A professional, enterprise-grade web vulnerability scanner for security professionals and developers. Detects XSS, SQL Injection, CSRF, and security misconfigurations with advanced scanning capabilities.
- XSS (Cross-Site Scripting): 20+ payload variants including DOM-based, event handlers, and encoding bypasses
- SQL Injection: Multiple payload types (boolean-based, time-based, UNION-based, error-based)
- XXE (XML External Entity): 10+ XXE payload variants including blind XXE and file read attempts
- Path Traversal: Directory traversal detection with Unix, Windows, and encoded payloads
- CSRF Vulnerabilities: CSRF token detection and missing token identification
- Security Headers: Analysis of CSP, X-Frame-Options, HSTS, and more
- Concurrent Scanning: Thread pool-based parallel scanning (up to 50 threads)
- Web Crawling: Automatic endpoint discovery with ignore list support
- Form Extraction: Intelligent HTML form parsing and submission testing
- Authentication Support: Login handling with credential management
- Multiple Report Formats: JSON, CSV, and professional HTML reports
- Comprehensive Logging: File and console logging with configurable levels
- Configuration Management: YAML-based configuration with CLI overrides
- Resilient Requests: Built-in retry handling for transient timeouts and connection issues
- Smart Parameter Injection: Payloads are injected into existing query parameters to reduce malformed test URLs
- Header Validation Fallback: Security-header checks automatically fall back from
HEADtoGETwhen needed
- Type Hints: Full type annotation for better IDE support
- Error Handling: Robust exception handling with graceful degradation
- Input Validation: URL validation with RFC compliance
- Thread-Safe: Proper synchronization for concurrent operations
- Duplicate Finding Protection: Deduplicates repeated findings for cleaner reports
- 85%+ Test Coverage: Comprehensive unit and integration tests (183+ test cases)
- Python 3.8 or higher
- Linux, macOS, or Windows
requests>=2.31.0
beautifulsoup4>=4.12.2
lxml>=5.1.0
pyyaml>=6.0.1
jinja2>=3.1.2
colorama>=0.4.6
pip install ExploiterX
exploiterxgit clone https://github.com/anishalx/ExploiterX.git
cd ExploiterX
pip install -r requirements.txt
python exploiterX.pygit clone https://github.com/anishalx/ExploiterX.git
cd ExploiterX
pip install -e ".[dev]"
pytest tests/ --cov=.# Clone and start with vulnerable test environments
git clone https://github.com/anishalx/ExploiterX.git
cd ExploiterX
# Start ExploiterX with DVWA and Juice Shop
docker-compose up -d
# Run a scan against DVWA
docker-compose exec exploiterx python exploiterX.py
# Access shell
docker-compose exec exploiterx bash
# Stop all services
docker-compose down# Build the image
docker build -t exploiterx:latest .
# Run a scan with interactive mode
docker run -it \
-v $(pwd)/reports:/app/reports \
exploiterx:latest
# Run against external target
docker run -it \
-v $(pwd)/reports:/app/reports \
exploiterx:latest --target http://target.com📖 For detailed Docker documentation, see DOCKER.md
python exploiterX.pyThe tool will prompt you for:
- Target URL: The URL to scan (e.g., http://example.com)
- Ignore Links: URLs to exclude from scanning (optional)
- Authentication: Login credentials if required (optional)
╔════════════════════════════════════════╗
║ 🔍 Professional Web Vulnerability ║
║ Scanner v2.0 ║
╚════════════════════════════════════════╝
Enter the target URL: http://vulnerable-app.local
Ignore certain links during scan? (y/n): y
Enter URLs to ignore: /logout, /admin
[*] Initializing scanner...
[*] Starting web crawl...
[+] Discovered: http://vulnerable-app.local/search
[+] Discovered: http://vulnerable-app.local/user
[+] Discovered: http://vulnerable-app.local/api/get_user
[*] Scanning 3 endpoints...
