This project aims to simplify the field of Dynamic Application Security Testing. The OSTE meta scanner is a comprehensive web vulnerability scanner that combines multiple DAST scanners, including Nikto Scanner, ZAP, Nuclei, SkipFish, and Wapiti.
This software offers a user-friendly graphical interface which presents a comprehensive report for each scan, making the scanning process effortless and straightforward.
The main focus of this scanner is on web injection vulnerabilities such as SQL injection, XSS injection, OS command injection, XML injection, and many more. Additionally, it provides a list of vulnerabilities supported by each scanner, apart from injection vulnerabilities.
We offer two types of reports. The first is a consolidated report in JSON format, which includes important reports from each scanner. It contains details such as the vulnerability, the corresponding URL, the parameter used, the Curl command, the attack vector, a description of the vulnerability, and more.
The second report is an HTML file format that specifically highlights successful injection attacks. Our results and decisions are based on a novel learning algorithm proposed during the ("A Meta-Scan based approach for the detection of injection vulnerabilities in Web applications.", -University May 8, 1945 -Guelma -, Computer Science Department, Presented by: SEYYID TAQY EDINE OUDJANI, Supervised by: DR. ABDELHAKIM HANNOUSSE. 2023). [https://dspace.univ-guelma.dz/jspui/handle/123456789/15028].
List of Main Vulnerabilities supported:
- Injection
- SQL injection
- Cross site scripting
- OS command injection
- XML injection
- XSLT injection
- XML External entites
- code injection
- host header injection
- html injection
- Template injection (server-side)
- CRLF injection
- OGNL injection
- Other vulnerabilities (refer to the repository of each scanner for a complete list.)
- Skipfish Vulnerabilities support List.
- Wapiti Vulnerabilities support List.
- ZAP Active Attack list.
- Nikto Vulnerabilities support List (Specified: Tunning 9 & 4).
- Nuclei CVE-Template.
The installation process requires a specific set of requirements. While this project is primarily supported on Kali Linux, it can also be compatible with other operating systems:
- ZAP:
- kaliLinux: [ sudo apt install zaproxy ]
- Other OSs: [ https://github.com/zaproxy/zaproxy ]
- Wapiti:
- kaliLinux: [ sudo apt install wapiti ]
- Other OSs: [ https://wapiti-scanner.github.io/ ]
- Skipfish:
- kaliLinux: [ sudo apt install skipfish ]
- Other OSs: [ https://gitlab.com/kalilinux/packages/skipfish ]
- Nikto :
- kaliLinux: [ sudo apt install nikto ]
- Other OSs: [ https://github.com/sullo/nikto ]
- Nuclei:
- kaliLinux: [ sudo apt install nuclei ]
- Other OSs: [ https://github.com/projectdiscovery/nuclei ]
- Python 3 * Libraries:
- customtkinter
- zapv2
- jinja2
- webbrowser
- PIL
- matplotlib
- BeautifulSoup
- pprint
- optional requirments for more features:
- XAMP server
- NPM
(Note: Please note that I will be creating a bash script to automate the installation steps for Linux users as soon as possible.)
After cloning the repository to your local machine, you can initiate the application by executing the command python3 Metascan.py.
Then, you can navigate through the interface of the application.
A Docker image is available in OSTEscaner directory. It is based on kali linux and will need a xserver to display the python GUI. On linux, you probably already have one runnig, on windows (including WSL) good oss servers are vcxsrv or xming.
first export your display:
Linux: export DISPLAY=:0.0
Windows (wsl): export DISPLAY="$(grep nameserver /etc/resolv.conf | sed 's/nameserver //'):0"
then build & run the docker image:
docker build -t metascan .
docker run -e DISPLAY=$DISPLAY --network=host metascan
troubleshooting:
- xdisplay for docker maybe tricky and you may face the
_tkinter.TclError: couldn't connect to displayerror. As it is based on network communication, yo may need to include your local ip address: e.g.export DISPLAY:192.168.100.5:0.0, on windows you may look for tutorial on xming and install additional fonts. - the apt commands during the build sometimes fails due to kali.org network error (
Failed to fetch http://http.kali.org/) just retry the build
We welcome contributions to enhance and improve this project.
either by donation :
or by your power of mind .contribute, please follow these guidelines:
- Fork the repository and create a new branch for your contribution.
- Ensure that your code adheres to the project's coding standards.
- Make your changes, addressing the specific issue or adding the proposed enhancement.
- Test your changes thoroughly.
- Commit your changes and provide a clear and descriptive commit message.
- Push your changes to your forked repository.
- Submit a pull request, detailing the changes you've made and providing any relevant information or context.
Please note that all contributions will be reviewed by the project maintainers. We appreciate your effort and will do our best to provide timely feedback.
If you have any questions or need further clarification, feel free to reach out to us through the issue tracker or by contacting the project maintainers directly.
This project is under GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007.
This project is intended for educational purposes and aims to simplify the overall assessment of cybersecurity. However, we want to emphasize that we are not liable for any malicious use of this application. It is crucial that users of this software exercise responsibility and ethical behavior. We strongly recommend notifying the targets or individuals involved before utilizing this software.
linkdin:(https://www.linkedin.com/in/oudjani-seyyid-taqy-eddine-b964a5228)
