{"id":13512530,"url":"https://github.com/chaitin/xray","last_synced_at":"2026-01-28T04:34:12.490Z","repository":{"id":37863731,"uuid":"191117123","full_name":"chaitin/xray","owner":"chaitin","description":"A complete security assessment tool developed in-house by Chaitin, supporting scanning for common web security issues and custom PoCs | Be sure to read the documentation before use","archived":false,"fork":false,"pushed_at":"2024-10-29T16:15:53.000Z","size":36681,"stargazers_count":10709,"open_issues_count":62,"forks_count":1847,"subscribers_count":207,"default_branch":"master","last_synced_at":"2025-03-27T07:26:30.029Z","etag":null,"topics":["passive-vulnerability-scanner","poc","security","sqlinjection","vulnerability","vulnerability-scanner","xss"],"latest_commit_sha":null,"homepage":"https://docs.xray.cool","language":"Vue","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chaitin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-06-10T07:16:37.000Z","updated_at":"2025-03-26T17:12:31.000Z","dependencies_parsed_at":"2023-02-08T17:46:12.171Z","dependency_job_id":"ae7ae3d2-bd15-403e-a1d5-0880e43bde33","html_url":"https://github.com/chaitin/xray","commit_stats":null,"previous_names":[],"tags_count":79,"template":false,"template_full_name":null,"purl":"pkg:github/chaitin/xray","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fxray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fxray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fxray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fxray/ma
nifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chaitin","download_url":"https://codeload.github.com/chaitin/xray/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaitin%2Fxray/sbom","scorecard":{"id":273130,"data":{"date":"2025-08-11","repo":{"name":"github.com/chaitin/xray","commit":"aee9f9cecc3d49a1842a33c38b96af35a7d90168"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.4,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":2,"reason":"Found 6/30 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/check_poc.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact xpoc-0.1.0 not signed: https://api.github.com/repos/chaitin/xray/releases/166218020","Warn: release artifact xapp-0.0.2 not signed: https://api.github.com/repos/chaitin/xray/releases/166204077","Warn: release artifact EvilPot-0.0.2 not signed: https://api.github.com/repos/chaitin/xray/releases/164732640","Warn: release artifact EvilPot-0.0.1 not signed: https://api.github.com/repos/chaitin/xray/releases/163957547","Warn: release artifact xapp-0.0.1 not signed: https://api.github.com/repos/chaitin/xray/releases/162728002","Warn: release artifact xpoc-0.1.0 does not have provenance: https://api.github.com/repos/chaitin/xray/releases/166218020","Warn: release artifact xapp-0.0.2 does not have provenance: https://api.github.com/repos/chaitin/xray/releases/166204077","Warn: release artifact EvilPot-0.0.2 does not have provenance: https://api.github.com/repos/chaitin/xray/releases/164732640","Warn: release artifact EvilPot-0.0.1 does not have provenance: 
https://api.github.com/repos/chaitin/xray/releases/163957547","Warn: release artifact xapp-0.0.1 does not have provenance: https://api.github.com/repos/chaitin/xray/releases/162728002"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 12 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: \u0026\u0026 must be followed by a statement: tests/vulstudy/DVWA/Dockerfile:10-21","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check_poc.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/chaitin/xray/check_poc.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/check_poc.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/chaitin/xray/check_poc.yml/master?enable=pin","Warn: containerImage not pinned by hash: tests/vulstudy/BodgeIt/Dockerfile:6: pin your Docker image by updating tomcat:8.0 to tomcat:8.0@sha256:8ecb10948deb32c34aeadf7bf95d12a93fbd3527911fa629c1a3e7823b89ce6f","Warn: containerImage not pinned by hash: tests/vulstudy/DSVW/Dockerfile:1: pin your Docker image by updating python:2.7-jessie to python:2.7-jessie@sha256:ac92238de3bbb6cbfb5d68690c2c6d9cef89c85cb59d6091f0e836bcb3ba4e6e","Warn: containerImage not pinned by hash: tests/vulstudy/DVWA/Dockerfile:1: pin your Docker image by updating 
tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: tests/vulstudy/Hackademic/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: tests/vulstudy/MCIR/Dockerfile:1: pin your Docker image by updating php:5.6.13-apache to php:5.6.13-apache@sha256:4eb19eac7bb850f0259fa4252ea13d922dbadd77a922eb0487b711b3d6034214","Warn: containerImage not pinned by hash: tests/vulstudy/WackoPicko/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: tests/vulstudy/WebGoat/webgoat-server/Dockerfile:1: pin your Docker image by updating openjdk:8-jre-slim to openjdk:8-jre-slim@sha256:53186129237fbb8bc0a12dd36da6761f4c7a2a20233c20d4eb0d497e4045a4f5","Warn: containerImage not pinned by hash: tests/vulstudy/WebGoat/webwolf/Dockerfile:1: pin your Docker image by updating openjdk:8-jre-slim to openjdk:8-jre-slim@sha256:53186129237fbb8bc0a12dd36da6761f4c7a2a20233c20d4eb0d497e4045a4f5","Warn: containerImage not pinned by hash: tests/vulstudy/XSSed/Dockerfile:1: pin your Docker image by updating php:5.5-apache to php:5.5-apache@sha256:be7f9332d3bea49084d74a0718a5400f7b5d128c1937575e76f72df3a41e8eac","Warn: containerImage not pinned by hash: tests/vulstudy/bWAPP/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: tests/vulstudy/mutillidae/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: 
tests/vulstudy/sqli-labs/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: containerImage not pinned by hash: tests/vulstudy/vulnerable-node/Dockerfile:1: pin your Docker image by updating ubuntu:xenial to ubuntu:xenial@sha256:1f1a2d56de1d604801a9671f301190704c25d604a416f59e03c04f5c6ffee0d6","Warn: containerImage not pinned by hash: tests/vulstudy/vulnerable-node/postgresql/Dockerfile:1: pin your Docker image by updating library/postgres to library/postgres@sha256:7a554f408a1bc37f29e1e81757368cffa330619d017d235822223be538d37f5a","Warn: containerImage not pinned by hash: tests/vulstudy/www/Dockerfile:1: pin your Docker image by updating tutum/lamp:latest to tutum/lamp:latest@sha256:d332e7e97606ac6407b0ba9ae9e9383c89d7e04c6f4853332e98f7d326408329","Warn: pipCommand not pinned by hash: tests/vulstudy/DSVW/Dockerfile:5-8","Warn: npmCommand not pinned by hash: tests/vulstudy/vulnerable-node/Dockerfile:7-25","Warn: pipCommand not pinned by hash: .github/workflows/check_poc.yml:17","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  15 containerImage dependencies pinned","Info:   0 out of   2 pipCommand dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Vulnerabilities","score":0,"reason":"81 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-whgm-jr23-g3j9","Warn: Project is vulnerable to: GHSA-93q8-gq69-wqmw","Warn: Project is vulnerable to: GHSA-fwr7-v2mv-hh25","Warn: Project is vulnerable to: 
GHSA-qwcr-r2fm-qrc7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-x9w5-v3q2-3rhw","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq","Warn: Project is vulnerable to: GHSA-phwq-j96m-2c2q","Warn: Project is vulnerable to: GHSA-ghr5-ch3p-vcr6","Warn: Project is vulnerable to: GHSA-434g-2637-qmqr","Warn: Project is vulnerable to: GHSA-49q7-c7j4-3p7m","Warn: Project is vulnerable to: GHSA-977x-g7h5-7qgw","Warn: Project is vulnerable to: GHSA-f7q4-pwc6-w24p","Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747","Warn: Project is vulnerable to: GHSA-vjh7-7g9h-fjfh","Warn: Project is vulnerable to: GHSA-6h5x-7c5m-7cr7","Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc","Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx","Warn: Project is vulnerable to: GHSA-74fj-2j2h-c42q","Warn: Project is vulnerable to: GHSA-pw2r-vq6v-hr8c","Warn: Project is vulnerable to: GHSA-jchw-25xp-jwwc","Warn: Project is vulnerable to: GHSA-cxjh-pqwp-8mfp","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-pfq8-rq6v-vf5m","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-78xj-cgh5-2h22","Warn: Project is vulnerable to: GHSA-2p57-rm9w-gvfp","Warn: Project is vulnerable to: GHSA-896r-f27r-55mw","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-76p3-8jx3-jpfq","Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488","Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4","Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g","Warn: Project is vulnerable to: 
