X-Scanner is a Flask web application for authenticated vulnerability scanning with Firebase-backed user management and scan history storage.
It currently supports:
- Cross-Site Scripting (XSS) checks
- SQL Injection checks
- Port scanning
- Basic RCE probe logic
⚠️ Important: Use this tool only on systems you own or have explicit permission to test.
This repository contains multiple historical folders. The active app is the root-level code:
- `app.py`
- `forms.py`
- `firebase_config.py`
- `modules/`
- `templates/`
- `static/`
Folders like `old code/` and `new code/` contain legacy/alternate versions.
- Backend: Flask, Flask-Login, Flask-WTF
- Auth/DB: Firebase Authentication + Firestore (via `firebase_admin`)
- Scanner modules: Custom Python scanners under `modules/`
- Frontend: Jinja templates, static CSS/JS
- User registration and login
- Profile view/update and account deletion
- Admin panel:
  - List users
  - Promote/demote admin
  - Edit/delete users
  - View/delete user scan history
- Multi-scan selection from UI (`/start_scanning`)
- Asynchronous scan execution using a background thread
- Scan result persistence in Firestore (`scans` collection)
```
.
├─ app.py
├─ forms.py
├─ firebase_config.py
├─ modules/
│  ├─ port_scanning.py
│  ├─ xss_scanning.py
│  ├─ sql_injection_scanning.py
│  ├─ rce_scanning.py
│  ├─ payload/
│  ├─ plugins/
│  └─ lib/
├─ templates/
├─ static/
├─ xss.txt
└─ openedports.txt
```
- Python 3.10+ (3.11 recommended)
- A Firebase project with:
  - Authentication enabled (Email/Password)
  - Firestore database enabled
  - Service account JSON key
Install these packages in your virtual environment:
```bash
pip install flask flask-login flask-wtf wtforms firebase-admin requests beautifulsoup4 colorama urllib3
```
Optional (already present in repo): `package.json` includes the Firebase web SDK dependency for frontend-related workflows.
The app currently initializes Firebase Admin using a JSON file path directly in `app.py` and `firebase_config.py`.
Place your service account JSON in the project root and update `app.py` and `firebase_config.py` to point to your file name.
`/login` uses the Firebase Identity Toolkit REST API with a hardcoded API key in `app.py`.
Update that key with your Firebase Web API key.
If your templates use `static/js/firebase-config.js`, update the values there to match your Firebase project.
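The environment-variable approach that the limitations and roadmap below call for, as an added example that is not part of the X-Scanner code: a settings loader that fails closed when a variable is missing, the key file is absent, or the file is not a Firebase service account key. The variable names `FIREBASE_SERVICE_ACCOUNT` and `FIREBASE_WEB_API_KEY` are assumptions, as is the `init_firebase` wrapper around `firebase_admin`.

```python
import json
import os
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class FirebaseSettings:
    service_account_path: Path
    project_id: str
    web_api_key: str


def load_firebase_settings(env=os.environ) -> FirebaseSettings:
    """Read Firebase settings from the environment and fail closed.

    Variable names are assumptions, not the project's own:
      FIREBASE_SERVICE_ACCOUNT - path to the service account JSON key
      FIREBASE_WEB_API_KEY     - Web API key used by the /login REST call
    """
    required = ("FIREBASE_SERVICE_ACCOUNT", "FIREBASE_WEB_API_KEY")
    missing = [name for name in required if not env.get(name)]
    if missing:
        # Name the variables, but never echo secret values into logs.
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    path = Path(env["FIREBASE_SERVICE_ACCOUNT"])
    if not path.is_file():
        raise RuntimeError(f"service account file not found: {path}")
    # Validate the key at startup so a wrong path or a non-service-account
    # JSON fails here rather than at the first Firestore call.
    with path.open(encoding="utf-8") as fh:
        data = json.load(fh)
    if data.get("type") != "service_account" or not data.get("project_id"):
        raise RuntimeError(f"{path} is not a Firebase service account key")
    return FirebaseSettings(path, data["project_id"], env["FIREBASE_WEB_API_KEY"])


def init_firebase(settings: FirebaseSettings):
    """Initialise firebase_admin once; the import is local so the loader
    above can be exercised without the SDK installed."""
    import firebase_admin
    from firebase_admin import credentials

    try:
        return firebase_admin.get_app()  # already initialised
    except ValueError:
        cred = credentials.Certificate(str(settings.service_account_path))
        return firebase_admin.initialize_app(cred, {"projectId": settings.project_id})
```

`app.py` and `firebase_config.py` would then call `init_firebase(load_firebase_settings())` instead of naming the key file and API key inline.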
From the project root:
```bash
python -m venv .venv
```
Activate venv:
- Windows PowerShell:
```powershell
.\.venv\Scripts\Activate.ps1
```
Install deps:
```bash
pip install flask flask-login flask-wtf wtforms firebase-admin requests beautifulsoup4 colorama urllib3
```
Start app:
```bash
python app.py
```
App runs in debug mode by default at:
http://127.0.0.1:5000
- Register a user at `/register`
- Login at `/login`
- Go to `/start_scanning`
- Enter target URL and choose scan types:
  - XSS
  - SQL Injection
  - Port Scan
  - RCE
- Submit scan request
- View results in `/view_scan_history`
Expected fields:
`uid`, `username`, `email`, `admin_status` (`0` or `1`)
Stored fields include:
`user_id`, `host`, `port_scan_results`, `sql_scan_results`, `xss_scan_results`, `rce_scan_results`, `timestamp`
- Scanner logic is proof-of-concept and can produce false positives/negatives.
- Some scanner modules write/read local files (e.g., `xss.txt`).
- No centralized `requirements.txt` is currently included.
- Secrets/keys are currently hardcoded in code and should be moved to environment variables for production.
- `ModuleNotFoundError`: Ensure venv is active and dependencies are installed.
- Firebase init/auth errors: Verify service account file path, project config, and API keys.
- No scan results shown: Confirm selected scan type, target reachability, and Firestore write permissions.
- Move secrets to `.env` and load via environment variables
- Add `requirements.txt`
- Add unit/integration tests for scanner modules and routes
- Add rate limiting and stricter scan target validation
This project is for educational and authorized security testing purposes only. You are responsible for complying with all applicable laws and policies.