Spaces:
Runtime error
# IntelliScan — Conception & Design Document
Project: IntelliScan — AI-Powered Web Vulnerability Scanner
Version: 1.0.0
Author: SABKARI Mohamed
Institution: Ibn Tofail University, Kenitra, Morocco
Academic Context: Master's Thesis (PFE) — Cybersecurity & AI, 2025–2026
Supervisor: Pr. Youssef FAKHRI
License: MIT
Date: May 2026
Table of Contents
- Project Overview
- Functional Requirements
- System Architecture
- Detailed Module Design
- ML Classifier Design
- Database / Persistence Design
- Interface Design
- Security & Ethical Design
- Test Strategy
- Deployment Design
- Technology Choices Justification
- Limitations & Future Work
1. Project Overview
1.1 Problem Statement
Web application vulnerabilities remain one of the most exploited attack vectors in cybersecurity. According to the OWASP Top 10 (2021), injection flaws (SQLi), Cross-Site Scripting (XSS), and insecure file handling (LFI) consistently rank among the most critical threats. Existing vulnerability scanners present several limitations:
| Scanner | Limitation |
|---|---|
| OWASP ZAP | Complex UI, steep learning curve, no ML-based detection |
| Burp Suite | Commercial license required for advanced features |
| Nikto | Signature-only, no adaptive classification |
| SQLMap | Single vulnerability type (SQLi only) |
| w3af | Discontinued maintenance, outdated engine |
IntelliScan addresses these gaps by combining signature-based detection with machine learning classification in a unified, open-source, modular pipeline. The dual-approach design provides both the reliability of known-pattern matching and the adaptability of behavioral ML classification.
1.2 Objectives and Scope
Primary Objectives:
- Automate authenticated crawling and vulnerability detection for SQLi, XSS, and LFI
- Provide a dual detection engine (signature + Random Forest ML) to improve detection confidence
- Generate professional PDF reports suitable for stakeholder communication
- Offer a modular, extensible architecture enabling future vulnerability type additions
Scope Boundaries:
- In scope: SQLi, reflected XSS, stored XSS, LFI on HTTP/HTTPS targets
- Out of scope (v1.0): CSRF, SSRF, command injection, blind SQLi, DOM XSS, API fuzzing
1.3 Target Users
| Actor | Profile | Use Case |
|---|---|---|
| Penetration Tester | Security professional with CLI experience | Authorized vulnerability assessments |
| Developer | Web developer integrating security into CI/CD | Pre-deployment security checks |
| Academic Researcher | Student/professor studying ML-based detection | Benchmarking detection algorithms |
| Security Auditor | Compliance officer reviewing application security | Generating audit evidence (PDF reports) |
1.4 Ethical and Legal Framework
IntelliScan is designed exclusively for authorized security testing. The tool enforces:
- Explicit consent requirement: Users must have written authorization before scanning
- Identification header: All HTTP requests include
User-Agent: IntelliScan/1.0 - Rate limiting: 0.1s delay between requests to minimize target impact
- Scope restriction: Crawler enforces same-domain policy and blacklists sensitive paths
Legal compliance:
- Morocco — Loi 09-08: Data protection for scan results containing PII
- EU — RGPD/GDPR: Applicable when scanning EU-hosted targets
- US — CFAA: Unauthorized access prohibition; IntelliScan requires explicit authorization
- Responsible Disclosure: Tool documentation recommends coordinated disclosure practices
2. Functional Requirements
2.1 Use Cases
┌──────────────────────────────────────────────────────────────â”
│ IntelliScan System │
│ │
│ ┌─────────┠┌──────────────────────────────────────┠│
│ │ Security │───>│ UC-01: Run Full Scan Pipeline │ │
│ │ Analyst │ └──────────────────────────────────────┘ │
│ │ │ ┌──────────────────────────────────────┠│
│ │ │───>│ UC-02: Crawl Target Only │ │
│ │ │ └──────────────────────────────────────┘ │
│ │ │ ┌──────────────────────────────────────┠│
│ │ │───>│ UC-03: Train ML Classifier │ │
│ │ │ └──────────────────────────────────────┘ │
│ │ │ ┌──────────────────────────────────────┠│
│ │ │───>│ UC-04: Generate Payload Variants │ │
│ │ │ └──────────────────────────────────────┘ │
│ │ │ ┌──────────────────────────────────────┠│
│ │ │───>│ UC-05: View PDF Report │ │
│ └─────────┘ └──────────────────────────────────────┘ │
│ │
│ ┌─────────┠┌──────────────────────────────────────┠│
│ │ CI/CD │───>│ UC-06: Automated Scan (CLI) │ │
│ │ Pipeline│ └──────────────────────────────────────┘ │
│ └─────────┘ │
│ │
│ ┌─────────┠┌──────────────────────────────────────┠│
│ │ Discord │<───│ UC-07: Receive Scan Notification │ │
│ │ Channel │ └──────────────────────────────────────┘ │
│ └─────────┘ │
└──────────────────────────────────────────────────────────────┘
2.2 Functional Requirements per Module
Module 1 — Crawler
