The honest truth
Three months ago, I started building a web security scanner.
Today, it has:
- 49 security modules (WordPress, cPanel, SQLi, XSS, SSL, API security, etc.)
- Advanced SQL injection detection (error-based, boolean blind, time-based, UNION)
- WAF evasion engine (detects 9 WAFs, including Cloudflare, Sucuri and ModSecurity)
- Built-in CVE database (2024-2026 vulnerabilities with CVSS scores)
- HTML, PDF, Markdown, JSON reports
- 230+ automated tests (99.5% pass rate)
And it's completely free and open source under MIT license.
But here's the part I don't put in the README:
It's not perfect. And I need help.
This is a one-person project. I've tested it on dozens of targets, but:
- Some modules fail on edge cases I haven't seen
- The SQLi detector works great on MySQL, less tested on PostgreSQL
- DOM XSS detection needs more real-world validation
- The evasion engine works against 9 WAFs, but new WAFs appear every week
- I'm sure there are bugs I don't even know about
I'm not looking for praise. I'm looking for people who will break this tool and tell me how.
Who this tool is for
- Web developers who want to audit their own sites before deployment
- Security researchers who need a free, scriptable scanner
- Penetration testers who want a second opinion alongside Burp/ZAP
- DevOps engineers who need CI/CD integration (REST API + JSON output)
- Students learning web security (the code is open, modules are simple)
What this tool is NOT:
- A replacement for Burp Suite Pro or Acunetix
- A zero-day finder
- An automated hacker machine
It's a free, honest scanner that catches low-hanging fruit and helps you understand your security posture.
How you can help
- Run it on your sites (with permission; read the LEGAL WARNING first)
- Open an issue when it crashes, misses something, or gives a false positive
- Send a pull request for a bug fix or new module
- Share your test results, since even failures help me improve
The code is modular. Adding a new module takes ~50 lines. The Wiki has templates.
Quick start
git clone https://github.com/miladrezanezhad/web-security-scanner-pro.git
cd web-security-scanner-pro
pip install -r requirements.txt
python main.py scan https://your-test-site.com --mode stealth
Or just run python main.py for interactive mode.
One more honest thing
I'm a frontend developer who fell into security.
Some modules are better than others. Some code is messy.
But I ship it anyway, because someone else might need it, even if it's not perfect.
Open source isn't about flawless code. It's about building together.
GitHub: miladrezanezhad/web-security-scanner-pro
#websecurity #opensource #bugbounty #python #infosec #helpneeded