#💀 Xploit AI: AI-Powered Web Pentest Assistant An intelligent web pentesting tool that automates OWASP Top 10 vulnerability detection and provides real-time remediation guidance using AI.
#🔐 Project Vision "Xploit AI" aims to revolutionize web penetration testing by integrating artificial intelligence and machine learning to automate the detection of common web vulnerabilities. The goal is to create an intelligent assistant that not only identifies security flaws but also guides security professionals through the testing process, offering real-time insights and actionable remediation advice. This tool will significantly reduce the manual effort and expertise required for initial vulnerability assessments, allowing pentesters to focus on more complex, nuanced threats.
#❗ Problem Statement Traditional web penetration testing is often a manual, time-consuming, and expertise-intensive process. Identifying vulnerabilities like XSS, SQLi, and CSRF across large web applications can be prone to human error and inefficiency. Existing automated scanners, while useful, often lack the contextual understanding and adaptive capabilities that an experienced human pentester possesses.
#✨ Solution: Xploit AI's Approach Xploit AI addresses these challenges by combining the power of established security tools with advanced AI/ML models. It provides a user-friendly chat interface, making the complex process of vulnerability scanning more accessible and interactive.
#🚀 Key Features AI/ML-Powered Vulnerability Detection:
Integrates AI/ML models (e.g., leveraging large language models like Gemini-2.0-Flash or fine-tuned models) to analyze web traffic, application behavior, and source code patterns.
OWASP Top 10 Focus: Specifically trained to identify and flag vulnerabilities listed in the OWASP Top 10, including Cross-Site Scripting (XSS), SQL Injection (SQLi), Cross-Site Request Forgery (CSRF), Broken Access Control, Security Misconfigurations, and more.
Interactive Chat Interface:
A conversational AI assistant (like "ChatGPT for Pentesters") that guides the user through the pentesting process.
Users can ask questions about findings, request deeper analysis, or get explanations for specific vulnerabilities.
Provides context-aware suggestions and next steps based on the current scan results.
Automated Scanning and Reporting:
Ability to initiate scans on target websites (with explicit permission from the website owner).
Generates comprehensive, human-readable reports detailing identified vulnerabilities.
Reports include: Vulnerability name, description, affected URLs/parameters, Proof-of-Concept (PoC) examples, severity level, and detailed remediation suggestions.
CVSS Scoring and Risk Prioritization:
Automatically calculates a Common Vulnerability Scoring System (CVSS) score for each identified vulnerability.
Prioritizes vulnerabilities based on their CVSS score and potential impact, helping users focus on the most critical issues first.
Integration with Industry-Standard Tools:
Nmap Integration: For network discovery, port scanning, and service version detection.
sqlmap Integration: Leveraging sqlmap's powerful SQL injection detection and exploitation capabilities.
GitHub Actions for CI: Ensuring code quality, automated testing, and streamlined deployment.
🛠️ Tech Stack Backend: Python (Flask)
AI/ML: OpenAI/GPT (or other LLMs like Gemini-2.0-Flash via API)
Security Tools Integration: Nmap, sqlmap
Database (Optional): SQLite (for local storage of scan history, reports)
Frontend: HTML, CSS (Tailwind CSS), JavaScript
CI/CD: GitHub Actions
#🐧 Getting Started on Linux Follow these steps to set up and run Xploit AI on your Linux machine.
Prerequisites Python 3.8+
pip (Python package installer)
git
Nmap: Install via your package manager (e.g., sudo apt install nmap on Debian/Ubuntu, sudo dnf install nmap on Fedora/RHEL).
sqlmap: Install via your package manager (e.g., sudo apt install sqlmap on Debian/Ubuntu, sudo dnf install sqlmap on Fedora/RHEL).
