RaidScanner is an advanced, production-ready automated web vulnerability scanner with both Web GUI and CLI interfaces. Designed for ethical hacking and security testing, it detects critical web vulnerabilities including LFI (Local File Inclusion), SQLi (SQL Injection), XSS (Cross-Site Scripting), Open Redirect, and CRLF Injection.
- Overview
- Key Features
- Architecture & Technology Stack
- Quick Start
- Installation Methods
- Usage Guide
- Vulnerability Detection Methods
- Project Structure
- Configuration
- Performance & Optimization
- Output & Reports
- Testing Targets
- Troubleshooting
- Documentation
- Contributing
- Legal Disclaimer
- License
RaidScanner is a comprehensive web security scanning tool built as a university thesis project to demonstrate modern vulnerability detection techniques. It combines traditional HTTP-based scanning with browser automation using Selenium WebDriver to detect both server-side and client-side vulnerabilities.
- Dual Interface: Choose between modern Web GUI or powerful CLI
- Real-time Updates: WebSocket-based live progress tracking
- Browser Automation: Selenium-powered detection for JavaScript-rendered applications
- Containerized: Fully Dockerized for consistent cross-platform execution
- Production Ready: Modular architecture with comprehensive error handling
- Educational Focus: Well-documented codebase designed for learning
- Security Audits: Assess web applications for common OWASP Top 10 vulnerabilities
- Penetration Testing: Automated reconnaissance and vulnerability detection
- CTF Competitions: Quickly identify vulnerable endpoints in capture-the-flag challenges
- Education: Learn vulnerability detection techniques through practical implementation
- Development: Integrate into CI/CD pipelines for security testing
| Vulnerability | Status | Detection Method | Highlights |
|---|---|---|---|
| LFI (Local File Inclusion) | Supported | Selenium + Pattern Matching | Detects file access via path traversal |
| SQLi (SQL Injection) | Supported | Time-based + Error-based | Authentication bypass detection |
| XSS (Cross-Site Scripting) | Supported | Browser Automation + Alert Detection | Reflected & DOM-based XSS |
| Open Redirect | Supported | URL Analysis + JavaScript Parsing | Header & client-side redirects |
| CRLF Injection | Supported | HTTP Response Splitting | Header injection detection |
- Multi-threaded Scanning: Configurable concurrency (1-10 threads)
- Real-time Dashboard: Live progress updates via WebSocket
- Multiple Output Formats: HTML & JSON reports
- Modern UI: Gradient-based dark theme with Tailwind CSS
- Customizable Payloads: Easily modify or add payload files
- Docker Support: One-command deployment with volume persistence
- Smart Detection: Context-aware vulnerability identification
- Performance Optimized: Resource-efficient Selenium execution
```text
┌──────────────────────────────────────────────────────────┐
│                   User Interface Layer                   │
│   ┌──────────────────┐        ┌──────────────────┐       │
│   │     Web GUI      │        │  CLI Interface   │       │
│   │ (Flask + Socket) │        │ (Rich + Colorama)│       │
│   └────────┬─────────┘        └────────┬─────────┘       │
└────────────┼───────────────────────────┼─────────────────┘
             │                           │
┌────────────┴───────────────────────────┴─────────────────┐
│                Application Layer (app.py)                │
│   • Route Handling          • WebSocket Events           │
│   • Session Management      • Background Tasks           │
└────────────────────────────┬─────────────────────────────┘
                             │
┌────────────────────────────┴─────────────────────────────┐
│                 Core Logic Layer (core/)                 │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐    │
│  │Scanner Engine│  │  Report Gen  │  │ Payload Load │    │
│  │ (5 scanners) │  │  (HTML/JSON) │  │ (Management) │    │
│  └──────┬───────┘  └──────────────┘  └──────────────┘    │
└─────────┼────────────────────────────────────────────────┘
          │
┌─────────┴────────────────────────────────────────────────┐
│                 Network & Browser Layer                  │
│   ┌──────────────────┐      ┌──────────────────┐         │
│   │ Requests/AIOHTTP │      │ Selenium + Chrome│         │
│   │  (HTTP Scanning) │      │ (Browser Testing)│         │
│   └──────────────────┘      └──────────────────┘         │
└──────────────────────────────────────────────────────────┘
```
- Python 3.11: Core language for optimal performance
- Flask 3.0.3: Web framework for RESTful API
- Flask-SocketIO 5.3.6: Real-time bidirectional communication
- Eventlet 0.36.1: Asynchronous networking library
- Selenium 4.0+: Browser automation for JavaScript-heavy sites
- ChromeDriver: Headless Chrome for realistic rendering
- Requests: HTTP library for traditional scanning
- AIOHTTP: Async HTTP client for concurrent requests
- BeautifulSoup4: HTML/XML parsing
- Rich: Beautiful terminal interface with progress bars
- Colorama: Cross-platform colored terminal text
- Prompt Toolkit: Interactive CLI components
- Docker: Containerization for consistent environments
- Docker Compose: Multi-container orchestration
- Xvfb: Virtual framebuffer for headless GUI execution
- Chrome (Stable): Latest browser for accurate testing
The easiest and recommended way to run RaidScanner is using Docker. No manual dependency installation required!
- Docker (20.10+)
- Docker Compose (2.0+)
Perfect for beginners and visual learners. Provides a beautiful dashboard with real-time updates.

```bash
# Start the web interface
docker compose up -d raidscanner-web

# Access at http://localhost:5000
```

Features:
- Interactive dashboard with scanner cards
- Real-time vulnerability detection
- Live progress bars and statistics
- Report viewer with download options
For terminal enthusiasts and automation workflows. Provides a rich interactive CLI.

```bash
# Start the interactive CLI
docker compose run --rm raidscanner-cli
```

Features:
- Menu-driven interface
- Live progress bars
- Color-coded output
- Automatic report saving
```bash
# Stop web service
docker compose down

# Remove all containers and volumes
docker compose down -v
```

Advantages:
- No dependency conflicts
- Consistent environment across all platforms
- Chrome and ChromeDriver pre-installed
- Automatic volume mounting
- Easy updates via Docker Hub
```bash
# Clone repository
git clone https://github.com/zahidoverflow/raidscanner.git
cd raidscanner

# Pull pre-built image (optional)
docker pull zahidoverflow/raidscanner:latest

# Or build locally
docker compose build

# Run Web GUI
docker compose up -d raidscanner-web

# Run CLI
docker compose run --rm raidscanner-cli
```

Requirements:
- Python 3.11+
- Google Chrome (latest stable)
- ChromeDriver (matching Chrome version)
```bash
# Clone repository
git clone https://github.com/zahidoverflow/raidscanner.git
cd raidscanner

# Create virtual environment
python3.11 -m venv venv
source venv/bin/activate   # On Windows: venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt

# Install ChromeDriver
# Linux: Download from https://chromedriver.chromium.org/
# Or use: pip install webdriver-manager

# Run Web GUI
python app.py

# Run CLI
python scanner_cli.py
```

Note: Manual installation requires system-specific configuration of Chrome and ChromeDriver paths.
1. Start the Service

   ```bash
   docker compose up -d raidscanner-web
   ```

2. Access Dashboard
   - Open browser: http://localhost:5000
   - You'll see 6 scanner cards + Reports viewer

3. Select Scanner
   - Click on any scanner card (e.g., "LFI Scanner")
   - Configuration panel appears

4. Configure Scan
   - URLs: Enter target URLs (one per line), for example:
     ```text
     http://example.com/page?file=
     http://test.com/view?id=
     ```
   - Threads: Adjust concurrency (1-10, default: 5)
   - Payloads: Use default or select custom file

5. Execute Scan
   - Click "Start Scan" button
   - Watch real-time progress updates
   - Vulnerabilities appear as they're found

6. View Reports
   - Click "Reports" card on dashboard
   - Browse scan history
   - Download HTML/JSON reports
1. Start CLI

   ```bash
   docker compose run --rm raidscanner-cli
   ```

2. Main Menu

   ```text
   [ RaidScanner ]
   Available Scanners:
   1. LFI Scanner - Local File Inclusion
   2. Open Redirect - Unvalidated Redirects
   3. SQL Injection - Database Injection
   4. XSS Scanner - Cross-Site Scripting
   5. CRLF Injection - HTTP Response Splitting
   6. Exit
   ```

3. Input Target URLs
   - Enter URLs one per line
   - Press Enter twice when done
   - Or provide a file path with URLs

4. Select Payload File
   - Choose from available payload files
   - Or enter custom payload file path

5. Configure Threads
   - Enter 1-10 (default: 5)
   - Lower for resource-constrained systems

6. Monitor Progress
   - Live progress bar displays scan status
   - Vulnerabilities shown in real-time
   - Final summary with statistics

7. Access Reports
   - HTML reports saved to ./reports/
   - JSON data saved for programmatic access
LFI Scanner

Detection Technique: Selenium-based browser automation with content analysis

How It Works:
- Injects file traversal payloads (e.g., `../../../etc/passwd`)
- Renders page using Chrome WebDriver
- Checks if file content appears (not "File not found" message)
- Validates against false positives

Payloads Used:
- Path traversal: `../../../etc/passwd`
- Encoded variants: `%2e%2e%2f`, `..%2f`
- Null byte injection: `../../../etc/passwd%00`
- Windows paths: `..\..\windows\win.ini`

Success Indicators:
- `root:x:0:` (Linux passwd file)
- `boot loader` (Windows boot.ini)
- Absence of "File not found:" message
SQL Injection Scanner

Detection Technique: Hybrid approach (Time-based + Error-based)

Time-Based Detection:
- Injects delay payloads: `' AND SLEEP(5)--`
- Measures response time
- If response time ≥ threshold → Vulnerable

Error-Based Detection:
- Injects syntax-breaking payloads: `' OR '1'='1`
- Checks response for SQL error messages
- Detects patterns like "SQL Error", "syntax error", "detected injection"

Payloads Used:
- Authentication bypass: `' OR '1'='1'--`
- Union-based: `' UNION SELECT NULL,NULL--`
- Time-based: `' AND SLEEP(5)--`
- Stacked queries: `'; DROP TABLE users--`

Database Support:
- MySQL, PostgreSQL, MSSQL, Oracle
- Generic payloads for maximum compatibility
XSS Scanner

Detection Technique: Selenium-based alert detection + source code analysis

How It Works:
- Injects XSS payloads into URL parameters
- Renders page in headless Chrome
- Checks for `alert()` execution
- Falls back to source code inspection for encoded payloads

Payloads Used:
- Basic: `<script>alert(1)</script>`
- Event handlers: `<img src=x onerror=alert(1)>`
- SVG vectors: `<svg onload=alert(1)>`
- Polyglots: Mixed-context payloads

Detection Methods:
- Alert popup detection (primary)
- Payload reflection in source (secondary)
- DOM mutation analysis
Open Redirect Scanner

Detection Technique: Multi-method redirect detection

Detection Methods:
- HTTP Headers: Checks `Location` header
- Meta Refresh: Parses `<meta http-equiv="refresh">`
- JavaScript: Detects `window.location` assignments
- URL Change: Monitors browser navigation

Payloads Used:
- `http://evil.com`
- `//evil.com` (protocol-relative)
- `https://evil.com@good.com`
- `javascript:alert(1)`

Validation:
- Confirms actual redirection occurred
- Checks if payload URL appears in destination
CRLF Injection Scanner

Detection Technique: HTTP response header manipulation

How It Works:
- Injects CRLF sequences: `%0d%0aSet-Cookie:injected=1`
- Checks response headers for injected content
- Validates successful header splitting

Payloads Used:
- `%0d%0aSet-Cookie:crlf=injection`
- `\r\nSet-Cookie:crlf=injection`
- Unicode variants: `%E5%98%8A%E5%98%8D`
- Null byte combinations

Success Indicators:
- "CRLF injection" message in response
- "HTTP response splitting" detected
- Injected headers visible
```text
raidscanner/
├── app.py                     # Flask web application (469 lines)
├── scanner_cli.py             # CLI interface (381 lines)
├── compose.yml                # Docker Compose configuration
├── requirements.txt           # Python dependencies
├── requirements-docker.txt    # Docker-specific dependencies
├── README.md                  # This file
│
├── .docker/                   # Docker configuration
│   ├── Dockerfile             # Container build definition
│   └── .dockerignore          # Build exclusions
│
├── core/                      # Core scanning engine
│   ├── __init__.py
│   ├── scanner_engine.py      # 744 lines - All scanner logic
│   ├── report_generator.py    # 129 lines - HTML/JSON reports
│   └── payload_loader.py      # 70 lines - Payload management
│
├── utils/                     # Utility modules
│   ├── __init__.py
│   ├── config.py              # 70 lines - Configuration
│   └── platform_helper.py     # Cross-platform helpers
│
├── web/                       # Web interface
│   ├── templates/
│   │   ├── index.html         # Dashboard
│   │   ├── scanner.html       # Scanner configuration
│   │   └── reports.html       # Report viewer
│   └── static/
│       └── js/
│           └── main.js        # 352 lines - Frontend logic
│
├── payloads/                  # Attack payloads
│   ├── lfi-payloads.txt       # LFI vectors
│   ├── sqli.txt               # SQL injection payloads
│   ├── xss.txt                # XSS payloads (optimized)
│   ├── or.txt                 # Open redirect URLs
│   └── sqli/                  # Database-specific payloads
│       ├── mysql.txt
│       ├── postgresql.txt
│       ├── mssql
│       └── oracle.txt
│
├── reports/                   # Generated reports (auto-created)
│   ├── lfi_report_*.html
│   ├── sqli_report_*.json
│   └── ...
│
├── output/                    # Raw scan data (auto-created)
│
├── docs/                      # Documentation
│   ├── CONTEXT.md             # 300 lines - Full project context
│   ├── USER_GUIDE.md          # 171 lines - User documentation
│   ├── DEVELOPER_GUIDE.md     # 274 lines - Architecture guide
│   └── openspec/              # OpenSpec documentation
│
├── bin/                       # Binary executables
│   └── chromedriver-linux64/  # ChromeDriver for Linux
│
└── scripts/                   # Utility scripts
    ├── start.sh               # Interactive startup
    ├── docker-run.sh          # Linux/Mac runner
    └── docker-run.bat         # Windows runner
```

Key Files:
- `core/scanner_engine.py`: Heart of the application - contains all 5 scanners
- `app.py`: Flask web server with WebSocket support
- `web/static/js/main.js`: Frontend JavaScript for real-time updates
- `compose.yml`: Docker orchestration configuration
Environment variables:

```bash
# Web Server
HOST=0.0.0.0            # Listen address
PORT=5000               # Web server port
DEBUG=False             # Debug mode
SECRET_KEY=your-secret  # Flask secret key

# Scanning
DEFAULT_THREADS=5       # Default concurrency
MAX_THREADS=10          # Maximum allowed threads
DEFAULT_TIMEOUT=10      # Request timeout (seconds)

# Chrome/Selenium
DISPLAY=:99             # Virtual display for Xvfb
```

`SECRET_KEY` signs the Flask session cookie, so replace the placeholder with a long random value; `HOST=0.0.0.0` listens on every interface, not only localhost.

Docker Compose service, in compose.yml:

```yaml
services:
  raidscanner-web:
    image: zahidoverflow/raidscanner:latest
    ports:
      - "5000:5000"
    volumes:
      - ./output:/app/output
      - ./reports:/app/reports
      - ./payloads:/app/payloads:ro
    environment:
      - MODE=web
    shm_size: '2gb'  # Required for Chrome
```

Chrome options, configured in utils/config.py:

```python
CHROME_OPTIONS = [
    '--headless',               # Run without GUI
    '--no-sandbox',             # Required for Docker
    '--disable-dev-shm-usage',  # Overcome limited /dev/shm
    '--disable-gpu',            # Disable GPU acceleration
    '--disable-extensions',     # No extensions
    '--disable-browser-side-navigation',
    '--disable-infobars',
    '--disable-notifications'
]
```

Add custom payloads to the ./payloads/ directory:

```bash
# Create custom LFI payload file
echo "../../../custom/path" >> ./payloads/custom-lfi.txt

# Create custom SQLi payloads
cat > ./payloads/custom-sqli.txt << EOF
' OR 1=1--
' UNION SELECT NULL--
' AND SLEEP(10)--
EOF
```

| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4+ cores |
| RAM | 2 GB | 4 GB |
| Disk | 1 GB | 5 GB |
| Network | Stable connection | High bandwidth |
- LFI: 3-5 threads (Selenium-intensive)
- SQLi: 3-5 threads (Time-based delays)
- XSS: 2-3 threads (Browser overhead)
- Open Redirect: 3-5 threads (Network-bound)
- CRLF: 3-5 threads (Lightweight)
- Adjust Thread Count: Lower threads for resource-constrained systems
- Use SSD: Faster disk I/O for Chrome cache
- Increase shm_size: Set to 2GB+ in Docker for Chrome stability
- Filter Payloads: Remove unnecessary payloads for faster scans
- Network: Ensure stable connection to target
```bash
# Example: Reduce XSS payload file for faster scans
head -n 100 payloads/xss.txt > payloads/xss-quick.txt

# Use custom payload in CLI or Web GUI
```

Beautiful, interactive HTML reports with Tailwind CSS styling:

Location: ./reports/{type}_report_{timestamp}.html

Features:
- Summary statistics
- Vulnerable URLs with direct links
- Color-coded severity
- Responsive design
- Printable format

Example: reports/lfi_report_20251209_090022.html
Machine-readable JSON for automation:

```json
{
  "scan_type": "LFI",
  "timestamp": "2025-12-09T09:00:22",
  "summary": {
    "total_found": 5,
    "total_scanned": 150,
    "duration": 45
  },
  "vulnerable_urls": [...],
  "detailed_results": [...]
}
```

Example: reports/lfi_report_20251209_090022.json
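The JSON layout above is what a CI/CD job (the Development use case listed earlier) would consume. The parser below is an added example and not part of RaidScanner: it validates the documented fields, collapses flagged URLs to distinct endpoints for triage, and turns the finding count into a pass/fail exit code. The page elides the contents of `vulnerable_urls`; this example assumes a list of the flagged URLs with their payload still in the query string, and the sample report is constructed.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the report layout shown above. The page elides the
# contents of "vulnerable_urls"; this example ASSUMES a list of flagged URLs.
SAMPLE_REPORT = json.dumps({
    "scan_type": "LFI",
    "timestamp": "2025-12-09T09:00:22",
    "summary": {"total_found": 3, "total_scanned": 150, "duration": 45},
    "vulnerable_urls": [
        "http://localhost:3000/api/download?file=../../../etc/passwd",
        "http://localhost:3000/api/download?file=..%2f..%2f..%2fetc/passwd",
        "http://localhost:3000/api/other?file=../../../etc/passwd",
    ],
    "detailed_results": [],
})

REQUIRED_TOP = ("scan_type", "timestamp", "summary", "vulnerable_urls")
REQUIRED_SUMMARY = ("total_found", "total_scanned", "duration")


@dataclass
class ScanSummary:
    scan_type: str
    timestamp: str
    total_found: int
    total_scanned: int
    duration: int
    endpoints: list  # distinct scheme://host/path, payload query removed


def endpoints_from(urls):
    """Collapse payload-bearing URLs to distinct endpoints (query dropped)."""
    seen = []
    for url in urls:
        parts = urlsplit(url)
        endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
        if endpoint not in seen:  # keeps the payload out of ticket titles
            seen.append(endpoint)
    return seen


def load_report(text: str) -> ScanSummary:
    """Parse a RaidScanner JSON report, rejecting malformed input early."""
    data = json.loads(text)
    for key in REQUIRED_TOP:
        if key not in data:
            raise ValueError(f"report missing required key: {key}")
    summary = data["summary"]
    for key in REQUIRED_SUMMARY:
        if not isinstance(summary.get(key), int):
            raise ValueError(f"summary.{key} must be an integer")
    urls = data["vulnerable_urls"]
    if not isinstance(urls, list):
        raise ValueError("vulnerable_urls must be a list")
    return ScanSummary(data["scan_type"], data["timestamp"],
                       summary["total_found"], summary["total_scanned"],
                       summary["duration"], endpoints_from(urls))


def ci_gate(report: ScanSummary, max_findings: int = 0) -> bool:
    """True when the pipeline may proceed: findings within the agreed budget."""
    return report.total_found <= max_findings


def render_summary(report: ScanSummary) -> str:
    head = f"{report.scan_type} {report.timestamp}: {report.total_found} finding(s)"
    return "\n".join([head] + [f"  - {ep}" for ep in report.endpoints])


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print(render_summary(rep))
    raise SystemExit(0 if ci_gate(rep) else 1)  # non-zero exit fails the job
```

Point it at a real file with `load_report(open(path).read())`; the two `download` URLs collapse to one endpoint, so a reviewer sees two affected parameters rather than three payload variants.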
Docker automatically maps these directories:

| Host Directory | Container Path | Purpose |
|---|---|---|
| ./payloads/ | /app/payloads | Input: Attack payloads (read-only) |
| ./output/ | /app/output | Output: Raw scan data |
| ./reports/ | /app/reports | Reports: HTML/JSON vulnerability reports |

Accessing Reports:

```bash
# View latest LFI report
open ./reports/lfi_report_*.html      # macOS
xdg-open ./reports/lfi_report_*.html  # Linux
start ./reports/lfi_report_*.html     # Windows

# Parse JSON programmatically
python -m json.tool reports/sqli_report_*.json
```

RaidScanner has been tested against various intentionally vulnerable applications:
DVWU

Compatibility: Excellent (Custom-built for this project)

```bash
# Clone DVWU
git clone https://github.com/zahidoverflow/dvwu.git
cd dvwu

# Start DVWU
npm install
npm start

# Scan with RaidScanner
# LFI:  http://localhost:3000/api/download?file=
# SQLi: http://localhost:3000/api/search?query=
# XSS:  http://localhost:3000/api/comment?text=
# OR:   http://localhost:3000/api/redirect?url=
# CRLF: http://localhost:3000/api/newsletter?email=
```

Compatibility: Good (Requires security level: Low)

Compatibility: Moderate (Some lessons compatible)

Compatibility: Good (Multiple vulnerability types)

URL: http://testphp.vulnweb.com/

Compatibility: Excellent (Public test site)
Container issues:

```bash
# Check if container is running
docker ps

# View logs
docker logs raidscanner-web

# Restart service
docker compose restart raidscanner-web
```

Error: Chrome failed to start

Solution: Increase Docker shm_size to 2GB

```yaml
# In compose.yml
shm_size: '2gb'
```

Error: Connection timeout

Solution: Increase timeout in utils/config.py

```python
DEFAULT_TIMEOUT = 30  # Increase from 10
```

Volume permission errors:

```bash
# Fix volume permissions
sudo chown -R $USER:$USER ./output ./reports
chmod -R 755 ./output ./reports
```

Error: WebSocket disconnected

Solution: Check CORS settings and firewall

```python
# In app.py
CORS(app, resources={r"/*": {"origins": "*"}})
```

The wildcard accepts requests from any origin; if the dashboard is reachable beyond localhost, restrict it to the dashboard's own origin.

Enable debug logging:

```bash
# Set environment variable
export DEBUG=True

# Run with verbose logging
docker compose up raidscanner-web
```

Comprehensive documentation is available in the docs/ directory:
1. User Guide (docs/USER_GUIDE.md)
   - Installation instructions
   - Web GUI walkthrough
   - CLI usage guide
   - Troubleshooting tips

2. Developer Guide (docs/DEVELOPER_GUIDE.md)
   - Architecture overview
   - API documentation
   - Adding new scanners
   - Contributing guidelines

3. Project Context (docs/CONTEXT.md)
   - Complete project context (300 lines)
   - Technical implementation details
   - Performance characteristics
   - Version history

4. Other documentation
   - Detailed feature analysis
   - Bug tracking

5. OpenSpec (docs/openspec/)
   - Project specifications
   - Change proposals
Contributions are welcome! This project was built for educational purposes and community improvement.
1. Fork the Repository

   ```bash
   git clone https://github.com/zahidoverflow/raidscanner.git
   ```

2. Create Feature Branch

   ```bash
   git checkout -b feature/new-scanner
   ```

3. Make Changes
   - Add new scanner in `core/scanner_engine.py`
   - Update documentation
   - Add tests

4. Test Thoroughly

   ```bash
   # Test web mode
   docker compose up -d raidscanner-web

   # Test CLI mode
   docker compose run --rm raidscanner-cli
   ```

5. Submit Pull Request
   - Clear description of changes
   - Link to related issues
   - Include test results

Development setup:

```bash
# Clone repository
git clone https://github.com/zahidoverflow/raidscanner.git
cd raidscanner

# Create virtual environment
python3.11 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Run in development mode
export DEBUG=True
python app.py
```

See Developer Guide for detailed instructions on:
- Scanner architecture
- Adding detection methods
- Integrating with Web GUI and CLI
- Writing tests
This tool is designed for educational purposes and authorized security testing only.
You MUST have explicit written permission to scan any target system. Unauthorized scanning is illegal in most jurisdictions and may result in:
- Criminal prosecution
- Civil lawsuits
- Network bans
- Legal penalties

Authorized Activities:
- Scanning your own applications
- Penetration testing with client authorization
- Security research on intentionally vulnerable platforms (DVWA, DVWU, etc.)
- Educational use in controlled environments
- CTF competitions

Prohibited Activities:
- Scanning systems without permission
- Malicious exploitation of vulnerabilities
- Unauthorized data access
- Denial of service attacks
- Distribution of exploit results
The author and contributors are not responsible for:
- Any misuse of this tool
- Damage caused to target systems
- Legal consequences of unauthorized scanning
- Data breaches or loss
- Third-party actions
By using RaidScanner, you agree to:
- Use it only on authorized targets
- Comply with all applicable laws
- Take full responsibility for your actions
- Respect privacy and security of others
This project is licensed under the MIT License - see below for details:
MIT License
Copyright (c) 2025 Zahid Hasan Polash (zahidoverflow)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
- OWASP - For security research and vulnerability documentation
- Selenium - For browser automation capabilities
- Flask - For the excellent web framework
- Docker - For containerization technology
- Security Community - For continuous education and improvement
- Author: Md. Zahidul Islam (zahidoverflow)
- Contributor: Osman Faruque (osmanfaruque), Md Mehrab hossain (0xmehr4b)
- GitHub: https://github.com/zahidoverflow/raidscanner
- Docker Hub: https://hub.docker.com/r/zahidoverflow/raidscanner
- Issues: GitHub Issues
If you find RaidScanner useful for your security testing or educational purposes, please consider giving it a ⭐ on GitHub!

Made with ❤️ for the Security Community