This repository contains a Django-based API for performing basic vulnerability assessments on target web applications.
arjunraj79/VAPT-API-for-Automated-Vulnerability-Scanning
VAPT API: Automated Vulnerability Scanner

This project is a Django-based API for automated vulnerability scanning of web applications. Given a target URL, the API performs port scanning, security header validation and a basic SQL injection test, and returns the results as JSON. It supports multiple HTTP methods (GET, POST, PUT, PATCH, DELETE, HEAD) and is designed to be integrated into security workflows for developers and security professionals. The project uses Django, Python and the REST framework, with Postman for testing and GitHub for version control. It aims to build skills in API development, security testing and software engineering best practices.

Features

  • Vulnerability Scanning:
    • Performs port scanning to identify open ports.
    • Checks for missing security headers (e.g., X-XSS-Protection, Content-Security-Policy).
    • Conducts a simple SQL injection test.
  • Reporting: Returns scan results in JSON format, including:
    • Open ports
    • Missing security headers
    • SQL injection vulnerabilities (if any)
  • Flexibility: Accepts both raw JSON and form data in requests.
  • Multiple HTTP Methods: Supports GET, POST, PUT, PATCH, DELETE, and HEAD requests.
  • Error Handling: Provides informative error messages for invalid requests or unexpected errors.
  • CSRF Exemption: The API endpoint is exempt from CSRF protection for easier testing and integration.

Getting Started

Prerequisites

  • Python 3.7 or higher
  • pip (Python package installer)
  • Postman (for API testing)

Installation

  1. Clone the repository:

    git clone https://github.com/arjunraj79/VAPT-API-for-Automated-Vulnerability-Scanning.git
    
  2. Create a virtual environment:

    python -m venv venv
    
  3. Activate the virtual environment:

    source venv/bin/activate
    
  4. Install the dependencies:

    pip install -r requirements.txt
    

Running the API

  1. Start the Django development server:

    python manage.py runserver
    
  2. The API will be accessible at http://127.0.0.1:8000/api/scan/.

Making API Requests

You can use Postman or any other API testing tool to make requests to the API endpoint.

Example using Postman (GET request)

  1. Open Postman and create a new request.
  2. Select GET as the HTTP method.
  3. Enter the URL: http://127.0.0.1:8000/api/scan/.
  4. Go to the "Params" tab.
  5. Add a key-value pair with url as the key and the target URL as the value (e.g., url: https://www.example.com).
  6. Click the "Send" button.

Example using cURL (POST request with JSON)

    curl -X POST -H "Content-Type: application/json" -d '{"url": "https://www.example.com"}' http://127.0.0.1:8000/api/scan/

API Documentation

Endpoint: /api/scan/

Methods: GET, POST, PUT, PATCH, DELETE, HEAD

Request Body (for POST, PUT, PATCH):

  • url (string): The URL of the target website to scan.

Response Body:

    {
        "open_ports": [80, 443],
        "missing_security_headers": ["X-XSS-Protection", "Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options"],
        "sql_injection_vulnerability": false
    }
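The header check the response above reports on, plus a validator for the url parameter, as an added example that is not part of this repository's code. It assumes a hypothetical allowed_hosts allow-list supplied by whoever deploys the API, since the CSRF-exempt endpoint otherwise accepts any target; the SAMPLE_HEADERS mapping is constructed input.

```python
import ipaddress
from urllib.parse import urlsplit

# The four headers the scanner's sample response reports on.
REQUIRED_HEADERS = (
    "X-XSS-Protection",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
)

def missing_security_headers(response_headers):
    """Return the required headers absent from an HTTP response.

    Header names are case-insensitive (RFC 9110), so a lower-case
    'content-security-policy' satisfies 'Content-Security-Policy'.
    """
    present = {name.lower() for name in response_headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

def validate_target(url, allowed_hosts):
    """Return (ok, reason) for a 'url' value submitted to /api/scan/.

    allowed_hosts is a hypothetical allow-list of hostnames this
    deployment may scan; non-HTTP schemes and literal loopback,
    private or link-local IPs are refused as well.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return False, "private, loopback or link-local address"
    if host not in allowed_hosts:
        return False, "host not in allow-list"
    return True, "ok"

# Constructed sample response headers, as a client library would expose them.
SAMPLE_HEADERS = {
    "content-type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "x-frame-options": "DENY",
}
```

Calling validate_target before the scanner runs lets a deployment refuse scans of hosts it does not own, and missing_security_headers produces the missing_security_headers list shown in the response body.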

Screenshots and Output

Contributing

Contributions are welcome! Feel free to open issues or submit pull requests.
