
“AUTOSEC: Automated Web Application Security Scanner”

A
Major Project Report
submitted in partial fulfillment of the
requirements for the award of the degree of

B.TECH
in
CSF

by
Name               Roll No.
SAKSHI             R2142221109
VANSHIKA BHATIA    R2142221141

under the guidance of

Prof. Abhishek Yadav

School of Computer Science


University of Petroleum & Energy Studies
Bidholi, Via Prem Nagar, Dehradun, Uttarakhand
August-2025

1
CANDIDATE’S DECLARATION

I/We hereby certify that the project work entitled “Autosec” in partial fulfilment of the
requirements for the award of the Degree of B.TECH with specialization in CSF and submitted
to the Department of Systemics, School of Computer Science, University of Petroleum &
Energy Studies, Dehradun, is an authentic record of my/our work carried out during a period
from August 2025 to December 2025 under the supervision of Prof. Abhishek Yadav.

The matter presented in this project has not been submitted by me/us for the award of
any other degree of this or any other University.

Sakshi             R2142221109
Vanshika Bhatia    R2142221141
This is to certify that the above statement made by the candidate is correct to the
best of my knowledge.

Date: 27 August 2025                                   Prof. Abhishek Yadav
                                                       Project Guide

2
ACKNOWLEDGEMENT

We wish to express our deep gratitude to our guide, Prof. Abhishek Yadav, for all the advice,
encouragement and constant support she has given us throughout our project work. This work
would not have been possible without her support and valuable suggestions.

We are also grateful to the Dean, SoCS, UPES, for giving us the necessary facilities to carry out
our project work successfully. We also thank our Course Coordinator and our Activity
Coordinator, Dr. Keshav Sinha, for providing timely support and information during the
completion of this project.

We would like to thank all our friends for their help and constructive criticism during our
project work. Finally, we have no words to express our sincere gratitude to our parents, who
have shown us this world and have given us every support.

Name       Sakshi          Vanshika Bhatia
Roll No.   R2142221109     R2142221141

3
ABSTRACT

With the growing reliance on web applications, security vulnerabilities have become a critical
concern for organizations worldwide. This project proposes the design and development of
AutoSec, an automated web application security scanner capable of identifying vulnerabilities
listed in the OWASP Top 10. AutoSec will incorporate a target URL crawler, vulnerability
detection modules, and a risk scoring mechanism, followed by an automated reporting system.
The tool aims to assist developers and security analysts in identifying and mitigating potential
threats early in the software development lifecycle. Testing will be conducted using deliberately
vulnerable applications such as DVWA, bWAPP, and OWASP Juice Shop.

4
TABLE OF CONTENTS

S.No   Content               Page No.
1      Introduction          6
2      Literature Review     7
3      Problem Statement     9
4      Objectives            10
5      Methodology           11
6      SWOT Analysis         12
7      System Requirements   13
8      Conclusion            14
9      References            15

5
INTRODUCTION
The exponential growth of web-based applications has led to increased exposure to security
risks. Threat actors exploit vulnerabilities such as SQL injection, cross-site scripting, and
insecure configurations to gain unauthorized access, steal data, or disrupt services. Manual
vulnerability detection is time-consuming and requires a high level of expertise. This project
addresses the need for an automated, scalable, and user-friendly security scanner that can detect
and report vulnerabilities effectively.

6
LITERATURE REVIEW
Several automated security scanning tools, such as OWASP ZAP, Burp Suite, and Nikto,
provide comprehensive vulnerability scanning capabilities.

However:

• They may require manual configuration, limiting scalability.
• High licensing costs for premium features restrict accessibility.
• Limited integration capabilities for continuous deployment pipelines.

This project aims to bridge these gaps by developing a customizable, lightweight, and CI/CD-
friendly scanner using open-source libraries and APIs.

7
INFERENCE FROM LITERATURE

• Existing vulnerability scanners (e.g., Nikto, OWASP ZAP) are useful but often miss complex
  vulnerabilities.
• Most prior works highlight SQL Injection & XSS as dominant threats, but modern apps
  require broader coverage.
• Studies show a gap between academic models and real-world deployment of scanners.
• No single tool provides comprehensive, automated, and adaptive scanning.
• There is a strong need for a custom, lightweight, and extendable scanner that balances
  accuracy, automation, and usability.

8
PROBLEM STATEMENT
Current vulnerability assessment tools are often complex, expensive, or lack customization for
specific organizational needs. Small and medium enterprises struggle to implement effective
web application security testing due to cost and expertise limitations. There is a need for a cost-
effective, automated tool that is easy to deploy and capable of detecting vulnerabilities aligned
with OWASP Top 10 guidelines.

9
OBJECTIVES
• Develop a web crawler to identify and map internal links of the target application.
• Implement vulnerability detection modules for SQLi, XSS, CSRF, SSRF, insecure
  headers, and directory listing.
• Assign severity levels using the CVSS scoring methodology.
• Automatically generate detailed PDF/HTML reports with recommendations.
• Provide a web-based dashboard for scan management and report viewing.
• Ensure compatibility with CI/CD pipelines for DevSecOps integration.

10
METHODOLOGY
1. Requirement Analysis & Design

Identify OWASP Top 10 vulnerabilities and their detection mechanisms.

2. Development of Crawler

Build a recursive URL crawler using BeautifulSoup/Scrapy.

3. Vulnerability Testing Modules

Implement payload injection and response analysis for SQLi, XSS, CSRF, SSRF, and
header misconfigurations.

4. Risk Scoring Engine

Calculate severity scores based on CVSS metrics.

5. Report Generation

Create PDF/HTML reports with findings and recommendations.

6. User Interface Development

Implement a web dashboard using Flask/Django and Bootstrap/Tailwind.

7. Testing & Evaluation

Use DVWA, bWAPP, and Juice Shop to validate detection accuracy.

8. Documentation & Submission

Prepare final documentation and presentation.
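The crawler, detection-module and report-generation steps above form one pipeline, and the following added example (not AutoSec's own code, and not based on BeautifulSoup/Scrapy or Flask) shows them fitting together end to end. To stay runnable offline, the standard-library html.parser extracts links and titles, and the SITE map of three pages with hand-picked response headers is a constructed stand-in for the live fetches that requests would perform against a target such as DVWA. The checks shown are the passive ones from the objectives (missing security headers, version disclosure in the Server header, directory listing), which need no payload injection; the crawler honours the "internal links only" objective by comparing scheme and host against the start URL.

```python
"""Crawler -> passive checks -> HTML report. Added example, not AutoSec's code:
html.parser stands in for BeautifulSoup/Scrapy and the SITE map below stands in
for live requests.get() calls, so the whole pipeline runs offline."""
from collections import deque
from html import escape
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlsplit

# Constructed sample site: URL -> (status, headers, body). Not a real host.
LAX = {"Server": "Apache/2.4.41 (Ubuntu)", "Content-Type": "text/html"}
STRICT = {"Server": "Apache", "Content-Type": "text/html",
          "Strict-Transport-Security": "max-age=31536000",
          "Content-Security-Policy": "default-src 'self'",
          "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
SITE = {
    "http://app.example/": (200, LAX,
        '<html><head><title>Home</title></head><body><a href="/login">Login</a>'
        '<a href="/uploads/">Files</a><a href="https://cdn.example/x.js">cdn</a>'),
    "http://app.example/login": (200, STRICT,
        '<html><head><title>Login</title></head><body><a href="/">Home</a>'),
    "http://app.example/uploads/": (200, LAX,
        '<html><head><title>Index of /uploads</title></head><body>'
        '<a href="backup.zip">backup.zip</a>'),
}
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")


class LinkExtractor(HTMLParser):
    """Collects <a href> values and the <title> text of one page."""

    def __init__(self):
        super().__init__()
        self.links, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def crawl(start, max_pages=50):
    """Breadth-first crawl that follows only links on the start URL's origin."""
    origin = urlsplit(start)
    seen, queue, pages = set(), deque([start]), {}
    while queue and len(pages) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        status, headers, body = SITE.get(url, (404, {}, ""))  # stand-in fetch
        if status != 200:
            continue
        parser = LinkExtractor()
        parser.feed(body)
        pages[url] = (headers, parser.title)
        for href in parser.links:
            absolute, _ = urldefrag(urljoin(url, href))
            parts = urlsplit(absolute)
            if (parts.scheme, parts.netloc) == (origin.scheme, origin.netloc):
                queue.append(absolute)  # internal link: same scheme and host
    return pages


def passive_checks(url, headers, title):
    """Findings that need no payloads, as (url, severity, description) tuples."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [(url, "Low", f"Missing {name} header")
                for name in REQUIRED_HEADERS if name.lower() not in h]
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append((url, "Low", f"Server header discloses version: {server}"))
    if title.strip().lower().startswith("index of"):
        findings.append((url, "Medium", "Directory listing enabled"))
    return findings


def scan(start):
    """Crawl from start and run the passive checks over every page reached."""
    return [f for url, (hdrs, title) in crawl(start).items()
            for f in passive_checks(url, hdrs, title)]


def html_report(findings):
    """Render findings as an HTML table; escape() keeps scanned data inert."""
    rows = "".join(f"<tr><td>{escape(s)}</td><td>{escape(u)}</td><td>{escape(d)}</td></tr>"
                   for u, s, d in findings)
    return ("<html><body><h1>Scan report</h1><table><tr><th>Severity</th>"
            "<th>URL</th><th>Finding</th></tr>" + rows + "</table></body></html>")


if __name__ == "__main__":
    for url, sev, desc in scan("http://app.example/"):
        print(f"{sev:6} {url}  {desc}")
```

Two details matter when this is turned into a real scanner: the external cdn.example link is dropped by the origin check so the crawler never wanders off the authorised target, and every value that reaches the report passes through escape(), because a scanner that pastes page titles or header values into its own HTML report would otherwise reproduce the scanned site's scripting problems in the analyst's browser.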

11
SWOT Analysis

Strengths

• Automated, lightweight, and user-friendly.
• Detects common web vulnerabilities (SQLi, XSS, weak passwords).

Weaknesses

• Limited to selected vulnerabilities.
• Not a replacement for professional pentesting tools.

Opportunities

• Can integrate with CI/CD for DevSecOps.
• Extendable to mobile and cloud applications.

Threats

• Competition from established tools (Burp, ZAP).
• Attackers continuously evolve techniques.

12
SYSTEM REQUIREMENTS
Hardware Requirements

• Processor: Intel i3 (or above)
• RAM: 4 GB (8 GB recommended)
• Storage: 500 MB free disk space
• OS: Windows / Linux / macOS

Software Requirements

• Programming Language: Python 3.x
• Frameworks/Libraries:
    o requests, BeautifulSoup (for crawling & parsing)
    o re (regex for pattern matching)
    o selenium (for dynamic content scanning)
• Database: SQLite / MySQL (for storing scan results)
• Testing Environment: DVWA / OWASP Juice Shop
• IDE/Tools: PyCharm / VS Code, Git, Docker (optional)

13
CONCLUSION
Justification of Objectives:

1. Growing Cybersecurity Threats: Increasing SQL injection, XSS, and weak
   authentication attacks demand automated scanners.
2. Automation Need: Manual vulnerability testing is slow, error-prone, and requires expert
   knowledge; automation makes it accessible.
3. Educational & Research Value: Helps students, researchers, and developers understand
   web vulnerabilities through hands-on testing.
4. Cost-Effective: An open-source, lightweight tool avoids dependency on expensive
   enterprise scanners (e.g., Burp Suite, Acunetix).
5. Testing Environment Compatibility: Designed to integrate with DVWA, OWASP
   Juice Shop, and real-world web apps.
6. Scalability: The modular design allows future inclusion of more vulnerabilities (CSRF,
   LFI, etc.).

Future Scope:

• Expand Vulnerability Coverage: Include CSRF, LFI, RFI, SSRF, Command Injection, and
  Directory Traversal checks.
• Machine Learning Integration: Use ML models to classify suspicious payload responses for
  smarter detection.
• Real-Time Monitoring: Develop an agent for continuous scanning of live web apps.
• Cloud-Based Deployment: Offer a SaaS model for remote scanning with centralized reporting.
• Visualization Dashboard: Add graphical reports for vulnerability trends and risk
  prioritization.
• Integration with DevSecOps: Automate scanning within CI/CD pipelines (Jenkins, GitHub
  Actions).
• Mobile App Security: Extend scanning to hybrid/mobile app APIs.
• Self-Healing Mechanism: Suggest and apply automated patch recommendations where
  feasible.

14
REFERENCES

• Fonseca et al. (2007) – Proposed vulnerability & attack injection to test robustness of
  web security mechanisms. Showed how systematic testing can reveal hidden flaws.
• Doupe et al. (2010) – Compared black-box scanners and found that many miss critical
  vulnerabilities, stressing the need for more accurate automated tools.
• Bau et al. (2010) – Provided a benchmark study of web application vulnerability
  scanners, highlighting key techniques and their limitations.
• OWASP ZAP (2023) – An open-source, widely used tool for web vulnerability scanning.
  Serves as a baseline model for automated testing systems.
• Nikto (2023) – Open-source web server scanner that detects outdated versions,
  configuration issues, and common vulnerabilities.
• Halfond et al. (2006) – Classified SQL Injection attacks and reviewed countermeasures,
  forming the foundation for modern SQLi detection techniques.

15