miladrezanezhad/web-security-scanner-pro: wSA Pro tests websites and servers for 49 different types…

The most comprehensive free and open-source web security scanner.

WSA Pro tests websites and servers for 49 different types of security vulnerabilities, outdated software with known CVEs, and dangerous misconfigurations — all while evading WAF detection with a built-in stealth engine.

⚠️ LEGAL WARNING

This tool is designed for legitimate security testing only.

✅ Allowed Use

• Testing your own websites and servers
• Penetration testing with written authorization from the target owner
• Educational purposes in controlled lab environments
• Capture The Flag (CTF) competitions
• Security research and vulnerability assessment

❌ Prohibited Use

• Scanning websites without explicit permission
• Unauthorized penetration testing
• Any malicious or illegal activities
• Violating computer fraud and abuse laws

Applicable Laws

• United States: Computer Fraud and Abuse Act (CFAA)
• United Kingdom: Computer Misuse Act 1990
• European Union: General Data Protection Regulation (GDPR)
• Local cybersecurity laws in your jurisdiction

THE DEVELOPERS ASSUME NO LIABILITY FOR UNAUTHORIZED OR ILLEGAL USE. YOU ARE SOLELY RESPONSIBLE FOR COMPLYING WITH ALL APPLICABLE LAWS.

📊 Features

Security Modules (49 Total)

Advanced SQL Injection Scanner

• Error-based — Detects injection from database error messages
• Boolean-based blind — Compares TRUE/FALSE response differences
• Time-based blind — Measures response delay (SLEEP, pg_sleep, WAITFOR DELAY)
• UNION-based — Automatic column count detection via ORDER BY
• Database fingerprinting — Identifies MySQL, PostgreSQL, MSSQL, Oracle, SQLite

Evasion Engine

• User-Agent rotation — 15+ real browser profiles
• Smart rate limiting — Configurable delays with random jitter
• WAF detection — Identifies Cloudflare, Sucuri, Wordfence, AWS WAF, ModSecurity, Akamai, Imperva
• Captcha detection — reCAPTCHA, hCaptcha, Cloudflare Turnstile
• Exponential backoff — Automatic retry with increasing delays
• Proxy support — HTTP, HTTPS, SOCKS5, Tor network

Reporting

• HTML — Interactive charts, collapsible sections, responsive design
• PDF — Professional layout, A4 formatted, print-ready
• Markdown — GitHub-compatible, plain text, version control friendly
• JSON — Machine-readable, API integration, CI/CD ready

Additional Features

• Built-in CVE database — 2024-2026 vulnerabilities with CVSS scores
• REST API — Automation and CI/CD integration
• Modular architecture — Easy to extend with custom modules
• 230+ automated tests — 99.5% pass rate
• Interactive CLI — User-friendly menu system
• Multi-language reports — English output with remediation guides

📦 Installation

Prerequisites

• Python 3.9 or higher
• pip package manager
• Git (optional)

Quick Install

# Clone the repository
git clone https://github.com/miladrezanezhad/web-security-scanner-pro.git
cd web-security-scanner-pro

# Install dependencies
pip install -r requirements.txt

# Run the scanner
python main.py

One-Line Install

git clone https://github.com/miladrezanezhad/web-security-scanner-pro.git && cd web-security-scanner-pro && pip install -r requirements.txt && python main.py

Full Installation Guide →

🚀 Quick Start

# Interactive mode (recommended for beginners)
python main.py

# Quick security audit (4 critical modules)
python main.py quick https://example.com

# Full scan with all 49 modules
python main.py scan https://example.com

# Specific modules only
python main.py scan https://example.com --modules wordpress,xss,sqli

# Stealth mode for protected sites
python main.py scan https://example.com --mode stealth

# Generate reports
python main.py scan https://example.com --format html pdf json

Full Usage Guide →

📊 Sample Output

╔══════════════════════════════════════════════════════════════════════╗
║              Web Security Analyzer Pro v3.0                         ║
╚══════════════════════════════════════════════════════════════════════╝

Target: https://example.com
Mode: stealth
Started: 2026-05-14 10:30:00

Running 15 security modules...

