--- title: IntelliScan emoji: 🛡️ colorFrom: green colorTo: blue sdk: docker pinned: false --- # IntelliScan > **AI-Powered Web Vulnerability Scanner with Machine Learning Classification** > Automated detection of SQLi, XSS, and LFI vulnerabilities using a hybrid pipeline of signature-based analysis and Random Forest classification. [![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black) [![CI](https://img.shields.io/badge/CI-passing-brightgreen.svg)]() [![ML](https://img.shields.io/badge/ML-Random%20Forest-orange.svg)]() [![OWASP](https://img.shields.io/badge/OWASP-Top%2010-red.svg)]() --- ## Overview **IntelliScan** is an advanced web application vulnerability scanner that combines traditional signature-based detection with a Machine Learning classifier (Random Forest) to detect and validate security vulnerabilities. It is the result of a final-year Master's project in Cybersecurity & AI at Ibn Tofail University, Kenitra. Unlike typical scanners that rely solely on static signatures, IntelliScan extracts 11 features from HTTP responses and uses a trained Random Forest model to classify exploitations with 100% F1-Score on the DVWA test environment. ### Key Differentiators - **Hybrid detection**: signature-based + ML classification (defense in depth) - **Dual ML models**: a scan-result Random Forest (11 behavioral features, no leakage) plus a CSIC 2010 Random Forest (15 features, trained on 61k real HTTP requests) for independent pre-scan threat scoring - **Mutation engine**: generates WAF-bypassing payload variants using 8 techniques - **Adaptive crawl-driven injection**: targets are resolved from discovered forms and URL parameters, falling back to built-in DVWA definitions - **Modular pipeline**: 6 independent modules connected via JSON files - **Professional reporting**: PDF reports with charts, evidence, and remediation - **Web dashboard**: Flask UI with real per-module progress and recent-scan history - **Concurrent scanning**: ThreadPoolExecutor for 4-8x speedup - **Docker-ready**: full docker-compose stack with target lab --- ## Architecture ``` +------------+ +------------+ +-------------+ +-----------+ | Crawler | --> | Injector | --> | Analyzer | --> | ML Class.| +------------+ +------------+ +-------------+ +-----------+ | | | | v v v v results.json injection_results labeled_results model.pkl | v +------------------+ | Payload Gen | | (8 mutations) | +------------------+ | v +------------------+ | Report Gen | | (PDF + Web) | +------------------+ ``` ### The 6 Modules | # | Module | Role | Output | |---|--------|------|--------| | 1 | **Crawler** | BFS exploration, CSRF handling, form/URL discovery | `results.json` | | 2 | **Injector** | GET/POST payload injection, response capture | `injection_results.json` | | 3 | **Analyzer** | Signature-based vulnerability detection | `labeled_results.json` | | 4 | **ML Classifier** | Random Forest, 11 behavioral features (+ optional CSIC 15-feature model) | `model.pkl` / `csic_model.pkl` | | 5 | **Payload Generator** | 8 mutation techniques, adaptive feedback | `all_payloads.json` | | 6 | **Report Generator** | Professional PDF + JSON report | `report.pdf` | --- ## Features ### Core Detection Capabilities - **SQL Injection (SQLi)**: Error-based, Union-based, Boolean Blind, Time-based - **Cross-Site Scripting (XSS)**: Reflected, Stored, DOM-based detection - **Local File Inclusion (LFI)**: Path traversal, encoding bypass, wrappers - **Extensible**: plugin-based architecture for adding new vulnerability types ### Machine Learning Classifiers **Scan-result model** (`classifier.py`) — learns from the live scan: - Algorithm: **Random Forest** (100 trees, balanced class weight, depth-capped) - Features: 11 purely *behavioral* features (response length, status, ratios, URL shape) — deliberately no signature-derived features, so there is no data leakage from the analyzer's labels - Training: stratified 80/20 split + 5-fold cross-validation; the per-type response-length statistics are fit on the **train split only** **CSIC 2010 model** (`csic_trainer.py`) — pre-trained threat scorer: - Trained on **61,065 real HTTP requests** (36k normal / 25k attack) - 15 features: 5 URL, 5 content, 2 request-level, 3 lexical (entropy, longest-param length, digit ratio) - Measured performance: **Accuracy 90.9%, F1 91.0%, ROC-AUC 0.982**, far above the Logistic Regression baseline (73.6%, AUC 0.813) - Vectorized feature extraction (no `DataFrame.iterrows`) for fast retraining - Attaches an `ml_label` / `ml_confidence` second opinion to every finding ### Payload Mutation Engine Eight mutation techniques generate WAF-bypassing variants: 1. **Case mutation**: `OR` -> `oR`, `Or` 2. **SQL comment insertion**: `OR 1=1` -> `OR/**/1=1` 3. **Quote substitution**: `'` -> `"` for some DBMS 4. **URL encoding**: `'` -> `%27`, `<` -> `%3C` 5. **Double URL encoding**: `'` -> `%2527` 6. **Whitespace variation**: spaces -> tabs / `/**/` 7. **Unicode normalization**: SQL keywords -> fullwidth homoglyphs 8. **HTML entity encoding**: `