DEV Community

jaafar_soufiane22
jaafar_soufiane22

Posted on

How I Built an Automated Web Vulnerability Scanner with Python and OWASP ZAP

I recently completed my MSIT Capstone project at the University of the People an automated web vulnerability scanner built with Python and OWASP ZAP. Here's what I built, how it works, and what I found.
The Problem
Most web security tools like OWASP ZAP are powerful but complex. A developer without a cybersecurity background struggles to configure them correctly. My goal was to wrap ZAP's API into a simple Python CLI tool that anyone can run with a single command.
How It Works
The scanner has four modules:

URL Seeder manually seeds known endpoints into ZAP's site tree before scanning. This is critical for Angular SPAs like OWASP Juice Shop where the traditional spider misses hash-based routes.
Spider crawls all discoverable URLs from the seeded endpoints.
Active Scanner injects attack payloads (SQL injection strings, XSS vectors) against every discovered endpoint.
Report Generator produces a timestamped JSON report with a risk summary.

Running a scan is one command:
bashpython scanner.py --spider --scan --alerts --report
What I Found
Testing against OWASP Juice Shop, the scanner identified 122 security alerts including:

🔴 1 High SQL Injection at /rest/products/search?q=apple'
🟡 70 Medium CORS misconfigurations, missing CSP headers
🔵 23 Low Application error disclosures, timestamp leakage
⚪ 28 Informational Modern web app indicators

The Interesting Problem
Initially the scanner only found 1 alert. The issue? Juice Shop is an Angular SPA with hash-based routing. The ZAP spider couldn't discover routes like /#/login because they're rendered client-side.
The fix was implementing a URL seeder that manually requests all known endpoints through the ZAP proxy before spidering. After that fix — 122 alerts.
The Code
The full source code is available on GitHub:
👉 https://github.com/JAAFAR12781/zap-vulnerability-scanner
What's Next
I'm planning to add AJAX spider support for deeper SPA coverage and HTML report generation for non-technical stakeholders.
If you're building web apps and haven't run a vulnerability scan yet this tool makes it easy to get started.

Top comments (0)