| ID | Requirement | Priority |
|---|---|---|
| FR-CRAWL-01 | Authenticate via POST /login.php with CSRF token extraction | Must |
| FR-CRAWL-02 | Set DVWA security level to "low" automatically | Must |
| FR-CRAWL-03 | BFS traversal with configurable MAX_DEPTH (default=5) | Must |
| FR-CRAWL-04 | Limit to MAX_PAGES (default=200) to prevent infinite crawling | Must |
| FR-CRAWL-05 | Extract HTML forms with action, method, input names/types/values | Must |
| FR-CRAWL-06 | Extract URL query parameters from discovered pages | Must |
| FR-CRAWL-07 | Enforce same-domain policy (no off-site crawling) | Must |
| FR-CRAWL-08 | Blacklist sensitive paths (/logout.php, /setup.php, /.git/, /.env) | Must |
| FR-CRAWL-09 | Output results.json with structured crawl data | Must |
Module 2 — Injector
| ID | Requirement | Priority |
|---|---|---|
| FR-INJ-01 | Load payloads from payloads/ directory (sqli.txt, xss.txt, lfi.txt) | Must |
| FR-INJ-02 | Support GET and POST injection methods | Must |
| FR-INJ-03 | Concurrent injection via ThreadPoolExecutor (MAX_CONCURRENT=8) | Must |
| FR-INJ-04 | Auto-fetch CSRF token for POST forms (user_token) | Must |
| FR-INJ-05 | Capture status_code, response_len, response_body (truncated 8000 chars) | Must |
| FR-INJ-06 | Support DVWA_FORMS fallback definitions for 4 endpoints | Should |
| FR-INJ-07 | Output injection_results.json | Must |
Module 3 — Analyzer
| ID | Requirement | Priority |
|---|---|---|
| FR-ANAL-01 | Detect SQLi via "first name:" count and SQL_ERROR_PATTERNS (8 patterns) | Must |
| FR-ANAL-02 | Detect XSS via payload reflection check and XSS_DANGEROUS_PATTERNS | Must |
| FR-ANAL-03 | Detect LFI via LFI_SIGNATURES (root:x:0:0, /bin/bash, etc.) | Must |
| FR-ANAL-04 | Assign severity: sqli=HIGH, xss_r=MEDIUM, xss_s=HIGH, lfi=HIGH | Must |
| FR-ANAL-05 | Label each result as VULNERABLE or NOT_VULNERABLE with reason | Must |
| FR-ANAL-06 | Output labeled_results.json | Must |
Module 4 — ML Classifier
| ID | Requirement | Priority |
|---|---|---|
| FR-ML-01 | Extract 8 behavioral features (no data leakage) | Must |
| FR-ML-02 | Train RandomForestClassifier (100 trees, balanced, max_depth=10) | Must |
| FR-ML-03 | 80/20 stratified train-test split | Must |
| FR-ML-04 | 5-fold cross-validation with F1-weighted scoring | Must |
| FR-ML-05 | Persist model + mean_response_len_per_type via joblib | Must |
| FR-ML-06 | Require minimum 4 samples to train | Must |
| FR-ML-07 | Produce TrainingReport with metrics and feature importances | Must |
Module 5 — Payload Generator
| ID | Requirement | Priority |
|---|---|---|
| FR-GEN-01 | Case alternation mutation (not for LFI) | Must |
| FR-GEN-02 | SQL comment insertion (sqli only) | Must |
| FR-GEN-03 | Quote substitution ' ↔ " (not for LFI) | Must |
| FR-GEN-04 | URL encoding (urllib.parse.quote) | Must |
| FR-GEN-05 | Double URL encoding | Must |
| FR-GEN-06 | Whitespace variation (double space, tab, /**/) | Must |
| FR-GEN-07 | Deduplicate generated variants | Must |
Module 6 — Reporter
| ID | Requirement | Priority |
|---|---|---|
| FR-REP-01 | Cover page with target, date, severity summary boxes | Must |
| FR-REP-02 | Executive summary with statistics table by vuln type | Must |
| FR-REP-03 | Detailed findings with severity badge, URL, payload, reason | Must |
| FR-REP-04 | Remediation recommendations (5 per vuln type) | Must |
| FR-REP-05 | Methodology & disclaimer section | Must |
| FR-REP-06 | Output report.pdf using fpdf2 | Must |
2.3 Non-Functional Requirements
| ID | Category | Requirement | Target |
|---|---|---|---|
| NFR-01 | Performance | Complete full scan of DVWA in < 5 minutes | < 300s |
| NFR-02 | Performance | Concurrent injection with 8 workers | 4-8x speedup |
| NFR-03 | Reliability | Retry failed HTTP requests (3 retries, exponential backoff) | 99% delivery |
| NFR-04 | Security | Rate limit requests to 0.1s minimum interval | Responsible scanning |
| NFR-05 | Portability | Run on Python 3.10+ across Windows, Linux, macOS | Cross-platform |
| NFR-06 | Portability | Docker Compose deployment with DVWA test target | One-command setup |
| NFR-07 | Maintainability | Modular pipeline architecture (6 independent modules) | Low coupling |
| NFR-08 | Maintainability | >80% unit test coverage | pytest-cov |
| NFR-09 | Usability | Rich CLI output with colored tables and progress | Developer UX |
| NFR-10 | Extensibility | JSON intermediate files enable module replacement | Plugin-ready |
3. System Architecture
3.1 High-Level Pipeline Diagram
┌─────────────┠┌─────────────┠┌─────────────â”
│ TARGET │ │ PAYLOADS │ │ CONFIG │
│ Web App │ │ sqli.txt │ │ config.py │
│ (DVWA) │ │ xss.txt │ │ Constants │
└──────┬───────┘ │ lfi.txt │ └──────┬───────┘
│ └──────┬──────┘ │
▼ │ │
┌──────────────┠│ ┌─────────▼────────â”
│ MODULE 1 │ │ │ HttpClient │
│ Crawler │◄───────────┼─────────│ (Session, │