GHSA-5rrq-pxf6-6jx5","Warn: Project is vulnerable to: GHSA-8fr3-hfg3-gpgp","Warn: Project is vulnerable to: GHSA-gf8q-jrpm-jvxq","Warn: Project is vulnerable to: GHSA-2r2c-g63r-vccr","Warn: Project is vulnerable to: GHSA-cfm4-qjh2-4765","Warn: Project is vulnerable to: GHSA-x4jg-mjrx-434g","Warn: Project is vulnerable to: GHSA-rp65-9cf3-cjxr","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w","Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6","Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59","Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j","Warn: Project is vulnerable to: GHSA-hrpp-h998-j3pp","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg","Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p","Warn: Project is vulnerable to: GHSA-4wf5-vphf-c2xc","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-rqff-837h-mm52","Warn: Project is vulnerable to: GHSA-8v38-pw62-9cw2","Warn: Project is vulnerable to: GHSA-hgjh-723h-mx2j","Warn: Project is vulnerable to: GHSA-jf5r-8hm2-f872","Warn: Project is vulnerable to: GHSA-5j4c-8p2g-v4jx","Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx","Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q","Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq","Warn: Project is vulnerable to: PYSEC-2020-176 / GHSA-3pqx-4fqf-j49f","Warn: Project is vulnerable to: PYSEC-2020-96 / GHSA-6757-jp84-gxfx","Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is 
vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T13:52:00.572Z","repository_id":37863731,"created_at":"2025-08-17T13:52:00.572Z","updated_at":"2025-08-17T13:52:00.572Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28838485,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T02:10:51.810Z","status":"ssl_error","status_checked_at":"2026-01-28T02:10:50.806Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["passive-vulnerability-scanner","poc","security","sqlinjection","vulnerability","vulnerability-scanner","xss"],"created_at":"2024-08-01T03:01:59.558Z","updated_at":"2026-01-28T04:34:12.475Z","avatar_url":"https://github.com/chaitin.png","language":"Vue","funding_links":[],"categories":["\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003eTools","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003ePenetration\u0026\u0026offensive\u0026\u0026penetration frameworks\u0026\u0026post-exploitation frameworks","Vue","Vulnerability Scanning","Vue (45)","Vulnerability scanning","Scanners, asset collection, subdomains","Application Recommendation","LLM analysis process"],"sub_categories":["\u003ca id=\"2e40f2f1df5d7f93a7de47bf49c24a0e\"\u003e\u003c/a\u003eUncategorized-Pentest","xray","Network services_Other","🔒 Cybersecurity"],"readme":"\u003ch1 align=\"center\"\u003eWelcome to xray 👋\u003c/h1\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/github/release/chaitin/xray.svg\" /\u003e\n  \u003cimg src=\"https://img.shields.io/github/release-date/chaitin/xray.svg?color=blue\u0026label=update\" /\u003e\n  \u003cimg src=\"https://img.shields.io/badge/go report-A+-brightgreen.svg\" /\u003e\n  \u003ca href=\"https://docs.xray.cool/\"\u003e\n    \u003cimg alt=\"Documentation\" src=\"https://img.shields.io/badge/documentation-yes-brightgreen.svg\" target=\"_blank\" /\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003ch3 align=\"center\"\u003eA powerful security assessment tool\u003c/h3\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://docs.xray.cool\"\u003e🏠Documentation\u003c/a\u003e •\n  \u003ca href=\"https://github.com/chaitin/xray/releases\"\u003e⬇️Download xray\u003c/a\u003e •\n  \u003ca href=\"https://github.com/chaitin/xpoc\"\u003e⬇️Download xpoc\u003c/a\u003e •\n  \u003ca href=\"https://github.com/chaitin/xapp\"\u003e⬇️Download xapp\u003c/a\u003e •\n  \u003ca href=\"https://github.com/chaitin/xray-plugins\"\u003e📖Plugin repository\u003c/a\u003e\n\u003c/p\u003e\n\n[**English Version**](./README_EN.md)\n\n\u003e Note: the xray series is not open source; just download the prebuilt binaries. This repository mainly holds community-contributed PoCs, which are packaged automatically with every xray release.