WebSecScan
Open-Source Web Security Scanner for Academic Research
WebSecScan is a modular, deterministic web vulnerability scanner built with Next.js and TypeScript. Designed for security research, education, and ethical penetration testing, it provides rule-based detection of common web vulnerabilities aligned with OWASP Top 10 2025.
Key Features
- ✅ Static Analysis — JavaScript/TypeScript and HTML security analysis
- ✅ Dynamic Testing — Safe, non-destructive runtime vulnerability detection
- ✅ Library Scanning — Known vulnerability detection in dependencies
- ✅ OWASP 2025 Aligned — Up-to-date vulnerability categorization
- ✅ Authenticated Scanning — Session-based testing capabilities
- ✅ Real-time Logging — Live scan progress with Server-Sent Events (SSE)
- ✅ Deterministic Results — Reproducible, auditable findings
Who Is This For?
- Graduate Students building security tools for thesis work
- Security Researchers studying vulnerability detection methodologies
- Educators teaching web security concepts with real code examples
- Developers learning secure coding practices
Project Philosophy
WebSecScan emphasizes:
- Transparency — All detection logic is rule-based and auditable
- Reproducibility — Scans produce consistent, deterministic results
- Safety — Non-destructive testing with explicit permission checks
- Education — Clear documentation suitable for learning
This is an academic research tool, not a commercial product. It prioritizes correctness and clarity over speed or comprehensive coverage.
Technology Stack
| Component | Technology | Version |
|---|---|---|
| Framework | Next.js | 16.1.0 |
| Language | TypeScript | 5.x (strict mode) |
| Runtime | Node.js | ≥18.x |
| Database | Prisma ORM | Latest |
| Browser Testing | Playwright | Latest |
| HTML Parsing | Cheerio | Latest |
| UI | React 19 + Tailwind CSS | Latest |
| Testing | Node Test Runner | Built-in |
Quick Start
For Users
- Installation & First Scan — Get the scanner running locally (5 minutes)
- Features Overview — Understand what the scanner can do
- Security & Ethics — Legal guidelines and authorization requirements
- Deployment — Set up in production
For Developers
- Architecture Overview — Understand system design
- How Scanning Works — Scan modes and methodology
- API Reference — REST API and Server Actions
- Development Setup — Configure your environment
- Testing Guide — Write and run tests
- Contributing — Submit pull requests
For Researchers
- OWASP 2025 Mapping — Vulnerability categorization and 2021→2025 migration
- Static Analysis Rules — JavaScript/HTML detection patterns
- Dynamic Testing Methodology — Safe testing approach for runtime vulnerabilities
- Reducing False Positives — Confidence scoring and accuracy
- Academic References — OWASP, security standards, research papers
For Operations
- Deployment Guide — Docker, Docker Compose, manual setup
- Security & Ethics — Legal and audit logging
- FAQ — Common deployment questions
⚠️ Legal & Ethical Notice
Only scan systems you own or have explicit written permission to test.
Unauthorized security testing may be illegal. WebSecScan is designed for:
- Testing your own applications
- Academic research on authorized targets
- Security education in controlled environments
See Security & Ethics for detailed guidelines.
Core Concepts
Scan Modes
WebSecScan operates in three modes:
| Mode | What it does | Speed | Coverage |
|---|---|---|---|
| Static Only | Analyzes source code patterns | Very Fast | Broad |
| Dynamic Only | Runtime testing via HTTP requests | Moderate | Deep |
| Both | Combined analysis | Moderate-Slow | Comprehensive |
Vulnerability Categories
All findings are classified using OWASP Top 10 2025:
- A01:2025 — Broken Access Control (includes SSRF)
- A02:2025 — Security Misconfiguration
- A03:2025 — Software Supply Chain Failures
- A04:2025 — Cryptographic Failures
- A05:2025 — Injection (SQL, Command, XPath)
- A06:2025 — Insecure Design
- A07:2025 — Authentication Failures
- A08:2025 — Software or Data Integrity Failures
- A09:2025 — Security Logging and Alerting Failures
- A10:2025 — Mishandling of Exceptional Conditions
See OWASP 2025 Mapping for complete reference.
Documentation
| Section | Purpose |
|---|---|
| Getting Started | Installation, first scan, basic usage |
| Features | Overview of capabilities and features |
| Architecture | System design, components, request flow |
| Scanning | How static/dynamic analysis works |
| Security | OWASP taxonomy, ethics, detection details |
| API | REST endpoints and Server Actions |
| Development | Setup, testing, contributing guidelines |
| Deployment | Production setup and configuration |
| References | Academic sources and standards |
| FAQ | Common questions and troubleshooting |
Getting Help
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Live Demo: https://web-sec-scan.vercel.app
- Documentation: You're reading it!
Resources
| Resource | URL |
|---|---|
| GitHub Repository | https://github.com/Pranavraut033/WebSecScan |
| Live Demo | https://web-sec-scan.vercel.app |
| Documentation Site | https://pranavraut033.github.io/WebSecScan/ |
| Test Fixtures Repo | https://github.com/Pranavraut033/WebSecScan-TestFixtures |
| Test Fixtures Docker | https://github.com/Pranavraut033/WebSecScan-TestFixtures/pkgs/container/websecscan-test-fixtures |
Contributing
Contributions are welcome! See Contributing Guide for:
- Code standards and requirements
- Testing and documentation expectations
- Pull request process
- Mandatory project rules
Project Status
Status: Active Development
Latest Version: 2.0.0
Last Updated: January 2026
Ready to start? Head to Getting Started →