# IntelliScan — Conception & Design Document **Project:** IntelliScan — AI-Powered Web Vulnerability Scanner **Version:** 1.0.0 **Author:** SABKARI Mohamed **Institution:** Ibn Tofail University, Kenitra, Morocco **Academic Context:** Master's Thesis (PFE) — Cybersecurity & AI, 2025–2026 **Supervisor:** Pr. Youssef FAKHRI **License:** MIT **Date:** May 2026 --- ## Table of Contents 1. [Project Overview](#1-project-overview) 2. [Functional Requirements](#2-functional-requirements) 3. [System Architecture](#3-system-architecture) 4. [Detailed Module Design](#4-detailed-module-design) 5. [ML Classifier Design](#5-ml-classifier-design) 6. [Database / Persistence Design](#6-database--persistence-design) 7. [Interface Design](#7-interface-design) 8. [Security & Ethical Design](#8-security--ethical-design) 9. [Test Strategy](#9-test-strategy) 10. [Deployment Design](#10-deployment-design) 11. [Technology Choices Justification](#11-technology-choices-justification) 12. [Limitations & Future Work](#12-limitations--future-work) --- ## 1. Project Overview ### 1.1 Problem Statement Web application vulnerabilities remain one of the most exploited attack vectors in cybersecurity. According to the OWASP Top 10 (2021), injection flaws (SQLi), Cross-Site Scripting (XSS), and insecure file handling (LFI) consistently rank among the most critical threats. Existing vulnerability scanners present several limitations: | Scanner | Limitation | |---------|-----------| | **OWASP ZAP** | Complex UI, steep learning curve, no ML-based detection | | **Burp Suite** | Commercial license required for advanced features | | **Nikto** | Signature-only, no adaptive classification | | **SQLMap** | Single vulnerability type (SQLi only) | | **w3af** | Discontinued maintenance, outdated engine | **IntelliScan** addresses these gaps by combining **signature-based detection** with **machine learning classification** in a unified, open-source, modular pipeline. The dual-approach design provides both the reliability of known-pattern matching and the adaptability of behavioral ML classification. ### 1.2 Objectives and Scope **Primary Objectives:** 1. Automate authenticated crawling and vulnerability detection for SQLi, XSS, and LFI 2. Provide a dual detection engine (signature + Random Forest ML) to improve detection confidence 3. Generate professional PDF reports suitable for stakeholder communication 4. Offer a modular, extensible architecture enabling future vulnerability type additions **Scope Boundaries:** - **In scope:** SQLi, reflected XSS, stored XSS, LFI on HTTP/HTTPS targets - **Out of scope (v1.0):** CSRF, SSRF, command injection, blind SQLi, DOM XSS, API fuzzing ### 1.3 Target Users | Actor | Profile | Use Case | |-------|---------|----------| | **Penetration Tester** | Security professional with CLI experience | Authorized vulnerability assessments | | **Developer** | Web developer integrating security into CI/CD | Pre-deployment security checks | | **Academic Researcher** | Student/professor studying ML-based detection | Benchmarking detection algorithms | | **Security Auditor** | Compliance officer reviewing application security | Generating audit evidence (PDF reports) | ### 1.4 Ethical and Legal Framework IntelliScan is designed exclusively for **authorized security testing**. The tool enforces: - **Explicit consent requirement:** Users must have written authorization before scanning - **Identification header:** All HTTP requests include `User-Agent: IntelliScan/1.0` - **Rate limiting:** 0.1s delay between requests to minimize target impact - **Scope restriction:** Crawler enforces same-domain policy and blacklists sensitive paths **Legal compliance:** - **Morocco — Loi 09-08:** Data protection for scan results containing PII - **EU — RGPD/GDPR:** Applicable when scanning EU-hosted targets - **US — CFAA:** Unauthorized access prohibition; IntelliScan requires explicit authorization - **Responsible Disclosure:** Tool documentation recommends coordinated disclosure practices --- ## 2. Functional Requirements ### 2.1 Use Cases ``` ┌──────────────────────────────────────────────────────────────┠│ IntelliScan System │ │ │ │ ┌─────────┠┌──────────────────────────────────────┠│ │ │ Security │───>│ UC-01: Run Full Scan Pipeline │ │ │ │ Analyst │ └──────────────────────────────────────┘ │ │ │ │ ┌──────────────────────────────────────┠│ │ │ │───>│ UC-02: Crawl Target Only │ │ │ │ │ └──────────────────────────────────────┘ │ │ │ │ ┌──────────────────────────────────────┠│ │ │ │───>│ UC-03: Train ML Classifier │ │ │ │ │ └──────────────────────────────────────┘ │ │ │ │ ┌──────────────────────────────────────┠│ │ │ │───>│ UC-04: Generate Payload Variants │ │ │ │ │ └──────────────────────────────────────┘ │ │ │ │ ┌──────────────────────────────────────┠│ │ │ │───>│ UC-05: View PDF Report │ │ │ └─────────┘ └──────────────────────────────────────┘ │ │ │ │ ┌─────────┠┌──────────────────────────────────────┠│ │ │ CI/CD │───>│ UC-06: Automated Scan (CLI) │ │ │ │ Pipeline│ └──────────────────────────────────────┘ │ │ └─────────┘ │ │ │ │ ┌─────────┠┌──────────────────────────────────────┠│ │ │ Discord │<───│ UC-07: Receive Scan Notification │ │ │ │ Channel │ └──────────────────────────────────────┘ │ │ └─────────┘ │ └──────────────────────────────────────────────────────────────┘ ``` ### 2.2 Functional Requirements per Module #### Module 1 — Crawler | ID | Requirement | Priority | |----|-------------|----------| | FR-CRAWL-01 | Authenticate via POST /login.php with CSRF token extraction | Must | | FR-CRAWL-02 | Set DVWA security level to "low" automatically | Must | | FR-CRAWL-03 | BFS traversal with configurable MAX_DEPTH (default=5) | Must | | FR-CRAWL-04 | Limit to MAX_PAGES (default=200) to prevent infinite crawling | Must | | FR-CRAWL-05 | Extract HTML forms with action, method, input names/types/values | Must | | FR-CRAWL-06 | Extract URL query parameters from discovered pages | Must | | FR-CRAWL-07 | Enforce same-domain policy (no off-site crawling) | Must | | FR-CRAWL-08 | Blacklist sensitive paths (/logout.php, /setup.php, /.git/, /.env) | Must | | FR-CRAWL-09 | Output results.json with structured crawl data | Must | #### Module 2 — Injector | ID | Requirement | Priority | |----|-------------|----------| | FR-INJ-01 | Load payloads from payloads/ directory (sqli.txt, xss.txt, lfi.txt) | Must | | FR-INJ-02 | Support GET and POST injection methods | Must | | FR-INJ-03 | Concurrent injection via ThreadPoolExecutor (MAX_CONCURRENT=8) | Must | | FR-INJ-04 | Auto-fetch CSRF token for POST forms (user_token) | Must | | FR-INJ-05 | Capture status_code, response_len, response_body (truncated 8000 chars) | Must | | FR-INJ-06 | Support DVWA_FORMS fallback definitions for 4 endpoints | Should | | FR-INJ-07 | Output injection_results.json | Must | #### Module 3 — Analyzer | ID | Requirement | Priority | |----|-------------|----------| | FR-ANAL-01 | Detect SQLi via "first name:" count and SQL_ERROR_PATTERNS (8 patterns) | Must | | FR-ANAL-02 | Detect XSS via payload reflection check and XSS_DANGEROUS_PATTERNS | Must | | FR-ANAL-03 | Detect LFI via LFI_SIGNATURES (root:x:0:0, /bin/bash, etc.) | Must | | FR-ANAL-04 | Assign severity: sqli=HIGH, xss_r=MEDIUM, xss_s=HIGH, lfi=HIGH | Must | | FR-ANAL-05 | Label each result as VULNERABLE or NOT_VULNERABLE with reason | Must | | FR-ANAL-06 | Output labeled_results.json | Must | #### Module 4 — ML Classifier | ID | Requirement | Priority | |----|-------------|----------| | FR-ML-01 | Extract 8 behavioral features (no data leakage) | Must | | FR-ML-02 | Train RandomForestClassifier (100 trees, balanced, max_depth=10) | Must | | FR-ML-03 | 80/20 stratified train-test split | Must | | FR-ML-04 | 5-fold cross-validation with F1-weighted scoring | Must | | FR-ML-05 | Persist model + mean_response_len_per_type via joblib | Must | | FR-ML-06 | Require minimum 4 samples to train | Must | | FR-ML-07 | Produce TrainingReport with metrics and feature importances | Must | #### Module 5 — Payload Generator | ID | Requirement | Priority | |----|-------------|----------| | FR-GEN-01 | Case alternation mutation (not for LFI) | Must | | FR-GEN-02 | SQL comment insertion (sqli only) | Must | | FR-GEN-03 | Quote substitution ' ↔ " (not for LFI) | Must | | FR-GEN-04 | URL encoding (urllib.parse.quote) | Must | | FR-GEN-05 | Double URL encoding | Must | | FR-GEN-06 | Whitespace variation (double space, tab, /**/) | Must | | FR-GEN-07 | Deduplicate generated variants | Must | #### Module 6 — Reporter | ID | Requirement | Priority | |----|-------------|----------| | FR-REP-01 | Cover page with target, date, severity summary boxes | Must | | FR-REP-02 | Executive summary with statistics table by vuln type | Must | | FR-REP-03 | Detailed findings with severity badge, URL, payload, reason | Must | | FR-REP-04 | Remediation recommendations (5 per vuln type) | Must | | FR-REP-05 | Methodology & disclaimer section | Must | | FR-REP-06 | Output report.pdf using fpdf2 | Must | ### 2.3 Non-Functional Requirements | ID | Category | Requirement | Target | |----|----------|-------------|--------| | NFR-01 | **Performance** | Complete full scan of DVWA in < 5 minutes | < 300s | | NFR-02 | **Performance** | Concurrent injection with 8 workers | 4-8x speedup | | NFR-03 | **Reliability** | Retry failed HTTP requests (3 retries, exponential backoff) | 99% delivery | | NFR-04 | **Security** | Rate limit requests to 0.1s minimum interval | Responsible scanning | | NFR-05 | **Portability** | Run on Python 3.10+ across Windows, Linux, macOS | Cross-platform | | NFR-06 | **Portability** | Docker Compose deployment with DVWA test target | One-command setup | | NFR-07 | **Maintainability** | Modular pipeline architecture (6 independent modules) | Low coupling | | NFR-08 | **Maintainability** | >80% unit test coverage | pytest-cov | | NFR-09 | **Usability** | Rich CLI output with colored tables and progress | Developer UX | | NFR-10 | **Extensibility** | JSON intermediate files enable module replacement | Plugin-ready | ## 3. System Architecture ### 3.1 High-Level Pipeline Diagram ``` ┌─────────────┠┌─────────────┠┌─────────────┠│ TARGET │ │ PAYLOADS │ │ CONFIG │ │ Web App │ │ sqli.txt │ │ config.py │ │ (DVWA) │ │ xss.txt │ │ Constants │ └──────┬───────┘ │ lfi.txt │ └──────┬───────┘ │ └──────┬──────┘ │ ▼ │ │ ┌──────────────┠│ ┌─────────▼────────┠│ MODULE 1 │ │ │ HttpClient │ │ Crawler │◄───────────┼─────────│ (Session, │ │ BFS + Auth │ │ │ Retry, CSRF) │ └──────┬───────┘ │ └──────────────────┘ │ │ ▼ results.json │ ┌──────────────┠│ │ MODULE 2 │◄───────────┘ │ Injector │ │ GET / POST │ └──────┬───────┘ │ ▼ injection_results.json ┌──────────────┠│ MODULE 3 │ │ Analyzer │ │ Signatures │ └──────┬───────┘ │ ▼ labeled_results.json ┌────┴─────────────────┠│ │ ▼ ▼ ┌──────────────┠┌──────────────┠│ MODULE 4 │ │ MODULE 6 │ │ ML Class. │ │ Reporter │ │ Rand Forest │ │ PDF (fpdf2) │ └──────┬───────┘ └──────┬───────┘ │ │ ▼ ▼ model.pkl report.pdf ┌──────────────┠│ MODULE 5 │ (independent — can run standalone) │ Payload Gen │ │ 6 Mutations │ └──────┬───────┘ │ ▼ all_payloads.json ``` > **Note:** Generate high-resolution PNG versions with `python docs/generate_diagrams.py` ### 3.2 Module Dependency Graph ``` ┌─────────────────┠│ __main__.py │ │ CLI (Click) │ └────────┬────────┘ │ ┌────────▼────────┠│ core.py │ │ IntelliScan │ └────────┬────────┘ │ ┌───────┬───────┬───┼───┬───────┬───────┠▼ ▼ ▼ │ ▼ ▼ ▼ crawler injector anal │ classif pgen reporter .py .py .py │ .py .py .py │ │ │ │ │ │ │ ▼ ▼ │ │ │ │ │ http_client.py │ │ │ │ │ ▼ ▼ ▼ ▼ ▼ ┌──────────────────────────┠│ config.py │ │ (All constants, Final) │ └──────────────────────────┘ ``` ### 3.3 Component Interaction Description The **IntelliScan** orchestrator (`core.py`) implements the **Pipeline** design pattern: 1. **Crawler** authenticates and explores the target via BFS, producing a site map 2. **Injector** reads discovered forms/params and delivers payloads concurrently 3. **Analyzer** applies signature-based heuristics to label each injection result 4. **ML Classifier** trains a Random Forest on the labeled data for secondary classification 5. **Payload Generator** produces WAF-bypass variants (runs independently) 6. **Reporter** compiles all findings into a professional PDF report **Key design principles:** - **Loose coupling:** Modules communicate exclusively via JSON files - **Single responsibility:** Each module has one clearly defined role - **Fail-safe orchestration:** ML training is skipped if <4 samples; individual module failures don't crash the pipeline --- ## 4. Detailed Module Design ### 4.1 Module 1 — Crawler (`crawler.py`) **Purpose:** Authenticated BFS exploration of the target web application to discover all injectable forms and URL parameters. **Input/Output:** | Direction | Data | Format | |-----------|------|--------| | Input | Target URL, optional credentials (user:password) | CLI arguments | | Output | Site map with forms and URL params | `results.json` | **Key Algorithms:** - **BFS traversal** using `collections.deque` with `(url, depth)` tuples - **CSRF token extraction** via BeautifulSoup parsing of `input[name=user_token]` - **Form extraction** parsing `