[*] [1/3] Scanning: http://vulnerable-app.local/search?q=test
[+] Testing form 1
[***] XSS VULNERABILITY FOUND in URL parameters
[*] [2/3] Scanning: http://vulnerable-app.local/user?id=1
[***] SQL INJECTION VULNERABILITY FOUND in URL parameters
SCAN SUMMARY
============
Target: http://vulnerable-app.local
Endpoints Discovered: 3
Vulnerabilities Found: 2
# Automatically saved as: reports/scan_2024-01-15_120530.jsonExample JSON structure:
{
"report": {
"generated_at": "2024-01-15T12:05:30",
"tool": "ExploiterX",
"version": "2.0.0"
},
"summary": {
"total_vulnerabilities": 2,
"severity_distribution": {
"critical": 1,
"high": 1,
"medium": 0
}
},
"vulnerabilities": [
{
"type": "XSS",
"url": "http://example.com/search",
"severity": "high",
"payload": "<script>alert('XSS')</script>"
}
]
}Clean, spreadsheet-friendly format:
ID,Type,Severity,URL,Method,Parameter,HTTP Status,Payload,Timestamp
1,XSS,HIGH,http://example.com/search,GET,q,200,<script>alert('XSS')</script>,2024-01-15T12:05:30
Professional interactive report with:
- Executive summary with risk scores
- Severity distribution charts
- Detailed vulnerability listings
- Color-coded severity indicators
- Scan metadata and timeline
Customize scanner behavior:
# Scanning Configuration
timeout: 10 # Request timeout (1-300 seconds)
threads: 5 # Concurrent threads (1-50)
retries: 3 # Retry failed requests (0-10)
# Logging
log_level: INFO # DEBUG, INFO, WARNING, ERROR, CRITICAL
log_file: exploiterx.log
# Ignore patterns
ignore_links:
- /logout
- /admin
- /settings/account
# Authentication (optional)
# auth_required: true
# auth_url: http://example.com/login
# auth_username: user@example.com
# auth_password: password123# Set custom timeout
python exploiterX.py --timeout 20
# Use config file
python exploiterX.py --config custom_config.yaml
# Verbose logging
python exploiterX.py --verbosepytest tests/ -vpytest tests/ --cov=. --cov-report=htmlpytest tests/test_scanner.py::TestXSSDetection -v
pytest tests/test_models.py -v
pytest tests/test_reporters.py -vCurrent coverage: 82%
- Scanner: 85%
- Models: 90%
- Reporters: 78%
- Configuration: 88%
ExploiterX/
├── exploiterX.py # Main entry point
├── scanner.py # Core scanning engine
├── concurrent_scanner.py # Thread pool implementation
├── config/
│ ├── settings.py # Configuration management
│ ├── logging_config.py # Logging setup
│ ├── constants.py # Payloads and constants
│ └── config.yaml # Default configuration
├── models/
│ ├── vulnerability.py # Vulnerability data model
│ └── scan_result.py # Scan result container
├── reporters/
│ ├── base.py # Base reporter class
│ ├── json_reporter.py # JSON report generator
│ ├── csv_reporter.py # CSV report generator
│ └── html_reporter.py # HTML report generator
├── tests/
│ ├── conftest.py # Pytest configuration
│ ├── test_scanner.py # Scanner tests
│ ├── test_models.py # Model tests
│ ├── test_reporters.py # Reporter tests
│ └── test_config.py # Configuration tests
└── requirements.txt
- Input Validation: All user inputs are validated
- Type Safety: Full type hints throughout codebase
- Error Handling: Comprehensive exception handling
- Thread Safety: Proper locking for concurrent operations
- Timeout Protection: Configurable request timeouts
- Secure Defaults: Safe default configurations
- Script injection:
<script>alert('XSS')</script> - Event handlers:
<img onerror="alert('XSS')"> - DOM manipulation:
"><script>alert('XSS')</script> - Protocol handlers:
<a href="javascript:alert('XSS')"> - And 16+ more variants
- Boolean-based:
' OR '1'='1 - Time-based:
' OR SLEEP(5)-- - UNION-based:
' UNION SELECT NULL-- - Error-based:
' AND extractvalue(...) - Stacked queries:
'; DROP TABLE users--
- Missing CSRF tokens
- Token validation bypass
- Method validation
- Cookie attribute analysis
- Sequential Scanning: ~50-100 endpoints/minute
- Concurrent (5 threads): ~150-300 endpoints/minute
- Concurrent (10 threads): ~250-500 endpoints/minute
- Memory Usage: Typical ~50-100MB
Performance depends on:
- Target server response time
- Network latency
- Payload complexity
- Number of forms per page
- Production Websites: Production websites often block automated crawlers and render links via JavaScript, which this scanner cannot execute. The crawler may find 0 endpoints on real-world sites.
- JavaScript Rendering: Cannot execute JavaScript - only parses static HTML. Modern websites that render content dynamically won't have their full endpoint list discovered.
- Security Controls: Sites with WAF (Web Application Firewall), bot detection, or rate limiting may block or slow down scanning.
- Complex Forms: Multi-step forms with state management may require manual testing
- API Rate Limiting: Respects server rate limits with timeouts (may miss vulnerabilities on slow-responding sites)
- CORS Restrictions: Cannot test cross-origin endpoints
- Advanced Obfuscation: May miss heavily obfuscated payloads
- ✅ Local vulnerable applications (DVWA, WebGoat, OWASP Juice Shop)
- ✅ Authorized penetration testing on staging/dev environments
- ✅ Security training and vulnerability learning
- ❌ NOT recommended for production website testing without proper WAF/rate limit handling
DVWA (Damn Vulnerable Web Application) is a deliberately vulnerable PHP/MySQL application designed for security professionals to test and improve their vulnerability detection skills.