│ BFS + Auth │ │ │ Retry, CSRF) │
└──────┬───────┘ │ └──────────────────┘
│ │
▼ results.json │
┌──────────────┠│
│ MODULE 2 │◄───────────┘
│ Injector │
│ GET / POST │
└──────┬───────┘
│
â–¼ injection_results.json
┌──────────────â”
│ MODULE 3 │
│ Analyzer │
│ Signatures │
└──────┬───────┘
│
â–¼ labeled_results.json
┌────┴─────────────────â”
│ │
â–¼ â–¼
┌──────────────┠┌──────────────â”
│ MODULE 4 │ │ MODULE 6 │
│ ML Class. │ │ Reporter │
│ Rand Forest │ │ PDF (fpdf2) │
└──────┬───────┘ └──────┬───────┘
│ │
â–¼ â–¼
model.pkl report.pdf
┌──────────────â”
│ MODULE 5 │ (independent — can run standalone)
│ Payload Gen │
│ 6 Mutations │
└──────┬───────┘
│
â–¼
all_payloads.json
Note: Generate high-resolution PNG versions with
python docs/generate_diagrams.py
3.2 Module Dependency Graph
┌─────────────────â”
│ __main__.py │
│ CLI (Click) │
└────────┬────────┘
│
┌────────▼────────â”
│ core.py │
│ IntelliScan │
└────────┬────────┘
│
┌───────┬───────┬───┼───┬───────┬───────â”
▼ ▼ ▼ │ ▼ ▼ ▼
crawler injector anal │ classif pgen reporter
.py .py .py │ .py .py .py
│ │ │ │ │ │ │
▼ ▼ │ │ │ │ │
http_client.py │ │ │ │ │
â–¼ â–¼ â–¼ â–¼ â–¼
┌──────────────────────────â”
│ config.py │
│ (All constants, Final) │
└──────────────────────────┘
3.3 Component Interaction Description
The IntelliScan orchestrator (core.py) implements the Pipeline design pattern:
- Crawler authenticates and explores the target via BFS, producing a site map
- Injector reads discovered forms/params and delivers payloads concurrently
- Analyzer applies signature-based heuristics to label each injection result
- ML Classifier trains a Random Forest on the labeled data for secondary classification
- Payload Generator produces WAF-bypass variants (runs independently)
- Reporter compiles all findings into a professional PDF report
Key design principles:
- Loose coupling: Modules communicate exclusively via JSON files
- Single responsibility: Each module has one clearly defined role
- Fail-safe orchestration: ML training is skipped if <4 samples; individual module failures don't crash the pipeline
4. Detailed Module Design
4.1 Module 1 — Crawler (crawler.py)
Purpose: Authenticated BFS exploration of the target web application to discover all injectable forms and URL parameters.
Input/Output:
| Direction | Data | Format |
|---|---|---|
| Input | Target URL, optional credentials (user:password) | CLI arguments |
| Output | Site map with forms and URL params | results.json |
Key Algorithms:
- BFS traversal using
collections.dequewith(url, depth)tuples - CSRF token extraction via BeautifulSoup parsing of
input[name=user_token] - Form extraction parsing
<form>,<input>,<textarea>,<select>elements - Same-domain enforcement via
urlparse().netloccomparison
Key Classes:
| Class | Fields | Role |
|---|---|---|
Form |
url, action, method, inputs | Represents a discovered HTML form |
UrlParam |
url, params | Represents a URL with query parameters |
CrawlResult |
target, pages_visited, forms, url_params | Aggregated crawl output |
Crawler |
target, auth, max_pages, max_depth, http | Main crawler engine |
Error Handling:
- HTTP errors during page fetching are logged and skipped (BFS continues)
- Authentication failure raises
RuntimeErrorwith clear message - DVWA security configuration failure is silently ignored (target may not be DVWA)
Testability:
- Mock
HttpClientto provide canned HTML responses - Test BFS depth limiting, blacklist enforcement, form extraction independently
4.2 Module 2 — Injector (injector.py)
Purpose: Inject attack payloads into all discovered forms and URL parameters, capturing HTTP responses for analysis.
Input/Output:
| Direction | Data | Format |
|---|---|---|
| Input | Crawl results, payload files | results.json, payloads/*.txt |
| Output | Injection results with responses | injection_results.json |
Key Algorithms:
- Task generation: Cartesian product of
(vuln_type × form × payload) - Concurrent execution:
ThreadPoolExecutorwithMAX_CONCURRENT=8workers - CSRF handling: Auto-fetches fresh token for each POST injection
Payload Counts (base):
| File | Payloads | Examples |
|---|---|---|
sqli.txt |
13 | ' OR 1=1 --, ' UNION SELECT, '; DROP TABLE |
xss.txt |
12 | <script>alert(1)</script>, <img onerror=...> |
lfi.txt |
11 | ../../../../etc/passwd, php://filter/... |
DVWA Target Endpoints:
| Vuln Type | URL | Method | Parameters |
|---|---|---|---|
| sqli | /vulnerabilities/sqli/ |
GET | id |
| xss_r | /vulnerabilities/xss_r/ |
GET | name |
| xss_s | /vulnerabilities/xss_s/ |
POST | txtName, mtxMessage |
| lfi | /vulnerabilities/fi/ |
GET | page |
Error Handling:
- Individual injection failures return
None(skipped in results) - Response body truncated to 8000 characters to manage memory
4.3 Module 3 — Analyzer (analyzer.py)
Purpose: Signature-based labeling of each injection result as VULNERABLE or NOT_VULNERABLE.