✓ wordpress: WordPress 6.4.2 detected
✓ php: PHP 8.1.26 detected
✓ ssl: TLS 1.3, Grade A
✓ headers: 3 missing security headers
🚨 xss: 2 reflected XSS found
🚨 sqli: 1 time-based SQLi found (MySQL)
🚨 cpanel: WHM accessible on port 2087

═══════════════════════════════════════════════════
📊 Scan Summary
═══════════════════════════════════════════════════
CRITICAL:  2  ⚠️
HIGH:      4  ⚠️
MEDIUM:    7  ⚠️
LOW:       3  ✅
INFO:      8  ℹ️
───────────────────────────────────────────────────
TOTAL:    24 findings
════════════════════════════════════════════��══════

Duration: 45.5 seconds
Report saved: reports/output/audit.html

🆚 Comparison with Other Tools

Why WSA Pro?

Ranking

WSA Pro is the highest-rated completely free web security scanner.

Unique Advantages

• 🥇 Only free tool with cPanel, DirectAdmin, Plesk scanning
• 🥇 Only free tool with advanced evasion engine (WAF detection, auto-retry)
• 🥇 Only free tool with built-in CVE database through 2026
• 🥇 49 modules in a single tool (most free tools do 5-10 things)

📁 Project Structure

web-security-scanner-pro/
├── main.py                 # Entry point
├── config.yaml            # Configuration
│
├── core/                  # Core engine
│   ├── scanner.py         # Main orchestrator
│   ├── browser.py         # HTTP client with stealth
│   ├── evasion.py         # WAF bypass & anti-detection
│   ├── database.py        # CVE vulnerability database
│   ├── reporter.py        # Report generation
│   ├── updater.py         # Database updater
│   └── api.py             # REST API server
│
├── modules/               # 49 security test modules
│   ├── cms/              # WordPress (9), Joomla, Drupal
│   ├── webserver/        # Apache, Nginx, LiteSpeed, IIS, Tomcat
│   ├── php/              # Version, Config, Functions, Info
│   ├── database/         # MySQL, PostgreSQL, Redis, MongoDB, Elasticsearch
│   ├── control_panels/   # cPanel, DirectAdmin, Plesk, Virtualmin
│   ├── vulnerabilities/  # XSS, SQLi, LFI, XXE, SSTI, CSRF, etc.
│   ├── ssl_tls/         # Certificate, Protocols, Ciphers
│   ├── headers/          # Security Headers, Info Disclosure
│   └── api_security/     # GraphQL, REST API, JWT
│
├── database/             # Vulnerability data
│   ├── vulnerabilities_2024.py
│   ├── vulnerabilities_2025.py
│   └── vulnerabilities_2026.py
│
├── reports/              # Report templates
│   └── templates/
│       ├── report.html
│       └── report.md
│
└── tests/                # 230+ automated tests
    ├── core/
    └── modules/

📚 Documentation

Full documentation is available in the Wiki:

🧪 Testing

# Run all tests
python tests/test_runner.py

# Run specific tests
python -m pytest tests/modules/test_wordpress.py -v
python -m pytest tests/core/test_core_database.py -v

# With coverage
python -m pytest tests/ --cov=core --cov=modules --cov-report=html

Test Results:

• 230+ automated tests
• 99.5% pass rate
• Covers all 49 modules and 6 core components

🤝 Contributing

Contributions are welcome! See the Contributing Guide.

Quick Module Template

class Scanner:
    def __init__(self, browser, target_url, config):
        self.browser = browser
        self.target_url = target_url
        self.config = config
        self.findings = []

    def run(self):
        # Your test logic
        return {'findings': self.findings}

📝 License

This project is licensed under the MIT License — see the LICENSE file for details.

MIT means you can:

• ✅ Use commercially
• ✅ Modify
• ✅ Distribute
• ✅ Sublicense
• ✅ Private use

⚡ Credits

Created by Milad Rezanezhad

📞 Contact

• Issues: GitHub Issues
• Wiki: Documentation
• Discussions: GitHub Discussions

🌟 Star History

If this tool helps you, please consider giving it a star ⭐ on GitHub!