- Start DVWA locally:
docker run --rm -it -p 80:80 vulnerables/web-dvwa- Open in browser (Windows/macOS):
http://localhost/DVWA
On Linux (if localhost doesn't work):
# Find Docker container IP
docker inspect <container_id> | grep IPAddress
# Then use: http://<docker_ip>/DVWA-
Login with default credentials:
- Username:
admin - Password:
password
- Username:
-
Run ExploiterX (in another terminal):
cd ExploiterX
python exploiterX.py- Enter DVWA URL when prompted:
Enter the target URL: http://localhost/DVWA
Security Level Selection (in DVWA):
- Low: Minimal security (great for learning)
- Medium: Some security controls
- High: Enhanced security (closer to production)
Vulnerable Pages to Test:
/DVWA/vulnerabilities/xss_r/- Reflected XSS/DVWA/vulnerabilities/sqli/- SQL Injection/DVWA/vulnerabilities/csrf/- CSRF vulnerabilities/DVWA/vulnerabilities/upload/- File upload issues
docker run --rm -it -p 3000:3000 bkimminich/juice-shop
# Access at http://localhost:3000docker run --rm -it -p 8080:8080 webgoat/goatandwolf
# Access at http://localhost:8080/WebGoat# Test against your own vulnerable application
python exploiterX.py --timeout 20
# Enter: http://localhost:8000 (your local app)When running against DVWA, you should see:
[*] Initializing scanner...
[*] Starting web crawl...
[+] Discovered: http://localhost/DVWA/
[+] Discovered: http://localhost/DVWA/vulnerabilities/
[+] Discovered: http://localhost/DVWA/vulnerabilities/xss_r/
[+] Discovered: http://localhost/DVWA/vulnerabilities/sqli/
...
[*] Scanning 15 endpoints...
[*] [1/15] Scanning: http://localhost/DVWA/vulnerabilities/xss_r/
[+] Testing form 1
[***] XSS VULNERABILITY FOUND in URL parameters
[*] [2/15] Scanning: http://localhost/DVWA/vulnerabilities/sqli/
[***] SQL INJECTION VULNERABILITY FOUND in URL parameters
...
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
- Additional vulnerability types (XXE, Path Traversal, etc.)
- Performance optimization
- Payload improvements
- Documentation
- Bug fixes
- Test coverage expansion
- Add XXE injection detection
- Add Path Traversal detection
- Add Open Redirect detection
- Headless browser integration (Playwright/Selenium)
- API endpoint detection
- GraphQL query scanning
- Burp Suite integration
- OWASP Top 10 mapping
- REST API for automation
- Docker containerization
This project is licensed under the MIT License. See the LICENSE file for details.
This tool is for authorized security testing only. Unauthorized access to computer systems is illegal. Always obtain proper authorization before scanning any web application.
The authors assume no liability for misuse or damage caused by this tool.
- Original ExploiterX concept
- Open-source security community
- BeautifulSoup and requests maintainers
- Issues: Report bugs on GitHub Issues
- Discussions: Ask questions in GitHub Discussions
- Documentation: See Wiki
Issue: Scan hangs on a URL
# Solution: Increase timeout
python exploiterX.py --timeout 30Issue: Too many false positives
# Solution: Add URLs to ignore list
# Edit config/config.yaml and add patterns to ignore_linksIssue: Out of memory on large sites
# Solution: Reduce thread count
# Edit config/config.yaml: threads: 2- Lines of Code: ~3,000
- Test Cases: 150+
- Supported Payloads: 25+ XSS, 12+ SQLi
- Python Versions: 3.8, 3.9, 3.10, 3.11, 3.12, 3.13
- Operating Systems: Windows, macOS, Linux
- HARDENED: URL payload injection now targets existing parameters instead of appending malformed test params
- HARDENED: Added bounded request retries for transient network failures
- HARDENED: Security-header analysis now falls back from
HEADtoGETon unsupported targets - FIXED: Parallel form scanning now correctly passes custom payloads into XSS form tests
- FIXED: Concurrent batch stats now reset per run for accurate reporting
- ADDED: Regression tests for retry behavior, header fallback, concurrency stats, and payload wiring
- FIXED: Windows CI/CD lxml build failure (updated to lxml>=5.1.0)
- IMPROVED: Crawler error handling with helpful feedback for production sites
- ADDED: DVWA testing guide and documentation
- ADDED: Known limitations section with recommended use cases
- ADDED: Support for Python 3.12, 3.13
- IMPROVED: Crawler warnings when no endpoints found
- NEW: Multiple vulnerability detection (XSS, SQLi, CSRF, Headers)
- NEW: Concurrent scanning with thread pool
- NEW: Multiple report formats (JSON, CSV, HTML)
- NEW: Comprehensive configuration system
- NEW: Type hints throughout codebase
- IMPROVED: Error handling and logging
- IMPROVED: Performance with concurrent operations
- ADDED: 150+ test cases (80%+ coverage)
- ADDED: Professional HTML reports
- Initial release
- Basic XSS detection
- Web crawling
- Form extraction
Made with ❤️ for the security community

