A Military Grade Python-based penetration testing framework targeting OWASP Top 10 (2021) vulnerabilities. Built with asynchronous architecture for 10x faster scanning compared to traditional tools.
⚠️ Disclaimer: This tool is for authorized security testing only. Unauthorized use is illegal.
| Feature | Description |
|---|---|
| Async Warfare Engine | aiohttp + asyncio based - 100+ concurrent connections |
| Stealth Mode | Randomized User-Agents, Jitter delays, WAF bypass |
| Interactive TUI | Rich interface with banners, panels, and tables |
| Modular Scanners | Plug-and-play scanner modules |
| Heavy Payload Support | External .txt payload files - unlimited ammo |
| Professional Reports | HTML + JSON output for clients |
| IP Address Support | Network reconnaissance + Web scanning |
- Python 3.8 or higher
- pip (Python package manager)
```bash
git clone https://github.com/YOUR_USERNAME/owasp-scanner.git
cd owasp-scanner
pip install -r requirements.txt
mkdir -p payloads reports
python main.py
```

Optional shell alias:

```bash
chmod +x main.py
alias scan='python3 /path/to/owasp-scanner/main.py'
scan
```

Interactive mode:

```bash
python main.py
```

Follow the on-screen menu:
- Enter target URL or IP address
- Select scanner module(s)
- View results in real-time
- Check the `reports/` folder for HTML/JSON reports
Command-line mode:

```bash
python main.py --target https://example.com --scanner a03
python main.py --target 192.168.1.1 --all
python main.py --target https://site.com --config config.yaml
```

| Code | Module | OWASP | Description |
|---|---|---|---|
| 1 | Access Control | A01 | Admin panels, hidden directories, backup files |
| 2 | IDOR Scanner | A01 | Insecure Direct Object Reference testing |
| 3 | Injection | A03 | SQL Injection, XSS, Command Injection |
| 4 | Misconfiguration | A05 | Server info, sensitive files, debug modes |
| 5 | Auth Failures | A07 | Weak passwords, session issues |
| 6 | SSRF | A10 | Server-Side Request Forgery |
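The table above lists the modules and the `--scanner a03` / `--all` selectors, and the tree below names `base_scanner.py` (parent class) and `engine.py` (async engine). The following is an added example of how such a plug-and-play registry and a config-driven engine fit together; it is not the project's own code. `ScanEngine`, `BaseScanner`, `register`, `SCANNERS`, `select_scanners`, `run_scan` and the `MisconfigurationScanner` check are assumed names, and the HTTP fetch is an injected coroutine (the real engine would wrap aiohttp) so the example runs offline. The `config` dict mirrors the `scanner` and `stealth` keys of `config.yaml`.

```python
import asyncio
import random
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Awaitable, Callable, Dict, List, Tuple, Type

# Injected fetch: (url, request headers) -> (status, response headers, body).
# The real engine.py would wrap aiohttp; injecting it keeps this example offline.
Fetch = Callable[[str, Dict[str, str]], Awaitable[Tuple[int, Dict[str, str], bytes]]]

USER_AGENTS = [  # constructed sample pool used when rotate_user_agent is true
    "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0",
]


@dataclass
class Finding:
    severity: str
    url: str
    evidence: str


class ScanEngine:
    """Request loop driven by config.yaml keys: max_concurrent bounds in-flight
    requests, jitter_min/jitter_max add a random delay, timeout caps each
    request and stealth.rotate_user_agent picks a random User-Agent."""

    def __init__(self, fetch: Fetch, config: dict):
        s = config["scanner"]
        if s["max_concurrent"] < 1 or s["timeout"] <= 0:
            raise ValueError("max_concurrent must be >= 1 and timeout > 0")
        if s["jitter_min"] > s["jitter_max"]:
            raise ValueError("jitter_min must not exceed jitter_max")
        self._fetch = fetch
        self._sem = asyncio.Semaphore(s["max_concurrent"])
        self._timeout = s["timeout"]
        self._jitter = (s["jitter_min"], s["jitter_max"])
        self._rotate = config.get("stealth", {}).get("rotate_user_agent", False)

    async def get(self, url: str) -> Tuple[int, Dict[str, str], bytes]:
        async with self._sem:  # never more than max_concurrent in flight
            if self._jitter[1] > 0:
                await asyncio.sleep(random.uniform(*self._jitter))
            ua = random.choice(USER_AGENTS) if self._rotate else "owasp-scanner"
            return await asyncio.wait_for(self._fetch(url, {"User-Agent": ua}),
                                          timeout=self._timeout)


class BaseScanner(ABC):
    """Parent class every module under scanners/ would subclass."""
    code = ""   # CLI selector, e.g. "a05" for --scanner a05
    owasp = ""  # OWASP category, e.g. "A05"

    def __init__(self, engine: ScanEngine, target: str):
        self.engine, self.target = engine, target

    @abstractmethod
    async def run(self) -> List[Finding]: ...


SCANNERS: Dict[str, Type[BaseScanner]] = {}


def register(cls: Type[BaseScanner]) -> Type[BaseScanner]:
    """Class decorator: a scanner module registers itself by code on import."""
    SCANNERS[cls.code] = cls
    return cls


@register
class MisconfigurationScanner(BaseScanner):
    """A05 check: server version disclosure and a missing HSTS header."""
    code, owasp = "a05", "A05"

    async def run(self) -> List[Finding]:
        _status, headers, _body = await self.engine.get(self.target)
        hdr = {k.lower(): v for k, v in headers.items()}
        findings = []
        server = hdr.get("server", "")
        if any(ch.isdigit() for ch in server):  # e.g. "Apache/2.4.41"
            findings.append(Finding("LOW", self.target,
                                    f"Server header reveals version: {server}"))
        if self.target.startswith("https://") and "strict-transport-security" not in hdr:
            findings.append(Finding("MEDIUM", self.target,
                                    "Strict-Transport-Security header missing"))
        return findings


def select_scanners(selector: str) -> List[Type[BaseScanner]]:
    """'all' (the --all flag) returns every registered module, else one by code."""
    if selector == "all":
        return list(SCANNERS.values())
    if selector not in SCANNERS:
        raise KeyError(f"unknown scanner: {selector}")
    return [SCANNERS[selector]]


def run_scan(target: str, selector: str, fetch: Fetch, config: dict) -> List[Finding]:
    """Build the engine from config, run the selected modules, collect findings."""
    async def main() -> List[Finding]:
        engine = ScanEngine(fetch, config)
        findings: List[Finding] = []
        for cls in select_scanners(selector):
            findings += await cls(engine, target).run()
        return findings
    return asyncio.run(main())
```

Because the fetch coroutine is injected, the same scanner classes can be exercised against recorded responses in unit tests, and the semaphore guarantees the `max_concurrent` limit from `config.yaml` is honoured no matter how many URLs a module fires with `asyncio.gather`.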
```
owasp-scanner/
├── main.py                  # Entry point
├── requirements.txt         # Dependencies
├── config.yaml              # Configuration
│
├── core/
│   ├── engine.py            # Async HTTP engine
│   ├── base_scanner.py      # Parent scanner class
│   ├── reporter.py          # Report generator
│   └── tui.py               # Terminal interface
│
├── scanners/
│   ├── a00_port_scanner.py
│   ├── a01_access_control.py
│   ├── a01_idor.py
│   ├── a03_injection.py
│   ├── a05_misconfiguration.py
│   ├── a07_auth_failures.py
│   └── a10_ssrf.py
│
├── payloads/                # Create this folder
│   ├── sqli.txt             # SQL Injection payloads
│   ├── xss.txt              # XSS payloads
│   ├── admin_paths.txt      # Admin panel paths
│   ├── backup_files.txt     # Sensitive files
│   ├── idor_params.txt      # IDOR parameters
│   ├── idor_values.txt      # IDOR test values
│   └── ssrf_urls.txt        # SSRF test URLs
│
└── reports/                 # Auto-generated
    ├── report.html
    └── report.json
```
Create payloads/ folder and add these files:
| File | Purpose | Min Lines |
|---|---|---|
| sqli.txt | SQL Injection payloads | 50+ |
| xss.txt | Cross-Site Scripting | 50+ |
| admin_paths.txt | Admin panel paths | 100+ |
| backup_files.txt | Sensitive/backup files | 100+ |
| ssrf_urls.txt | SSRF test URLs | 20+ |
sqli.txt:

```
' OR 1=1--
' UNION SELECT 1,2,3--
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT DATABASE())))--
```

ssrf_urls.txt:

```
http://169.254.169.254/latest/meta-data/
http://metadata.google.internal/computeMetadata/v1/
http://localhost:22
```
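The payload tables above give one line per payload and a recommended minimum size per file, and the troubleshooting section reports "No payloads found" when a file is missing. The loader below is an added example (not the project's own code) of reading those `.txt` files robustly: blank lines and `#` comments are skipped, duplicates are dropped while keeping file order, odd bytes do not abort the scan, and a file below the README minimum is reported. `load_payloads`, `PayloadError` and `MIN_LINES` are assumed names.

```python
from pathlib import Path
from typing import List

# Minimum line counts from the payload table above, keyed by file name.
MIN_LINES = {"sqli.txt": 50, "xss.txt": 50, "admin_paths.txt": 100,
             "backup_files.txt": 100, "ssrf_urls.txt": 20}


class PayloadError(Exception):
    """Raised when a payload file is missing or (in strict mode) too small."""


def load_payloads(payload_dir: Path, name: str, strict: bool = False) -> List[str]:
    """Return the unique, non-comment lines of payloads/<name> in file order."""
    path = Path(payload_dir) / name
    if not path.is_file():
        raise PayloadError(f"No payloads found: create {path}")
    seen, payloads = set(), []
    # surrogateescape keeps an undecodable byte from aborting the whole scan.
    for line in path.read_text(encoding="utf-8", errors="surrogateescape").splitlines():
        # Blank lines and '#' comments are skipped; a payload that really starts
        # with '#' can be written as '\#'. Leading spaces are kept on purpose,
        # since they can be part of a payload.
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\\#"):
            line = line[1:]
        if line not in seen:  # dedupe, preserving order
            seen.add(line)
            payloads.append(line)
    minimum = MIN_LINES.get(name, 1)
    if len(payloads) < minimum:
        msg = f"{name}: {len(payloads)} payloads, README recommends {minimum}+"
        if strict:
            raise PayloadError(msg)
        print(f"[!] {msg}")
    return payloads
```

Deduplicating matters more than it looks: with 100+ concurrent connections, every duplicate line in a 150-entry file is a wasted request against the target and noise in the report.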
Edit config.yaml to customize:

```yaml
# config.yaml
scanner:
  timeout: 10
  max_concurrent: 50
  user_agent: random
  jitter_min: 0.5
  jitter_max: 2.0

reports:
  output_dir: reports
  formats:
    - html
    - json

stealth:
  random_delay: true
  rotate_user_agent: true
```

Sample output:

```
╔══════════════════════════════════════════════════════════════╗
║          OWASP MILITARY GRADE PENETRATION FRAMEWORK          ║
║                        Version 2024.3                        ║
╚══════════════════════════════════════════════════════════════╝

[*] Target: https://example.com
[*] Scanner: A03 - Injection Scanner
[*] Payloads Loaded: 150

┌──────────────────────────────────────────────────────────────┐
│ SCANNING PROGRESS                                            │
├──────────────────────────────────────────────────────────────┤
│ ████████████████████████████████████████ 100% 150/150        │
└──────────────────────────────────────────────────────────────┘

┌──────────┬───────────────────────────────────────────────────┐
│ Severity │ HIGH - SQL Injection Detected                     │
├──────────┼───────────────────────────────────────────────────┤
│ URL      │ https://example.com/product?id=1                  │
│ Payload  │ ' OR 1=1--                                        │
│ Evidence │ MySQL syntax error in response                    │
└──────────┴───────────────────────────────────────────────────┘

[✓] Scan Complete
[✓] Report saved: reports/report_2024-01-15.html
```
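The finding above carries the raw payload and evidence into `reports/report_*.html`, and the XSS module will put strings like `<script>` into the same fields. A report written without escaping is itself an XSS vector for whoever opens it in a browser. The following is an added example (not the project's `reporter.py`) of writing the JSON and HTML formats from `config.yaml`'s `reports` section with every field escaped and a restrictive CSP on the page; `Finding`, `render_html` and `write_reports` are assumed names.

```python
import html
import json
from dataclasses import asdict, dataclass
from datetime import date
from pathlib import Path
from typing import Iterable, List


@dataclass
class Finding:
    severity: str
    url: str
    payload: str
    evidence: str


def render_html(target: str, findings: List[Finding]) -> str:
    """Every field passes through html.escape, so a payload such as
    <script>alert(1)</script> is shown as text, not executed by the client's
    browser. The CSP forbids scripts even if a field were ever missed."""
    rows = "\n".join(
        "<tr>" + "".join(f"<td>{html.escape(v, quote=True)}</td>"
                         for v in (f.severity, f.url, f.payload, f.evidence)) + "</tr>"
        for f in findings)
    return (
        '<!doctype html><meta charset="utf-8">'
        '<meta http-equiv="Content-Security-Policy" '
        'content="default-src \'none\'; style-src \'unsafe-inline\'">'
        f"<title>Scan report: {html.escape(target)}</title>"
        f"<h1>Scan report for {html.escape(target)}</h1>"
        "<table><tr><th>Severity</th><th>URL</th><th>Payload</th><th>Evidence</th></tr>"
        f"{rows}</table>")


def write_reports(target: str, findings: List[Finding], output_dir: Path,
                  formats: Iterable[str] = ("html", "json")) -> List[Path]:
    """Write report_<date>.json / .html into output_dir, mirroring the
    reports.output_dir and reports.formats keys, and return the paths."""
    output_dir = Path(output_dir)
    output_dir.mkdir(parents=True, exist_ok=True)
    stamp = date.today().isoformat()
    written: List[Path] = []
    if "json" in formats:
        p = output_dir / f"report_{stamp}.json"
        # JSON keeps the raw payload: it is data for tooling, not rendered markup.
        p.write_text(json.dumps({"target": target,
                                 "findings": [asdict(f) for f in findings]}, indent=2),
                     encoding="utf-8")
        written.append(p)
    if "html" in formats:
        p = output_dir / f"report_{stamp}.html"
        p.write_text(render_html(target, findings), encoding="utf-8")
        written.append(p)
    return written
```

The JSON file deliberately keeps payloads verbatim, since a retest needs the exact string; only the HTML rendering escapes, because that is the only format a browser will interpret.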
| Problem | Solution |
|---|---|
| ModuleNotFoundError | Run `pip install -r requirements.txt` |
| Permission denied | Use `chmod +x main.py` or run with sudo |
| Connection timeout | Increase `timeout` in config.yaml |
| No payloads found | Create files in `payloads/` folder |
```
aiohttp>=3.8.0
rich>=13.0.0
pyyaml>=6.0
colorama>=0.4.6
```

Install all:

```bash
pip install aiohttp rich pyyaml colorama
```

- Fork the repository
- Create feature branch (`git checkout -b feature/new-scanner`)
- Commit changes (`git commit -m 'Add new scanner'`)
- Push to branch (`git push origin feature/new-scanner`)
- Open Pull Request
This project is licensed under the MIT License - see LICENSE file.
This tool is provided for educational purposes and authorized security testing only.
- Always obtain written permission before testing
- Unauthorized access to computer systems is illegal
- The authors assume no liability for misuse
Built with ❤️ for Security Researchers