Installation Clone the repository:
git clone https://github.com/XploitAI/AI-Powered-Web-Pentest-Assistant.git cd AI-Powered-Web-Pentest-Assistant
Create and activate a virtual environment: It's highly recommended to use a virtual environment to manage dependencies.
python3 -m venv venv source venv/bin/activate
Install Python dependencies:
pip install -r requirements.txt
Set Environment Variables: If you are using an AI API (e.g., Gemini, OpenAI), you must set your API key as an environment variable. Never hardcode API keys in your code.
export GEMINI_API_KEY="your_gemini_api_key_here"
For persistent environment variables, add the export line to your ~/.bashrc or ~/.zshrc file and then run source ~/.bashrc (or source ~/.zshrc).
Running the Application Once everything is set up, you can run the Flask application:
python main.py
The application will typically start on http://127.0.0.1:5000. Open this URL in your web browser to access the Xploit AI chat interface.
When you run main.py, you'll see the custom "Xploit AI" skull design in your terminal:
██╗ ██╗██╗ ██╗██╗ ██╗██╗ ██╗███████╗██╗ ██╗██╗ ██╗██████╗ ██╗ ██║ ██║██║ ██║██║ ██║██║ ██║██╔════╝██║ ██║██║ ██║██╔══██╗██║ ███████║███████║██║ ██║███████║█████╗ ██║ ██║██║ ██║██████╔╝██║ ██╔══██║██╔══██║██║ ██║██╔══██║██╔══╝ ██║ ██║██║ ██║██╔══██╗╚═╝ ██║ ██║██║ ██║╚██████╔╝██║ ██║███████╗╚██████╔╝███████╗██║██║ ██║██╗ ╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚══════╝╚═╝╚═╝ ╚═╝╚═╝
💀 Xploit AI: AI-Powered Web Pentest Assistant 💀
Starting server...
📂 Project Structure The project is organized into modular components for clarity and maintainability:
AI-Powered-Web-Pentest-Assistant/ ├── main.py # Main entry point to run the Flask app. ├── app.py # Flask application creation and configuration. ├── index.py # Defines the main web routes (homepage, chat interface). ├── requirements.txt # Python dependencies. ├── modules/ │ ├── init.py # Makes 'modules' a Python package. │ ├── cvss.py # Handles CVSS scoring and vulnerability prioritization. │ ├── nmap_scanner.py # Integrates with Nmap for network scanning. │ ├── sql_injector.py # Integrates with sqlmap for SQL Injection detection. │ ├── dns_enum.py # Performs DNS enumeration tasks. │ ├── subdomain_finder.py # Identifies subdomains. │ └── owasp_analyzer.py # AI-powered detection of OWASP Top 10 vulnerabilities (XSS, CSRF, etc.). └── templates/ ├── index.html # Main web interface (chat, results display). ├── 404.html # Custom 404 Not Found error page. └── 500.html # Custom 500 Internal Server Error page.
#🗺️ Roadmap & Future Enhancements Robust AI Integration: Implement actual API calls to LLMs (Gemini, OpenAI) for dynamic vulnerability analysis, report generation, and interactive guidance.
Advanced Parsing: Develop more sophisticated parsers for Nmap and sqlmap outputs to extract richer, structured data.
More OWASP Top 10 Modules: Expand owasp_analyzer.py to cover more vulnerability categories (e.g., Broken Access Control, Security Misconfigurations, Insecure Deserialization).
Web UI Enhancements: Improve the frontend with more interactive elements, real-time scan progress, and better visualization of results.
Reporting Features: Generate downloadable, formatted reports (PDF, HTML).
Authentication & User Management: For multi-user environments or persistent scan history.
Dockerization: Provide Docker containers for easier deployment across different environments.
Database Integration: Persist scan results, chat history, and user preferences.
Proxy Integration: Allow Xploit AI to integrate with web proxies (e.g., Burp Suite, OWASP ZAP) for passive analysis.
#🤝 Contributing We welcome contributions to Xploit AI! If you have ideas for new features, bug fixes, or improvements, please:
Fork the repository.
Create a new branch (git checkout -b feature/your-feature-name).
Make your changes and ensure tests pass.
Commit your changes (git commit -m 'Add new feature').
Push to your branch (git push origin feature/your-feature-name).
Open a Pull Request.
Please ensure your code adheres to PEP 8 standards and includes appropriate documentation and comments.Xploit AI