Skip to content

khaled-muhammad/v8_scanner

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

7 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

V-8 Scanner

V-8 Scanner

V-8 Scanner is an AI-augmented web vulnerability scanner. It discovers, tests, and reports security flaws in web applications using a mix of traditional scanning, WAF evasion, and optional LLM-based validation. Built as a research project to explore whether adaptive scanning plus AI validation can cut down noise while keeping critical findings.

BASEF 2026 β€” 1st Place. This project won first place at the British Academy of Science and Engineering Fair (BASEF) 2026 and will represent Egypt at the International Science and Engineering Fair (ISEF) 2026 in Phoenix, Arizona.


What it does

  • 11 vulnerability modules β€” SQLi, XSS, RCE, LFI, SSRF, IDOR, JWT, CSRF, broken access control, HTTP smuggling, open redirect
  • Dynamic discovery β€” HTML crawl, JavaScript endpoint extraction, API schema detection
  • WAF evasion β€” 25+ WAF profiles, polyglot payloads, TLS fingerprinting, adaptive technique switching
  • AI Brain (optional) β€” Scan planning, payload crafting, response analysis, chain detection. Works fine without it.
  • Output β€” JSON and HTML reports with CVSS scores, remediation notes, and curl-ready evidence

On an authorized test run against a deliberately vulnerable target, V-8 reported 100 raw findings. After AI validation, that dropped to 41 validated findings with 53 duplicates and 6 false positives removed (59% noise reduction), while keeping high-impact issues like SQLi, RCE, SSRF, and XSS.


Comparisons

Capability vs. ZAP, Nikto, Burp

Capability ZAP Nikto Burp V-8
FP elimination via AI No No No Yes
Local LLM (privacy-first) No No No Yes
WAF / Cloudflare bypass No No Ltd 25+ profiles
TLS fingerprint mimicry No No No Yes
Executive report generation No No Manual Auto
Autonomous agent No No No ReAct

Head-to-head: V-8 vs Wapiti vs Nikto

Same demo app (17 intentional vulnerabilities, Flask). Same target, same conditions.

Vulnerability class Nikto Wapiti V-8
SQL injection 0 0 6
XSS 0 1 4
RCE 0 1 5
LFI 0 0 1
SSRF 0 1 1
IDOR 0 0 4
CSRF 0 0 6
Open redirect 0 0 1
Info disclosure 0 0 4
Missing headers 3 5 1

Vulnerability classes detected: Nikto 1, Wapiti 4, V-8 10. Validated findings: Nikto 3, Wapiti 7, V-8 41. Wapiti missed SQLi, CSRF, and IDOR entirely; Nikto only checks server config, not app logic or parameters.


Quick start

# Install
pip install -r requirements.txt

# Scan a target (authorized testing only)
python main.py scan https://your-target.com

# Stealth mode with WAF evasion
python main.py scan https://your-target.com --profile stealth --adaptive

# API server
python api_server.py --port 8080

Architecture

V-8 Scanner Architecture

Entry points: CLI (main.py), Flask API (api_server.py), and MCP server for AI agent integration. The pipeline runs fingerprinting, discovery, parallel scanning, and enrichment (CVSS, remediation, evidence) before outputting reports.


Documentation

Resource Location
Project summary docs/project/PROJECT_SUMMARY.md
Architecture details docs/project/ARCHITECTURE.md
Research plan docs/research/research_plan.md
Abstract docs/research/abstract.md
User guide docs/user-guide/

Project structure

β”œβ”€β”€ main.py              # CLI entry
β”œβ”€β”€ api_server.py        # REST API
β”œβ”€β”€ mcp_server.py        # MCP server for AI agents
β”œβ”€β”€ src/                 # Core engine (scanners, evasion, AI, discovery)
β”œβ”€β”€ hexstrike/           # MCP tools and Flask routes
β”œβ”€β”€ demo-app/            # Intentionally vulnerable test app
└── docs/                # Research, presentations, user guide

Ethics and safety

All testing is done only on systems with explicit authorization. No malware development or deployment. The project is intended for defensive evaluation and responsible disclosure.


V-8 Scanner β€” V-8 Security Research Team. BASEF 2026 1st Place. Representing Egypt at ISEF 2026, Phoenix, Arizona.

About

πŸ† BASEF 2026 Winner β€’ AI-augmented web vulnerability scanner with adaptive scanning, WAF evasion, and intelligent validation β€’ ISEF 2026 qualifier

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages