi) Detection: I implemented logic to identify forms that are susceptible to malicious SQL queries.
Cross-Site Scripting (XSS) Scanning: The tool analyzes how web pages handle user-supplied data to detect potential script injection points.
Target Verification: For safety, I built a verification system that restricts scans to predefined targets like “Juice Shop” or “Localhost.”
Real-time Results: I created a clean, intuitive web interface that displays simulated vulnerability results immediately after a scan.
How I built it
Core Logic: I wrote the scanning engine in Python, utilizing BeautifulSoup to parse HTML and identify input forms and Requests to simulate interactions with the target server.
Backend: I used Flask to handle the web routing and the communication between the UI and the scanning core.
Security layer: I developed a security.py module specifically to act as a whitelist, ensuring that the scanner cannot be used for unauthorized activities.
Deployment: I deployed the final application on Render, configuring it to automatically bind to the correct ports for seamless web access.
Challenges I ran into
Safe Scoping: One of my biggest challenges was ensuring the scanner couldn’t be “tricked” into scanning non-whitelisted sites. I had to refine my URL parsing logic to prevent bypass attempts.
Parsing Complex Forms: I found that many modern web applications use dynamic forms that are difficult for basic scrapers to read. I spent extra time optimizing my BeautifulSoup selectors to ensure accurate form detection.
Deployment Port Mapping: I initially struggled with getting the Flask app to communicate correctly with Render’s environment variables, which required a deep dive into gunicorn and port binding.
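To illustrate the "Safe Scoping" challenge above, here is an added example of an exact-match target check; it is not the project's actual security.py. The function names, the allowlist entries and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: exact (host, port) pairs for local demo targets.
ALLOWED_TARGETS = {("localhost", 3000), ("127.0.0.1", 3000)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_target(url):
    """Return (allowed, reason) for a user-supplied scan target (hypothetical helper)."""
    if not isinstance(url, str):
        return False, "not a string"
    # Backslashes, whitespace and control characters are read differently by
    # different URL parsers, so refuse them instead of guessing.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False, "ambiguous character"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in DEFAULT_PORTS:
        return False, "scheme not allowed"
    # "http://localhost:3000@other.example/" has host other.example, not localhost.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = parts.hostname or ""  # urlsplit already lowercases the hostname
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    # Compare the parsed host and port as a whole; never use substring,
    # prefix or suffix matching on the raw URL.
    if (host, port) not in ALLOWED_TARGETS:
        return False, "host/port not allowlisted"
    return True, "ok"


def is_allowed_target(url):
    return check_target(url)[0]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the project.
    samples = [
        "http://localhost:3000/login",
        "HTTP://LOCALHOST:3000/",
        "http://localhost:3000@attacker.example/",
        "http://localhost.attacker.example:3000/",
        "http://attacker.example/?next=http://localhost:3000/",
        "file:///etc/passwd",
    ]
    for s in samples:
        print(s, "->", check_target(s))
```

Because Requests follows redirects by default, a scanner using a check like this would also pass `allow_redirects=False` and run every `Location` value through the same function before requesting it.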
Accomplishments that I am proud of
I successfully created a functional, ethical hacking tool that is accessible directly through a web browser.
I maintained a strict security posture by successfully implementing a robust whitelist system.
I delivered a project that serves as a practical educational resource for understanding web security.
What I learned
I gained a much deeper understanding of how automated vulnerability scanners “see” the web.
I learned how to manage security-sensitive Python applications in a cloud-hosted environment.
I improved my skills in ethical software design, specifically how to build tools that prevent misuse while still being useful for learning.
What is next for my Scanner
I plan to add more vulnerability checks, such as Insecure Security Headers and Command Injection.
I want to enhance the UI/UX with better result visualization, perhaps using D3.js for interactive threat reports.
I am looking to Dockerize the entire application to allow for more consistent and isolated local deployments for classroom settings.