Detection Logic per Type:
SQLi Detection:
IF body.count("first name:") >= 1 → VULNERABLE (data dump)
ELSE IF any SQL_ERROR_PATTERNS in body → VULNERABLE (SQL error)
ELSE → NOT_VULNERABLE
SQL_ERROR_PATTERNS (8 signatures):
you have an error in your sql syntaxmysql_fetch_array()mysql_num_rows()supplied argument is not a valid mysqlwarning: mysql_unclosed quotation markora-01756syntax error in string in query expression
XSS Detection:
IF payload.lower() in response_body → VULNERABLE (reflection)
ELSE IF any XSS_DANGEROUS_PATTERNS reflected → VULNERABLE
ELSE → NOT_VULNERABLE
LFI Detection:
IF any LFI_SIGNATURES in body → VULNERABLE
ELSE → NOT_VULNERABLE
Severity Assignment:
| Vuln Type | Severity | Rationale |
|---|---|---|
| sqli | HIGH | Direct database access, data exfiltration |
| xss_r | MEDIUM | Requires victim interaction (reflected) |
| xss_s | HIGH | Persistent, affects all users |
| lfi | HIGH | Server-side file disclosure, potential RCE |
4.4 Module 4 — ML Classifier (classifier.py)
(Detailed in Section 5)
4.5 Module 5 — Payload Generator (payload_gen.py)
Purpose: Produce WAF-bypass variants of base payloads via 6 mutation techniques to increase test coverage.
Mutation Techniques:
| # | Technique | Example | Applicability |
|---|---|---|---|
| 1 | Case alternation | OR → oR, Or |
sqli, xss (not lfi) |
| 2 | SQL comment insertion | OR 1=1 → OR/**/1=1 |
sqli only |
| 3 | Quote substitution | ' ↔ " |
sqli, xss (not lfi) |
| 4 | URL encoding | ' → %27 |
all |
| 5 | Double URL encoding | ' → %2527 |
all |
| 6 | Whitespace variation | space → tab, /**/ |
all |
Coverage Expansion:
| Type | Base | Generated | Expansion |
|---|---|---|---|
| sqli | 13 | ~208 | +530% |
| xss | 12 | ~150 | +530% |
| lfi | 11 | ~80 | +300% |
4.6 Module 6 — Reporter (reporter.py)
Purpose: Generate a professional 5-section PDF security report using fpdf2.
Report Structure:
| Section | Content | Page(s) |
|---|---|---|
| Cover | Target, date, tool name, severity summary boxes | 1 |
| Executive Summary | Statistics table by vuln type, detection rates | 1 |
| Detailed Findings | Per-vulnerability cards with severity badge | 1-N |
| Recommendations | 5 remediation steps per vuln type | 1-2 |
| Methodology | Module descriptions, disclaimer | 1 |
Severity Color Coding:
| Severity | RGB Color | Visual |
|---|---|---|
| HIGH | (192, 57, 43) | Red |
| MEDIUM | (243, 156, 18) | Orange |
| LOW | (241, 196, 15) | Yellow |
| INFO | (39, 174, 96) | Green |
5. ML Classifier Design
5.1 Feature Engineering Rationale
The classifier uses 8 purely behavioral features extracted from HTTP responses. This design was chosen after a critical revision that identified data leakage in the previous feature set.
Previous features (REMOVED — data leakage):
has_alert— directly mirrors XSS analyzer decisionhas_first_name— directly mirrors SQLi analyzer decisionpayload_in_response— directly mirrors XSS reflection check
Current 8 behavioral features:
| # | Feature | Description | Rationale |
|---|---|---|---|
| F1 | response_len |
Body length in bytes | Vulnerable responses often contain additional data (SQL dumps, file contents) |
| F2 | status_code |
HTTP status code | Error codes may indicate injection success/failure |
| F3 | payload_len |
Length of injected payload | Complex payloads may have different success rates |
| F4 | vuln_type_encoded |
sqli=0, xss=1, lfi=2 | Different vuln types have different response patterns |
| F5 | response_to_payload_ratio |
len(response)/len(payload) | Normalized response size indicator |
| F6 | has_html_tags |
1 if <html>|<body>|<div>|<p> in body |
Generic structural indicator |
| F7 | response_length_anomaly |
Deviation from per-type mean | Statistical anomaly detection |
| F8 | payload_special_chars_ratio |
Ratio of '"<>(){}[];%&| in payload |
Payload complexity metric |
5.2 Model Selection Justification
| Criterion | Random Forest | Logistic Regression | SVM | Neural Network |
|---|---|---|---|---|
| Interpretability | ✅ High | ✅ High | ⌠Low | ⌠Low |
| Feature importance | ✅ Built-in | ⌠No | ⌠No | ⌠No |
| Small dataset handling | ✅ Robust | ✅ OK | âš ï¸ Medium | ⌠Poor |
| No scaling required | ✅ Yes | ⌠No | ⌠No | ⌠No |
| Overfitting resistance | ✅ Ensemble | âš ï¸ Medium | ✅ Good | ⌠Poor |
| Training speed | ✅ Fast | ✅ Fast | âš ï¸ Medium | ⌠Slow |
Selected: Random Forest — Best balance of interpretability (critical for academic thesis), built-in feature importance, and robustness on small datasets.
Hyperparameters:
n_estimators=100— sufficient ensemble size for stabilityclass_weight="balanced"— handles class imbalance (more NOT_VULNERABLE than VULNERABLE)max_depth=10— prevents overfitting on small DVWA datasetmin_samples_leaf=2— requires minimum support per leafrandom_state=42— reproducibility
5.3 Training/Evaluation Methodology
labeled_results.json
│
â–¼
┌──────────────â”
│ Feature │ → 8 behavioral features per sample
│ Extraction │
└──────┬───────┘
│ (X, y)
â–¼
┌──────────────┠┌──────────────â”
│ Stratified │────>│ Training │ → RandomForest.fit(X_train, y_train)
│ Split 80/20 │ └──────┬───────┘
└──────┬───────┘ │
│ X_test,y_test ▼
│ ┌──────────────â”
└─────────────>│ Evaluation │ → accuracy, F1, confusion matrix
└──────────────┘
│
┌──────────────┠│
│ 5-Fold CV │◄───────────┘ (on full X, y)
└──────┬───────┘
│
â–¼
TrainingReport + model.pkl
Reported Performance on DVWA:
- Accuracy: 100% | F1-Score: 100% | CV: 1.00 ± 0.00
- Top importances:
response_len(55%),vuln_type_encoded(33.5%),payload_len(11.6%)
5.4 Limitations and Generalization Concerns
- DVWA-specific training: Model is trained exclusively on DVWA data; generalization to other applications requires retraining
- Perfect scores warning: 100% accuracy on DVWA indicates clear behavioral separation, but may not hold on more complex targets
- Feature set stability: Behavioral features depend on HTTP response characteristics that may vary across server technologies
- Minimum sample requirement: Needs ≥4 labeled samples; skipped for very small scan results
6. Database / Persistence Design
6.1 JSON File Schemas
results.json (Crawler output):
{
"target": "http://localhost:8080",
"pages_visited": 33,
"forms": [
{
"url": "http://localhost:8080/vulnerabilities/sqli/",
"action": "http://localhost:8080/vulnerabilities/sqli/",
"method": "GET",
"inputs": [
{"name": "id", "type": "text", "value": ""},
{"name": "Submit", "type": "submit", "value": "Submit"}
]
}
],
"url_params": [
{"url": "http://localhost:8080/vulnerabilities/sqli/?id=1", "params": ["id"]}
]
}
injection_results.json (Injector output):
[
{
"target_url": "http://localhost:8080/vulnerabilities/sqli/",
"method": "GET",
"vuln_type": "sqli",
"param": "id",
"payload": "' OR 1=1 --",
"status_code": 200,
"response_len": 4523,
"response_body": "<html>...First name: admin..."
}
]
labeled_results.json (Analyzer output):
[
{
"target_url": "...", "method": "GET", "vuln_type": "sqli",
"param": "id", "payload": "' OR 1=1 --",
"status_code": 200, "response_len": 4523, "response_body": "...",
"label": "VULNERABLE",
"reason": "Data dump: 5 rows returned",
"severity": "HIGH"
}
]
model.pkl (Classifier output):
{
"model": <sklearn.ensemble.RandomForestClassifier>,
"mean_response_len_per_type": {0: 4523.0, 1: 3200.0, 2: 2100.0}
}
all_payloads.json (PayloadGenerator output):
{
"sqli": {"base": 13, "generated": 208, "added": 195, "payloads": ["...", "..."]},
"xss": {"base": 12, "generated": 150, "added": 138, "payloads": ["..."]},
"lfi": {"base": 11, "generated": 80, "added": 69, "payloads": ["..."]}
}
6.2 Results Directory Structure
IntelliScan/
├── results/
│ ├── results.json # Crawler output
│ ├── injection_results.json # Injector output
│ ├── labeled_results.json # Analyzer output
│ ├── all_payloads.json # PayloadGenerator output
│ └── report.pdf # Reporter output
├── models/
│ └── model.pkl # Trained RF model (joblib)
└── payloads/
├── sqli.txt # 13 base SQLi payloads
├── xss.txt # 12 base XSS payloads
└── lfi.txt # 11 base LFI payloads
7. Interface Design
7.1 CLI Interface (Click + Rich)
Command Structure:
intelliscan [OPTIONS] COMMAND [ARGS]
Options:
-v, --verbose Enable debug logging
--version Show version and exit
--help Show help message
Commands:
scan Run the full 6-module scan pipeline
crawl Run the crawler only
train Train the ML classifier on labeled data
generate-payloads Apply 6 mutation techniques to base payloads
