import socket
import ssl
import time
from urllib.parse import urljoin, urlparse

import pandas as pd
import requests
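def check_url_vulnerabilities(url, output_file="vulnerability_report.csv"):
    """Run a set of heuristic web checks against *url* and write findings to CSV.

    Every check is a plain request/response heuristic (string matching on the
    body, a 200 status, or a header being absent), so each row in the report is
    an indication to verify by hand, not a confirmed vulnerability.

    Args:
        url: Base URL to scan, including scheme and host.
        output_file: Path of the CSV file that receives the findings.

    Raises:
        ValueError: if *url* has no host part.

    Side effects:
        Sends many HTTP requests to the target, opens TCP connections to a fixed
        port list, prints progress/errors to stdout and writes *output_file*
        only when at least one finding was recorded.
    """
    parsed_url = urlparse(url)
    if not parsed_url.hostname:
        raise ValueError(f"URL has no host part: {url!r}")
    domain = parsed_url.netloc      # host[:port], reused to build subdomain URLs
    scheme = parsed_url.scheme
    hostname = parsed_url.hostname  # bare host for socket/TLS probes (no port)

    print(f"Scanning {url} for vulnerabilities...\n")
    results = []

    def add_finding(target, vuln_type, **extra):
        # Column names ("URL", "Vulnerability Type", "Payload"/"Details") are the
        # report's existing CSV schema; keep them stable for downstream readers.
        results.append({"URL": target, "Vulnerability Type": vuln_type, **extra})

    def send_request(target_url, method="get", quiet=False, **kwargs):
        # Single chokepoint for HTTP so every check shares timeout and error handling.
        # Returns None on any requests failure; quiet=True suppresses the error line
        # for probes where failure is the expected outcome (e.g. missing subdomains).
        kwargs.setdefault("timeout", 10)
        try:
            return requests.request(method, target_url, **kwargs)
        except requests.RequestException as e:
            if not quiet:
                print(f"[Error] Could not access {target_url}: {e}")
            return None

    def probe_paths(paths, vuln_type, detail_prefix):
        # Report every path under the base URL that answers 200 OK.
        for path in paths:
            target = urljoin(url, path)
            response = send_request(target)
            if response and response.status_code == 200:
                add_finding(target, vuln_type, Details=f"{detail_prefix}{path}")

    # The base page is fetched once and shared by the checks that only inspect it.
    base_response = send_request(url)

    # SQL injection: an error-looking string in the response is taken as a hit.
    sql_payloads = ["'", "\"", "1=1", "' OR '1'='1", '" OR "1"="1']
    for payload in sql_payloads:
        test_url = f"{url}?test={payload}"
        response = send_request(test_url)
        if response and ("SQL" in response.text or "syntax" in response.text):
            add_finding(test_url, "SQL Injection", Payload=payload)

    # Reflected XSS: the payload appearing verbatim in the body is taken as a hit.
    xss_payloads = [
        "<script>alert('XSS')</script>",
        "<img src=x onerror=alert(1)>",
        "'><script>alert('XSS')</script>",
    ]
    for payload in xss_payloads:
        test_url = f"{url}?test={payload}"
        response = send_request(test_url)
        if response and payload in response.text:
            add_finding(test_url, "XSS", Payload=payload)

    # Directory traversal: a 200 whose body looks like a passwd file.
    traversal_payloads = ["../../", "../etc/passwd", "../windows/system32"]
    for payload in traversal_payloads:
        test_url = urljoin(url, payload)
        response = send_request(test_url)
        if response and response.status_code == 200 and "root:" in response.text:
            add_finding(test_url, "Directory Traversal", Payload=payload)

    # Open directory listing on the base URL.
    if base_response and base_response.status_code == 200 and "Index of" in base_response.text:
        add_finding(url, "Open Directory", Payload="N/A")

    # Subdomain discovery: unresolvable names are the normal case, so stay quiet.
    for sub in ["admin", "test", "dev", "staging", "api"]:
        sub_url = f"{scheme}://{sub}.{domain}"
        response = send_request(sub_url, timeout=5, quiet=True)
        if response and response.status_code == 200:
            add_finding(sub_url, "Exposed Subdomain", Details="Subdomain is accessible.")

    # Port scan of a fixed list. OSError covers timeout, refused and DNS failures.
    # The finding records host:port rather than appending ":port" to the full URL.
    for port in [21, 22, 80, 443, 8080]:
        try:
            with socket.create_connection((hostname, port), timeout=2):
                pass
        except OSError:
            continue
        add_finding(f"{hostname}:{port}", "Open Port", Details=f"Port {port} is open.")

    probe_paths(
        ["admin", "login", "config", ".env", "backup", "phpinfo.php"],
        "Exposed Endpoint",
        "Accessible endpoint: ",
    )

    # Security headers: each absent header is its own finding.
    if base_response:
        security_headers = [
            "X-Frame-Options",
            "Content-Security-Policy",
            "X-Content-Type-Options",
            "Strict-Transport-Security",
        ]
        for header in security_headers:
            if header not in base_response.headers:
                add_finding(url, "Missing Security Header", Details=f"{header} is missing.")

    # Command injection: command-output-looking strings in the body are taken as a hit.
    command_payloads = ["; ls", "&& whoami", "| cat /etc/passwd"]
    for payload in command_payloads:
        test_url = f"{url}?input={payload}"
        response = send_request(test_url)
        if response and ("root:" in response.text or "bin/" in response.text):
            add_finding(test_url, "Command Injection", Details=f"Payload: {payload}")

    # CSRF: a form on the page with no "csrf" token anywhere in the markup.
    if base_response and "<form" in base_response.text and "csrf" not in base_response.text.lower():
        add_finding(url, "CSRF", Details="Forms found without anti-CSRF tokens.")

    # TLS certificate check. The default context verifies the chain, so an expired
    # or otherwise invalid certificate normally surfaces as SSLCertVerificationError
    # during the handshake and is recorded as a finding; other socket errors
    # (closed port, timeout) are reported but not recorded.
    try:
        with socket.create_connection((hostname, 443), timeout=5) as sock:
            tls_context = ssl.create_default_context()
            with tls_context.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert = ssock.getpeercert()
    except ssl.SSLCertVerificationError as e:
        add_finding(url, "SSL/TLS Configuration", Details=f"Certificate failed verification: {e.verify_message}")
    except (OSError, ValueError) as e:
        print(f"[Error] SSL/TLS check failed: {e}")
    else:
        # notAfter is a GMT timestamp; compare in epoch seconds rather than local naive time.
        not_after = cert.get("notAfter") if cert else None
        if not_after and ssl.cert_time_to_seconds(not_after) < time.time():
            add_finding(url, "SSL/TLS Configuration", Details="Certificate has expired.")

    # Open redirects: only the Location header of an un-followed redirect is inspected.
    redirect_payloads = ["/redirect?url=http://evil.com", "/login?next=http://evil.com"]
    for payload in redirect_payloads:
        test_url = urljoin(url, payload)
        response = send_request(test_url, allow_redirects=False, timeout=5, quiet=True)
        if response and "http://evil.com" in response.headers.get("Location", ""):
            add_finding(test_url, "Open Redirect", Details=f"Payload: {payload}")

    # File upload: basic check against a fixed /upload path; may not apply to every app.
    file_upload_url = urljoin(url, "/upload")
    files = {'file': ('test.php', '<?php echo "Vulnerable"; ?>', 'application/php')}
    response = send_request(file_upload_url, method="post", files=files, timeout=5, quiet=True)
    if response and response.status_code == 200 and "Vulnerable" in response.text:
        add_finding(file_upload_url, "File Upload", Details="Uploaded PHP file executed.")

    probe_paths(
        ["admin", "backup", "test", "api", "config", "uploads"],
        "Exposed Directory",
        "Directory found: ",
    )

    # Session cookies: attribute names are case-insensitive per RFC 6265.
    if base_response and "Set-Cookie" in base_response.headers:
        cookie_flags = base_response.headers["Set-Cookie"].lower()
        if "httponly" not in cookie_flags or "secure" not in cookie_flags:
            add_finding(url, "Weak Session Management", Details="Missing HttpOnly or Secure flags in cookies.")

    probe_paths(
        ["api/v1/users", "api/v1/orders", "api/v1/login"],
        "Exposed API Endpoint",
        "Accessible API endpoint: ",
    )

    probe_paths(
        ["admin", "dashboard", "config"],
        "Access Control Flaw",
        "Unauthorized access to: ",
    )

    # The former "Parameter Tampering" check was removed: it never sent its
    # parameters and flagged any page that merely lacked the word "unauthorized",
    # so every result it produced was a false positive.

    # Rate limiting: ten back-to-back requests; flagged when the last still succeeds.
    # send_request never raises, so no try/except is needed around the loop.
    last_response = None
    for _ in range(10):
        last_response = send_request(url)
    if last_response and last_response.status_code == 200:
        add_finding(url, "Rate Limiting", Details="No rate limiting detected for repeated requests.")

    if results:
        pd.DataFrame(results).to_csv(output_file, index=False)
        print(f"\nVulnerability results saved to {output_file}")
    else:
        print("\nNo vulnerabilities found.")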
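# Example usage. Guarded so importing this module does not start a scan as a
# side effect; the scan only runs when the file is executed directly.
if __name__ == "__main__":
    target_url = "https://www.taleblou.ir/"  # Replace with the target URL
    check_url_vulnerabilities(target_url)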