A lightweight web application vulnerability scanner for finding reflected XSS, SQL injection, insecure cookie configurations, missing security headers, and other common web vulnerabilities.
Only scan applications you own or have explicit permission to test. Unauthorized scanning is illegal and unethical. This tool is for educational and authorized security testing purposes only.
- Web Crawling: Discovers endpoints and forms on target websites
- XSS Detection: Tests for reflected and stored Cross-Site Scripting vulnerabilities
- SQL Injection Testing: Detects error-based and anomaly-based SQL injection
- Cookie Security Audit: Comprehensive cookie analysis including missing flags, lifetime issues, and configuration regressions
- Security Headers Audit: Checks for missing or weak security headers (CSP, HSTS, X-Frame-Options, etc.)
- Concurrent Scanning: Fast scanning with configurable concurrency
- Multiple Output Formats: HTML, CSV, and JSON reports with detailed vulnerability information
- Robots.txt Support: Respects robots.txt by default (can be disabled)
- Python 3.10 or higher
- pip
- Clone or download this repository
- Install dependencies:
```bash
pip install -r requirements.txt
```

Or install as a package:

```bash
pip install -e .
```

Basic usage:

```bash
python -m vectorguard.cli https://example.com
```

Advanced usage with options:

```bash
python -m vectorguard.cli https://example.com \
  --max-pages 100 \
  --concurrency 10 \
  --output-dir ./reports \
  --output-format all \
  --timeout 15 \
  --rate-delay 0.5
```

Options:

- `target`: Target URL to scan (required)
- `--max-pages`: Maximum number of pages to crawl (default: 50)
- `--concurrency`: Number of concurrent requests (default: 6)
- `--timeout`: Request timeout in seconds (default: 10)
- `--rate-delay`: Delay between requests in seconds (default: 0.3)
- `--no-robots`: Do not respect robots.txt
- `--output-dir`: Output directory for reports (default: current directory)
- `--output-format`: Output format: html, csv, json, or all (default: all)
- `--no-xss`: Skip XSS testing
- `--no-sqli`: Skip SQL injection testing
- `--test-command-injection`: Test for command injection (use with caution)
- `--no-stored-xss`: Disable stored XSS testing (enabled by default)
- `--user-agent`: Custom User-Agent string
Quick scan with a small page limit:

```bash
python -m vectorguard.cli https://example.com --max-pages 20
```

Full scan with custom settings and all report formats:

```bash
python -m vectorguard.cli https://example.com \
  --max-pages 100 \
  --concurrency 10 \
  --output-dir ./reports \
  --output-format all
```

Ignore robots.txt:

```bash
python -m vectorguard.cli https://example.com --no-robots
```

Skip SQL injection testing:

```bash
python -m vectorguard.cli https://example.com --no-sqli
```

Stored XSS testing is enabled by default. To explicitly disable it:

```bash
python -m vectorguard.cli https://example.com --no-stored-xss
```

To focus on stored XSS for a target that you know is vulnerable (e.g., a lab app), keep XSS enabled and limit pages:

```bash
python -m vectorguard.cli https://example.com \
  --max-pages 10 \
  --concurrency 2
```

The scanner generates reports in the following formats:

- HTML Report (`scan_report.html`): Visual report with detailed findings, severity scores, and confidence levels
- CSV Report (`scan_report.csv`): Machine-readable format for analysis and integration
- JSON Report (`scan_report.json`): Structured data with full vulnerability details including context, evidence, and HTML snippets
Note: Security headers and cookie audits are performed automatically on all endpoints, even when XSS or SQL injection testing is disabled.
For safe testing, you can use a deliberately vulnerable application like OWASP Juice Shop:
```bash
# Run Juice Shop in Docker
docker run --rm -p 3000:3000 bkimminich/juice-shop

# Scan it
python -m vectorguard.cli http://localhost:3000 --max-pages 20
```

This repository also includes a tiny Flask app with obvious stored XSS vulnerabilities for quick end-to-end testing:

```bash
# In one terminal: run the vulnerable demo app
python testing_for_stored_xss/stored_xss_demo.app.py

# In another terminal: scan it with VectorGuard
python -m vectorguard.cli http://localhost:8000 \
  --max-pages 5 \
  --concurrency 2 \
  --output-dir ./demo-report
```

In the generated HTML report (`demo-report/scan_report.html`), you should see:

- Summary by Vulnerability Type: a non-zero Stored XSS count.
- Detailed Findings: one or more `Stored XSS` / `Stored XSS (Potential)` entries with evidence showing where the payload was injected and where it was later stored.
```
vectorguard/
├── vectorguard/
│   ├── __init__.py
│   ├── cli.py           # Command-line interface
│   ├── crawler.py       # Web crawler
│   ├── injector.py      # Payload injection
│   ├── detectors.py     # Vulnerability detection
│   ├── report.py        # Report generation
│   └── payloads.py      # Test payloads
├── examples/
│   └── run_scan.sh      # Example script
├── requirements.txt     # Dependencies
├── setup.py             # Package setup
└── README.md            # This file
```
- Tests for payload reflection in responses
- Detects HTML-encoded reflections
- Uses multiple XSS payload variations
- Enhanced detection with context analysis and severity scoring
- Injects payloads into forms that are likely to store data (comments, posts, profiles, etc.)
- Supports API endpoints (REST/JSON) for modern SPAs
- Tracks injected payloads (with unique `VGXSS_...` markers) and checks if they appear on pages after injection
- Automatically identifies storage forms based on method/fields, and scans common API storage endpoints (`/api/feedbacks`, `/rest/comments`, etc.)
- Supports both JSON and form-encoded payloads
- Error-based Detection: Identifies SQL error messages in responses
- Anomaly-based Detection: Detects response differences (status codes, length changes)
- Parameter Testing: Tests both GET and POST parameters
- SQL Error Disclosure: Passively scans for SQL errors in page content without injection
- Missing Flags: Checks for missing Secure, HttpOnly, and SameSite attributes
- Configuration Issues: Detects SameSite=None without Secure flag
- Domain Scope: Identifies overly broad cookie domain scopes
- Lifetime Analysis: Flags excessive cookie lifetimes (>365 days)
- Session Cookie Detection: Special checks for session-related cookies
- Regression Detection: Identifies inconsistent cookie configurations across endpoints
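The cookie checks listed above, as an added example that is not VectorGuard's own code: a small auditor over raw `Set-Cookie` values that applies the same rules (missing flags, `SameSite=None` without `Secure`, a `Domain` wider than the host, lifetime over 365 days, higher severity for session-looking names) plus the cross-endpoint regression check. The sample headers are constructed; the session-name pattern and the severity levels are this example's assumptions.

```python
import re

# Session-looking names get a higher severity (assumption: the scanner's own name
# heuristics are not documented on this page).
SESSION_RE = re.compile(r"sess|sid|auth|token|jwt", re.IGNORECASE)
MAX_LIFETIME = 365 * 24 * 3600  # the >365-day threshold from the feature list

def parse_set_cookie(header):
    """Split one raw Set-Cookie value into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookie(header, host):
    """Return (severity, finding) tuples for one Set-Cookie header seen on `host`."""
    name, _, attrs = parse_set_cookie(header)
    sev = "high" if SESSION_RE.search(name) else "medium"  # session cookies matter more
    findings = []
    if "secure" not in attrs:
        findings.append((sev, "missing Secure"))
    if "httponly" not in attrs:
        findings.append((sev, "missing HttpOnly"))
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append(("low", "missing SameSite"))
    elif samesite == "none" and "secure" not in attrs:
        findings.append(("high", "SameSite=None without Secure"))  # browsers reject this
    # Any Domain attribute covers all subdomains; flag it when wider than the host.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != host.lower():
        findings.append(("low", "Domain=%s is broader than %s" % (domain, host)))
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > MAX_LIFETIME:
        findings.append(("medium", "lifetime exceeds 365 days"))
    return findings

def find_regressions(by_endpoint):
    """Cookie names whose attribute set differs between endpoints (one handler sets Secure, another omits it)."""
    seen = {}  # name -> {endpoint: frozenset(attribute names)}
    for endpoint, headers in by_endpoint.items():
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            seen.setdefault(name, {})[endpoint] = frozenset(attrs)
    return {n: eps for n, eps in seen.items() if len(set(eps.values())) > 1}

# Constructed sample headers, grouped per endpoint as a crawler would collect them.
SAMPLE = {"/login": ["sid=1; Secure; HttpOnly; SameSite=Lax"],
          "/logout": ["sid=2; HttpOnly", "prefs=dark; Domain=example.com; Max-Age=63072000"]}
```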
- Content-Security-Policy (CSP): Checks for missing or weak CSP configurations
- Strict-Transport-Security (HSTS): Validates HSTS max-age and includeSubDomains
- X-Frame-Options: Verifies clickjacking protection
- X-Content-Type-Options: Ensures nosniff is properly set
- Referrer-Policy: Evaluates referrer policy strength
- Permissions-Policy: Checks for overly permissive feature policies
- Inconsistency Detection: Identifies header configuration regressions across endpoints
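The header checks listed above, as an added example that is not VectorGuard's own code: an auditor over one response's headers covering CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. The two sample responses are constructed; the one-year HSTS minimum and the definition of a weak CSP script source are this example's assumptions, not the scanner's documented thresholds.

```python
import re

HSTS_MIN_AGE = 31536000  # one year; assumption, the page does not state the scanner's threshold
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}
# Script sources that let arbitrary script run: unsafe-inline/eval, a bare wildcard, a bare scheme.
WEAK_SCRIPT_SRC = re.compile(r"'unsafe-inline'|'unsafe-eval'|(^|\s)(\*|https?:)(\s|$)")

def audit_headers(headers):
    """Return a list of finding strings for one response's headers (case-insensitive names)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = {d.split()[0]: d for d in (x.strip() for x in csp.split(";")) if d}
        script = directives.get("script-src") or directives.get("default-src", "")
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        elif WEAK_SCRIPT_SRC.search(script):
            findings.append("CSP script policy is weak: " + script)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    rp = h.get("referrer-policy", "").lower()
    if not rp or rp in WEAK_REFERRER:
        findings.append("Referrer-Policy missing or weak")
    if re.search(r"=\s*\*", h.get("permissions-policy", "")):
        findings.append("Permissions-Policy grants a feature to all origins (*)")
    return findings

# Constructed sample responses (not from any real site): one hardened, one weak.
STRONG = {"Content-Security-Policy": "default-src 'self'; script-src 'self'",
          "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
          "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
          "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=()"}
WEAK = {"Content-Security-Policy": "default-src * 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url",
        "Permissions-Policy": "geolocation=*"}
```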
This is an MVP scanner with the following limitations:
- Basic payload testing only
- No DOM-based XSS detection
- Stored XSS detection is best-effort and tuned for common comment/review/profile/storage patterns
- No time-based SQL injection testing
- Limited command injection testing
- No authentication handling
- No CSRF token handling
Planned enhancements:

- DOM-based XSS detection
- Stored XSS detection
- Richer heuristics for complex workflows and DOM-based sinks
- Time-based SQL injection
- Authentication support
- CSRF token handling
- More sophisticated payloads
- Plugin architecture
- Async/await for better performance
- Integration with bug tracking systems
Contributions are welcome! Please ensure you:
- Follow the code style
- Add tests for new features
- Update documentation
- Respect security best practices
MIT License - See LICENSE file for details
This tool is provided for educational and authorized testing purposes only. The authors are not responsible for any misuse of this tool. Always ensure you have proper authorization before scanning any target.