Scan Command Options:
| Option | Type | Default | Description |
|---|---|---|---|
--target |
STRING | (required) | Target URL |
--auth |
STRING | None | Credentials user:password |
--report |
STRING | report.pdf |
PDF output path |
--no-ml |
FLAG | False | Skip ML classifier |
--discord |
STRING | None | Discord webhook URL |
--no-tls-verify |
FLAG | False | Disable TLS verification |
CLI Output Example:
â•──────────────────────────────────────────╮
│ IntelliScan v1.0.0 │
│ AI-Powered Web Vulnerability Scanner │
│ SQLi | XSS | LFI | Random Forest ML │
╰──────────────────────────────────────────╯
Scan Summary
┌──────────────────┬───────────────â”
│ Metric │ Value │
├──────────────────┼───────────────┤
│ Target │ localhost:8080│
│ Duration │ 45.2s │
│ Pages crawled │ 33 │
│ Forms found │ 12 │
│ Injections │ 144 │
│ Vulnerabilities │ 38 / 144 │
│ ML Accuracy │ 100.0% │
│ PDF Report │ report.pdf │
└──────────────────┴───────────────┘
Findings by Type
┌──────┬────────┬────────────┬──────â”
│ Type │ Tested │ Vulnerable │ Rate │
├──────┼────────┼────────────┼──────┤
│ SQLI │ 52 │ 13 │ 100% │
│ XSS_R│ 48 │ 12 │ 100% │
│ XSS_S│ 48 │ 12 │ 100% │
│ LFI │ 44 │ 1 │ 10% │
└──────┴────────┴────────────┴──────┘
7.2 Web Dashboard (Flask)
Planned Endpoints:
| Endpoint | Method | Description |
|---|---|---|
/ |
GET | Dashboard home with scan history |
/scan |
POST | Trigger a new scan |
/scan/<id> |
GET | View scan results |
/api/scan |
POST | REST API — start scan |
/api/results/<id> |
GET | REST API — fetch results JSON |
Dashboard Visualizations (Chart.js):
- Pie chart: vulnerability distribution by type
- Bar chart: detection rates per vuln type
- Timeline: scan history with severity trends
- Gauge: ML confidence score
7.3 PDF Report Layout
┌─────────────────────────────────────────â”
│ PAGE 1 — COVER │
│ │
│ IntelliScan Security Report │
│ AI-Powered Vulnerability Assessment │
│ │
│ ┌─────────────────────────────────┠│
│ │ Target: http://localhost:8080 │ │
│ │ Date: 2026-05-11T19:00:00 │ │
│ │ Tool: IntelliScan v1.0 │ │
│ └─────────────────────────────────┘ │
│ │
│ Findings by severity │
│ ┌──────┠┌──────┠┌──────┠┌──────┠│
│ │ HIGH │ │MEDIUM│ │ LOW │ │ INFO │ │
│ │ 26 │ │ 12 │ │ 0 │ │ 0 │ │
│ │ RED │ │ORANGE│ │YELLOW│ │GREEN │ │
│ └──────┘ └──────┘ └──────┘ └──────┘ │
└─────────────────────────────────────────┘
┌─────────────────────────────────────────â”
│ PAGE 2 — EXECUTIVE SUMMARY │
│ │
│ ┌──────┬──────┬──────┬──────┬──────┠│
│ │ Type │Tested│ Vuln │ Rate │ Sev │ │
│ ├──────┼──────┼──────┼──────┼──────┤ │
│ │ SQLI │ 52 │ 13 │ 100% │ HIGH │ │
│ │ XSS_R│ 48 │ 12 │ 100% │MEDIUM│ │
│ │ XSS_S│ 48 │ 12 │ 100% │ HIGH │ │
│ │ LFI │ 44 │ 1 │ 10% │ HIGH │ │
│ └──────┴──────┴──────┴──────┴──────┘ │
└─────────────────────────────────────────┘
┌─────────────────────────────────────────â”
│ PAGE 3+ — DETAILED FINDINGS │
│ │
│ ┌─────┠Finding #1 — SQLI │
│ │ HIGH│ │
│ └─────┘ │
│ URL: /vulnerabilities/sqli/ │
│ Method: GET │
│ Param: id │
│ Payload: ' OR 1=1 -- │
│ Reason: Data dump: 5 rows returned │
│ Status: 200 │
│ Resp: 4523 bytes │
│ │
│ (repeated for each vulnerability) │
└─────────────────────────────────────────┘
┌─────────────────────────────────────────â”
│ PAGE N — RECOMMENDATIONS │
│ │
│ For SQLI vulnerabilities: │
│ • Use prepared statements (PDO) │
│ • Apply ORM frameworks │
│ • Deploy WAF with SQLi rules │
│ • Input validation (whitelist) │
│ • Least-privilege DB accounts │
└─────────────────────────────────────────┘
┌─────────────────────────────────────────â”
│ PAGE N+1 — METHODOLOGY │
│ │
│ • Crawler: BFS + CSRF handling │
│ • Injector: GET/POST concurrent │
│ • Analyzer: Signature-based detection │
│ • ML: Random Forest (100 trees) │
│ • Payload Gen: 6 mutation techniques │
│ • Reporter: Professional PDF │
│ │
│ Disclaimer: authorized testing only │
└─────────────────────────────────────────┘
