PulseShield-Web-Application-Vulnerability-Scanner

🛡️ PulseShield – Web Vulnerability Scanner

A professional, AI-assisted web application vulnerability scanner built as an internship-ready security project. PulseShield helps security researchers and beginners identify common web vulnerabilities through an easy-to-use web dashboard, automated crawling, and PDF/JSON reporting.

🚀 Key Highlights

Beginner-friendly Web UI (no CLI-only tool)
Supports static + SPA (JavaScript) websites
Generates professional PDF & JSON reports
AI-assisted severity scoring & false-positive filtering
Screenshot-based PoC capture (where applicable)
Designed for Bugcrowd / responsible disclosure workflows

🔍 Vulnerabilities Covered

Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Server-Side Request Forgery (SSRF)
Local File Inclusion (LFI)
Cross-Site Request Forgery (CSRF)
Insecure Direct Object Reference (IDOR)
Authentication issues
Cryptographic misconfigurations
Security misconfigurations
Insecure design patterns
WAF / protection detection

🧠 Technology Stack

Backend: Python (Flask)
Frontend: HTML, CSS, JavaScript
Crawler: Requests + Playwright (SPA support)
Reporting: ReportLab (PDF), JSON
AI Logic: Custom heuristic + scoring modules
Charts: Chart.js

📁 Complete Project Structure

web-vulnerability-scanner/
│
├── app.py
├── requirements.txt
├── README.md
│---config.py
├── core/
│   ├── scanner.py
│   ├── crawler.py
│   ├── spa_crawler.py
│   ├── parameter_parser.py
│   ├── request_handler.py
│
├── detectors/
│   ├── xss_detector.py
│   ├── sqli_detector.py
│   ├── ssrf_detector.py
│   ├── lfi_detector.py
│   ├── csrf_detector.py
│   ├── idor_detector.py
│   ├── auth_detector.py
│   ├── crypto_detector.py
│   ├── misconfig_detector.py
│   ├── component_detector.py
│   ├── logging_detector.py
│   ├── insecure_design_detector.py
│
├── ai_engine/
│   ├── false_positive_killer.py
│   ├── severity_scoring.py
│   ├── payload_selector.py
│   ├── behavior_analysis.py
│
├── utils/
│   ├── logger.py
│   ├── validators.py
│   ├── rate_limiter.py
│
├── poc/
│   └── poc_screenshot.py
│
├── payloads/
│   ├── xss.txt
│   ├── sqli.txt
│   ├── ssrf.txt
│   ├── lfi.txt
│
├── reports/
│   ├── scan_report.pdf
│   ├── scan_results.json
│   └── screenshots/
│
├── web/
│   ├── templates/
│   │   ├── base.html
│   │   ├── index.html
│   │   ├── login.html
│   │   ├── loading.html
│   │   └── dashboard.html
│   │
│   └── static/
│       ├── css/style.css
│       └── js/main.js/chart.js/login.js/loading.js
|
│
└── venv/

⚙️ Installation & Setup (Windows – PowerShell)

1️⃣ Clone the Repository

git clone https://github.com/nishajas291-crypto/PulseShield-Web-Application-Vulnerability-Scanner.git

2️⃣ Enable Script Execution (PowerShell in vscode)

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

3️⃣ Create & Activate Virtual Environment

python -m venv venv
venv\Scripts\activate

4️⃣ Go to the folder path

 cd PulseShield-Web-Application-Vulnerability-Scanner

5️⃣ Install Dependencies (Mandatory)

python -m pip install -r requirements.txt

IF throw error use below code

python -m pip install --upgrade pip
python -m pip install flask requests beautifulsoup4 lxml reportlab playwright
python -m playwright install

▶️ Running the Application

python app.py

Open browser:

http://127.0.0.1:5000

🖥️ Web Interface Flow

Login Page – Simple UI access
Index Page – Enter target URL
Loading Page – Live scan progress
Dashboard –
- Severity statistics
- Donut & OWASP charts
- Findings table (clickable PoC URLs)
- Report download buttons

## 🔐 Authentication (Login Feature)

This application includes a basic authentication system to restrict access to the scanning dashboard. Default Login Credentials

Username: admin
Password: admin123

📄 Reports

📘 PDF Report

Vulnerability summary
Endpoint + parameter
Severity & CVSS
PoC payload
Screenshot path (if captured,its only for medium ,high,critical bug)

📑 JSON Report

Machine-readable
Useful for automation & integrations

📸 Screenshot PoC – Important Note

Automatically captured for:
- XSS
- SQLi
- IDOR
- CSRF
SSRF screenshots may fail
- SSRF often has no visual response
- Acceptable for Bugcrowd if payload + impact exists

OWASP Top 10 Checklist

OWASP ID	Category	Covered in Project
A01	Broken Access Control	✅ IDOR Detector
A02	Cryptographic Failures	✅ Crypto Detector
A03	Injection	✅ SQLi, XSS
A04	Insecure Design	✅ Insecure Design Detector
A05	Security Misconfiguration	✅ Misconfig Detector
A06	Vulnerable Components	✅ Component Detector
A07	Auth Failures	✅ Auth Detector
A08	Software & Data Integrity	⚠️ Partial
A09	Logging & Monitoring	✅ Logging Detector
A10	SSRF	✅ SSRF Detector

🏆 Advantages of This Project

Web UI (unlike many CLI-only scanners)
SPA crawling support
AI-based false positive reduction
Clean & professional reports
Beginner-friendly architecture
Bugcrowd-ready reporting format
Auto screenshots for medium,high,critical
AI remediations
severity charts
its shows endpoints,vulnerable url

⚠️ Limitations

No authenticated scanning
SSRF requires manual OOB validation for strong PoC
Rate-limited to avoid DoS

⚠️ Important Note (Lab / Restricted Systems)

This project uses Playwright (with greenlet dependency) exclusively for SPA (Single Page Application) crawling and screenshot capture.

On some institutional or corporate systems, Windows Application Control / AppLocker policies may block compiled dependencies such as greenlet, causing Playwright to fail during execution.

✅ Workaround

If such a restriction is encountered:

Disable or skip the SPA crawler module
Proceed with static crawling and request-based vulnerability scanning

This limitation is environmental, not a defect in the application logic.
All core vulnerability detection modules function correctly without SPA crawling.

This project uses Playwright for SPA crawling. On systems with Windows Application Control / AppLocker enabled, Playwright native dependencies (greenlet) may be blocked.

Recommended: