Skip to main content

Overview

The Vulnerability Scanner module (modules/vuln_scanner.py) integrates two powerful tools for web security testing:
  • Nikto: Web server vulnerability scanner
  • SQLMap: Automated SQL injection detection and exploitation tool

VulnerabilityScanner Class

Defined at vuln_scanner.py:13, this class orchestrates web vulnerability detection.

Initialization

vuln_scanner.py:14-24
class VulnerabilityScanner:
    def __init__(self, target, ports_data):
        """Initialize vulnerability scanner"""
        self.target = target
        self.ports_data = ports_data
        self.web_ports = []
        self.vulnerabilities = []
        self.web_vulns = []
        self.sql_vulns = []
        
        self.identify_web_services()
target
string
required
Target IP address or domain
ports_data
list
required
List of open ports from Scanner module

Web Service Detection

identify_web_services()

Automatically detects HTTP/HTTPS services from port scan results.
vuln_scanner.py:26-43
def identify_web_services(self):
    """Identify HTTP/HTTPS services from port scan"""
    common_web_ports = [80, 443, 8080, 8443, 8000, 8888, 3000, 5000]
    web_services = ['http', 'https', 'ssl/http', 'http-proxy', 'http-alt']
    
    for port in self.ports_data:
        service = port.get('service', '').lower()
        port_num = port.get('port')
        
        if any(web_svc in service for web_svc in web_services) or port_num in common_web_ports:
            protocol = 'https' if port_num == 443 or 'https' in service else 'http'
            self.web_ports.append({
                'port': port_num,
                'protocol': protocol,
                'url': f"{protocol}://{self.target}:{port_num}"
            })
Detected Services:
  • Standard ports: 80 (HTTP), 443 (HTTPS)
  • Alternative ports: 8080, 8443, 8000, 8888, 3000, 5000
  • Service names: http, https, ssl/http, http-proxy, http-alt

Nikto Integration

scan_with_nikto()

Runs Nikto web vulnerability scanner against detected web services.
vuln_scanner.py:45-79
def scan_with_nikto(self, url):
    """Run Nikto web vulnerability scanner"""
    cmd = [
        'nikto',
        '-h', url,
        '-Format', 'json',
        '-output', f'logs/nikto_{self.target}_{timestamp}.json',
        '-Tuning', '123456789',  # All tests
        '-timeout', '10'
    ]
    
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
    vulns = self.parse_nikto_output(result.stdout)
    return vulns
Nikto Parameters:
-h
string
Target URL to scan
-Format
string
Output format (json for automated parsing)
-Tuning
string
Test categories: 1-9 enables all vulnerability checks
-timeout
number
Request timeout in seconds (default: 10)

Nikto Vulnerability Categories

TuningCategory
1Interesting files/directories
2Misconfiguration
3Information disclosure
4Injection (XSS/Script/HTML)
5Remote file retrieval
6Denial of service
7Remote file inclusion
8Command execution
9SQL injection

SQLMap Integration

scan_sql_injection()

Scans for SQL injection vulnerabilities using SQLMap.
vuln_scanner.py:129-165
def scan_sql_injection(self, url):
    """Scan for SQL injection vulnerabilities using SQLMap"""
    cmd = [
        'sqlmap',
        '-u', url,
        '--batch',
        '--crawl=2',
        '--level=1',
        '--risk=1',
        '--random-agent',
        '--timeout=30',
        '--retries=2',
        '--threads=5'
    ]
    
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=180)
    return self.parse_sqlmap_output(result.stdout)
SQLMap Parameters:
--batch
flag
Never ask for user input, use default behavior
--crawl
number
Crawl depth for finding injection points (default: 2)
--level
number
Level of tests to perform (1-5, default: 1)
--risk
number
Risk of tests (1-3, default: 1 for safe testing)
--threads
number
Number of concurrent HTTP requests (default: 5)

SQL Injection Types Detected

Uses boolean logic to infer database content through true/false responses.Example: id=1 AND 1=1 (true) vs id=1 AND 1=2 (false)

Vulnerability Severity

Vulnerabilities are classified into four severity levels:
CVSS 9.0-10.0Remote code execution, SQL injection with data exfiltration, authentication bypass

Complete Workflow

vuln_scanner.py:200-230
def run_full_scan(self):
    """Execute complete vulnerability scanning workflow"""
    # 1. Identify web services
    if not self.web_ports:
        return {'vulnerabilities': [], 'web_vulnerabilities': [], 'sql_vulnerabilities': []}
    
    # 2. Scan each web service with Nikto
    for web_port in self.web_ports:
        nikto_vulns = self.scan_with_nikto(web_port['url'])
        self.web_vulns.extend(nikto_vulns)
    
    # 3. Test for SQL injection
    for web_port in self.web_ports:
        sql_vulns = self.scan_sql_injection(web_port['url'])
        self.sql_vulns.extend(sql_vulns)
    
    return {
        'vulnerabilities': self.vulnerabilities,
        'web_vulnerabilities': self.web_vulns,
        'sql_vulnerabilities': self.sql_vulns
    }

Usage Example

from modules.vuln_scanner import VulnerabilityScanner
from modules.scanner import Scanner

# Get port scan results
scanner = Scanner("example.com")
scan_results = scanner.run_full_scan()

# Initialize vulnerability scanner
vuln_scanner = VulnerabilityScanner("example.com", scan_results['ports'])

# Run vulnerability scan
vulnerabilities = vuln_scanner.run_full_scan()

print(f"Web vulnerabilities: {len(vulnerabilities['web_vulnerabilities'])}")
print(f"SQL injection points: {len(vulnerabilities['sql_vulnerabilities'])}")

Output Format

{
  "web_vulnerabilities": [
    {
      "type": "web",
      "url": "http://example.com:80",
      "severity": "MEDIUM",
      "description": "Server leaks inodes via ETags",
      "osvdb": "3233"
    }
  ],
  "sql_vulnerabilities": [
    {
      "type": "sql_injection",
      "url": "http://example.com/login.php?id=1",
      "parameter": "id",
      "injection_type": "boolean-based blind",
      "payload": "1 AND 1=1",
      "severity": "CRITICAL"
    }
  ]
}

Skipping Web Scans

Use the --skip-web CLI flag to disable web vulnerability scanning: 
python3 main.py -t example.com --skip-web
Web vulnerability scanning can be time-intensive (10-30 minutes per service). Use --skip-web for faster reconnaissance-only scans.

Web Vulnerabilities Guide

Detailed guide to web vulnerability scanning

Configuration

Nikto and SQLMap timeout settings

CLI Options

—skip-web flag documentation

PDF Reports

How web vulnerabilities appear in reports

Build docs developers (and LLMs) love

Get started for freeTalk to us