7.4 Discord Notification Format
â•”â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•—
â•‘ IntelliScan: scan complete â•‘
â• â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•£
â•‘ Target: localhost:8080 â•‘
â•‘ Duration: 45.2s â•‘
â• â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•£
║ SQLI: 13 │ XSS_R: 12 │ LFI: 1 ║
â• â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•£
â•‘ Color: RED (vulnerabilities found) â•‘
â•‘ Footer: IntelliScan v1.0 â•‘
╚â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•
8. Security & Ethical Design
8.1 Authorization Model
IntelliScan operates under a strict authorization-first model:
- No default target: The
--targetflag is mandatory; no automatic scanning - User-Agent identification: Every request is tagged with
IntelliScan/1.0 - Credential handling: Auth credentials are passed via CLI, never stored on disk
- Session isolation: Each scan creates a new
requests.Session, closed after scan
8.2 Rate Limiting and Responsible Scanning
| Control | Value | Purpose |
|---|---|---|
RATE_LIMIT_DELAY |
0.1s | Minimum inter-request delay |
MAX_CONCURRENT |
8 | Thread pool worker limit |
MAX_PAGES |
200 | Maximum pages crawled |
MAX_CRAWL_DEPTH |
5 | Maximum BFS depth |
RESPONSE_BODY_TRUNCATE |
8000 | Memory protection |
DEFAULT_TIMEOUT |
10s | Request timeout |
| Retry backoff | 0.5s exponential | Avoids flooding on errors |
8.3 Data Handling
- Scan results may contain sensitive data (SQL dumps, file contents). Results are stored locally in
results/with no automatic transmission - Model files (
model.pkl) contain only statistical model weights, no raw data - PDF reports may contain payload/response excerpts; treat as confidential
- Discord notifications transmit only aggregate counts, never raw payloads
8.4 Legal Compliance
| Regulation | Applicability | IntelliScan Compliance |
|---|---|---|
| Loi 09-08 (Morocco) | Processing scan data containing PII | Results stored locally; user responsible for data retention policy |
| RGPD/GDPR (EU) | Scanning EU-hosted targets | No personal data collected beyond HTTP responses; data minimization via truncation |
| CFAA (US) | Unauthorized computer access | Tool requires explicit --target and --auth; documentation mandates written authorization |
| Computer Misuse Act (UK) | Unauthorized access | Same as CFAA compliance |
9. Test Strategy
9.1 Unit Test Coverage Plan
| Module | Test File | Key Tests | Coverage Target |
|---|---|---|---|
| Analyzer | test_analyzer.py |
SQLi detection, XSS reflection, LFI signatures, severity mapping | >90% |
| Classifier | test_classifier.py |
Feature extraction, training on mock data, model persistence | >85% |
| Payload Gen | test_payload_gen.py |
Each mutation technique, deduplication, type-specific filtering | >90% |
| Reporter | test_reporter.py |
PDF generation, section creation, sanitization | >80% |
| Crawler | (planned) | BFS traversal, form extraction, blacklist, same-domain | >85% |
| Injector | (planned) | Task building, concurrent execution, CSRF handling | >80% |
9.2 Integration Test Strategy
Docker-based integration testing:
┌────────────┠HTTP ┌──────────â”
│ IntelliScan│ ◄──────────────►│ DVWA │
│ (pytest) │ port 8080 │ (Docker) │
└────────────┘ └──────────┘
- Start DVWA via Docker Compose
- Run full scan pipeline against
http://localhost:8080 - Verify: crawl discovers ≥4 forms, injector produces results, analyzer labels correctly
- Verify: ML trains with accuracy ≥90%, report PDF is generated
9.3 Test Fixtures (conftest.py)
| Fixture | Content | Used By |
|---|---|---|
sample_injection_results |
4 mock injection entries (2 sqli, 1 xss, 1 lfi) | Analyzer, Classifier |
sample_labeled_results |
4 labeled entries (2 VULNERABLE, 2 NOT_VULNERABLE) | Classifier, Reporter |
9.4 CI/CD Pipeline (GitHub Actions)
# .github/workflows/ci.yml
Strategy:
matrix:
python-version: [3.10, 3.11, 3.12]
Steps:
1. Checkout code
2. Setup Python ${{ matrix.python-version }}
3. Install dependencies (pip install -e .[dev])
4. Run linters (ruff check, black --check, mypy)
5. Run unit tests (pytest --cov=intelliscan --cov-report=xml)
6. Upload coverage report
7. Build Docker image (docker build .)
10. Deployment Design
10.1 Docker Compose Architecture
┌─────────────────────────────────────────────────────────â”
│ Docker Compose Network │
│ (intelliscan-net, bridge) │
│ │
│ ┌─────────────────────┠┌─────────────────────┠│
│ │ intelliscan │ │ dvwa │ │
│ │ │ │ │ │
│ │ Python 3.10+ │ │ Apache + PHP │ │
│ │ Flask :5000 ◄──────┼───┼── :80 (ext :8080) │ │
│ │ CLI (Click) │ │ MySQL embedded │ │
│ │ │ │ │ │
│ │ Volumes: │ │ Image: │ │
│ │ ./results:/app/res │ │ vulnerables/ │ │
│ │ ./models:/app/mod │ │ web-dvwa:latest │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ :5000 :8080 │
└─────────┬───────────────────────────┬───────────────────┘
│ │
Host port 5000 Host port 8080
10.2 Environment Variables
| Variable | Default | Description |
|---|---|---|
INTELLISCAN_TIMEOUT |
10 |
HTTP request timeout (seconds) |
INTELLISCAN_RESULTS |
./results |
Results directory path |
10.3 Volume Mounts
| Host Path | Container Path | Purpose |
|---|---|---|
./results |
/app/results |
Persist scan results between container restarts |
./models |
/app/models |
Persist trained ML models |
10.4 Scaling Considerations
- Horizontal: v3.0 roadmap includes Celery + Redis distributed scanning
- Vertical:
MAX_CONCURRENTadjustable from 1 to 32 workers - Storage: JSON files are stateless; multiple scan runs can coexist with unique filenames
11. Technology Choices Justification
11.1 Python 3.10+
| Reason | Detail |
|---|---|
| Type hints | Full PEP 604 union syntax (str | None), PEP 585 generics |
| Match statement | PEP 634 structural pattern matching (future use) |
| Ecosystem | scikit-learn, requests, BeautifulSoup — mature, well-documented |
| Academic context | Most taught language in cybersecurity curricula |
11.2 Random Forest (scikit-learn)
| Reason | Detail |
|---|---|
| Interpretability | feature_importances_ enables academic analysis |
| No scaling required | Tree-based models handle heterogeneous features natively |
| Ensemble robustness | 100 trees reduce variance vs single decision tree |
| Balanced class weights | Built-in handling of class imbalance |
| Reproducibility | random_state=42 ensures deterministic results |
11.3 fpdf2
| Reason | Detail |
|---|---|
| Pure Python | No system dependencies (unlike ReportLab, WeasyPrint) |
| Lightweight | ~200KB package, no C extensions |
| Sufficient features | Tables, colored cells, multi-cell, header/footer hooks |
| License | LGPL — compatible with MIT project license |
11.4 Flask
| Reason | Detail |
|---|---|
| Lightweight | Minimal framework, ideal for prototype dashboard |
| Familiar | Widely used in academic projects |
| REST-friendly | Easy API endpoint creation for future integrations |
| Jinja2 templates | Built-in templating for dashboard views |
11.5 Click + Rich
| Reason | Detail |
|---|---|
| Click | Decorator-based CLI definition, automatic help generation, type validation |
| Rich | Colored output, tables, progress bars, tracebacks — professional DX |
| Combination | RichHandler integrates logging with Rich console output |
12. Limitations & Future Work
12.1 Current Limitations
| # | Limitation | Impact | Mitigation |
|---|---|---|---|
| 1 | LFI detection: ~10% on DVWA | PHP realpath() in Docker blocks traversal |
Higher rates on production configs; expand LFI signatures |
| 2 | ML trained on DVWA only | Model may not generalize to other apps | Retrain on diverse datasets; transfer learning in v2.0 |
| 3 | Hardcoded DVWA_FORMS | Fallback forms specific to DVWA endpoints | Crawler dynamically discovers forms in real scans |
| 4 | No blind SQLi | Time-based and boolean-based SQLi not detected | Planned for v1.1 |
| 5 | No DOM XSS | Client-side JavaScript execution not analyzed | Selenium-based detection in v2.0 |
| 6 | Single-machine only | No distributed scanning capability | Celery + Redis in v3.0 |
12.2 Roadmap
v1.1 — Extended Detection (Near-term)
- CSRF detection module
- Command Injection detection
- SSRF detection
- GraphQL endpoint support
- OAuth2/JWT authentication
- Blind SQLi (time-based inference)
v2.0 — Advanced ML (Medium-term)
- LSTM sequence classifier for payload/response analysis
- Active learning loop: analyst labels → model retraining
- DOM XSS detection via Selenium headless browser
- CI/CD plugins: GitHub Action, Jenkins plugin
- Multi-target scanning with priority queue
v3.0 — Enterprise Scale (Long-term)
- Distributed scanning with Celery + Redis task queue
- CVE knowledge base integration (NVD, MITRE)
- Auto-remediation suggestions via LLM (GPT-4 / local models)
- Web-based management console with user roles
- Compliance report templates (PCI-DSS, SOC 2)
Appendix A — Generating Architecture Diagrams
All diagrams referenced in this document can be generated as high-resolution PNG files using the provided script.
Prerequisites:
pip install matplotlib graphviz
Additionally install the Graphviz system package:
- Windows:
winget install graphvizor download from https://graphviz.org/download/ - Linux:
sudo apt install graphviz - macOS:
brew install graphviz
Generate all diagrams:
python docs/generate_diagrams.py
Output files in docs/images/:
| File | Diagram |
|---|---|
01_pipeline_diagram.png |
6-module sequential pipeline |
02_dependency_graph.png |
Module dependency graph |
03_data_flow_diagram.png |
Data flow between modules |
04_ml_feature_importance.png |
RF feature importance bar chart |
05_class_diagram.png |
Class/component UML diagram |
06_deployment_diagram.png |
Docker Compose architecture |
07_ml_training_flow.png |
ML training & evaluation pipeline |
08_mutation_pipeline.png |
Payload mutation techniques |
If Graphviz is not installed, DOT source files (.dot) are saved for manual rendering.
Appendix B — References
- OWASP Top 10 (2021). https://owasp.org/Top10/
- Breiman, L. (2001). Random forests. Machine Learning, 45(1), 5-32.
- DVWA — Damn Vulnerable Web Application. https://github.com/digininja/DVWA
- scikit-learn documentation. https://scikit-learn.org/stable/
- fpdf2 documentation. https://py-pdf.github.io/fpdf2/
- Click documentation. https://click.palletsprojects.com/
- Rich documentation. https://rich.readthedocs.io/
Document generated for the Master's thesis (PFE) at Ibn Tofail University, Kenitra, Morocco.
Supervisor: Pr. Youssef FAKHRI — Academic year 2025–2026.