\n\n## ✨ xray2.0\n\nTo address the problem of xray 1.0 becoming complex and bloated as features were added, we have launched xray 2.0.\n\nThis brand-new version aims to make features smoother to use, lower the barrier to entry, and help more security practitioners get a better experience through a more efficient workflow. xray 2.0 will integrate a series of new security tools into a comprehensive security toolkit.\n\n**xapp, the second tool in the xray 2.0 series, is now available. Give it a try!**\n\n### XPOC\n\nxpoc is the first tool in the xray 2.0 series: a fast emergency-response tool designed for supply-chain vulnerability scanning.\n\nProject page: https://github.com/chaitin/xpoc\n\n### XAPP\n\nxapp is a tool focused on web fingerprinting. You can use xapp to identify the technologies a web target uses, in preparation for security testing.\n\nProject page: https://github.com/chaitin/xapp\n\n### Plugin repository\n\nWe have created a dedicated repository for plugins of all kinds, to make it easy for everyone to share and use them.\n\nIt mainly collects open-source scripts converted into xray format, for everyone to use.\n\nWe will push new plugins there from time to time, and we also hope everyone will actively improve or submit plugins to enrich the repository together.\n\nProject page: https://github.com/chaitin/xray-plugins\n\n## 🚀 Quick start\n\n**Before use, be sure to read and agree to the terms in the [License](https://github.com/chaitin/xray/blob/master/LICENSE.md) file; otherwise do not install or use this tool.**\n\n1. Crawl with the basic crawler and scan the crawled links for vulnerabilities\n    \n    ```bash\n    xray webscan --basic-crawler http://example.com --html-output vuln.html\n    ```\n\n2. Passive scanning through an HTTP proxy\n    \n    ```bash\n    xray webscan --listen 127.0.0.1:7777 --html-output proxy.html\n    ```\n   Set the browser's HTTP proxy to `http://127.0.0.1:7777` and the proxied traffic is analyzed and scanned automatically.\n   \n   \u003eTo scan HTTPS traffic, read the `Capturing https traffic` section of the documentation below\n\n3. Scan a single URL only, without the crawler\n    \n    ```bash\n    xray webscan --url http://example.com/?a=b --html-output single-url.html\n    ```\n\n4. Manually specify the plugins for this run\n   \n   By default all built-in plugins are enabled; the following commands specify which plugins to enable for this scan.\n   \n   ```bash\n   xray webscan --plugins cmd-injection,sqldet --url http://example.com\n   xray webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777\n   ```\n      \n5. Specify plugin output\n\n    The vulnerability findings of this scan can be written to a file:\n    \n    ```bash\n    xray webscan --url http://example.com/?a=b \\\n    --text-output result.txt --json-output result.json --html-output report.html\n    ```\n    \n    [Sample report](https://docs.xray.cool/assets/report_example.html)\n\nFor other usage, read the documentation: https://docs.xray.cool\n\n## 🪟 Detection modules\n\nNew detection modules will be added continuously\n\n| Name | Key | Edition | Description |\n|---|---|---|---|\n| XSS detection | `xss` | Community | Detects XSS vulnerabilities using semantic analysis |\n| SQL injection detection | `sqldet` | Community | Supports error-based, boolean-based and time-based blind injection, among others |\n| Command/code injection detection | `cmd-injection` | Community | Supports shell command injection, PHP code execution, template injection, etc. |\n| Directory enumeration | `dirscan` | Community | Detects more than 10 categories of sensitive paths and files, such as backup files, temporary files, debug pages and configuration files |\n| Path traversal detection | `path-traversal` | Community | Supports common platforms and encodings |\n| XML entity injection detection | `xxe` | Community | Supports echoed (in-band) detection and detection via the reverse-connection platform |\n| PoC management | `phantasm` | Community | Some commonly used PoCs are built in by default; users can build and run their own PoCs as needed. Documentation: [POC](https://docs.xray.cool/#/guide/poc) |\n| File upload detection | `upload` | Community | Supports common back-end languages |\n| Weak password detection | `brute-force` | Community | The community edition checks HTTP basic authentication and simple login forms for weak passwords, with built-in dictionaries of common usernames and passwords |\n| JSONP detection | `jsonp` | Community | Detects JSONP endpoints that expose sensitive information readable cross-origin |\n| SSRF detection | `ssrf` | Community | SSRF detection module; supports common bypass techniques and detection via the reverse-connection platform |\n| Baseline check | `baseline` | Community | Detects low SSL versions, missing or incorrectly added HTTP headers, etc. |\n| Open redirect detection | `redirect` | Community | Supports HTML meta redirects, 30x redirects, etc. |\n| CRLF injection | `crlf-injection` | Community | Detects HTTP header injection; supports parameters in the query, body and other positions |\n| XStream vulnerability detection | `xstream` | Community | Detects the XStream family of vulnerabilities |\n| Struts2 vulnerability detection | `struts` | Advanced | Checks whether the target site has Struts2 vulnerabilities, including common ones such as s2-016, s2-032, s2-045, s2-059 and s2-061 |\n| ThinkPHP vulnerability detection | `thinkphp` | Advanced | Detects vulnerabilities in sites built with ThinkPHP |\n| Shiro deserialization detection | `shiro` | Advanced | Detects Shiro deserialization vulnerabilities |\n| fastjson vulnerability detection | `fastjson` | Advanced | Detects the fastjson family of vulnerabilities |\n\n\n## ⚡️ Advanced usage\n\nSee https://docs.xray.cool/ for the following advanced usage.\n\n - Modifying the configuration file\n - Capturing https traffic\n - Modifying the HTTP request settings\n - Using the reverse-connection platform\n - ...\n\n## 😘 Contributing PoCs\n\nxray's progress would not be possible without the support of the community. In the spirit of mutual help and shared building, and so that we can all progress together, xray has opened a \"PoC submission\" channel! Here you will get:\n\n### Submission process\n\n1. Contributors submit a PR to the xray community repository on GitHub. PoCs go in: https://github.com/chaitin/xray/tree/master/pocs, fingerprinting scripts go in: https://github.com/chaitin/xray/tree/master/fingerprints\n2. Fill in the PoC information in the PR according to the Pull Request template\n3. The PR is reviewed internally to decide whether it is merged into the repository\n4. Note that to receive a reward for a PoC, you need to submit your PoC to CT stack; only then is the reward granted\n\n### Generous rewards\n\n- Contributing PoCs earns **generous coin rewards** and a real sense of achievement;\n- A **rich gift** redemption area with more than 50 kinds of merchandise to choose from;\n- JD.com gift cards are regularly made available for redemption, bringing you one step closer to **financial freedom**;\n- The chance to join the core community, take on special tasks and earn **high bounties**;\n\n### Complete tutorials\n\n- Complete **PoC writing tutorials and guidance** to get you started quickly and avoid detours;\n\n### Learning and exchange\n\n- Opportunities to learn and exchange **face to face with contributors and developers**, improving your skills across the board;\n- **Direct interview opportunities** without a written test; a good job is not a dream;\n\nIf you have already contributed a PoC but have not yet joined the group, please add our customer service on WeChat:\n\n\u003cimg src=\"./asset/customer_service.png\" height=\"200px\"\u003e\n\nProvide your platform registration ID for verification; once verified you can join the group!\n\nSee: https://docs.xray.cool/#/guide/contribute\n\n## 🔧Ecosystem\n\n### PoC quality-check target range\n\n[**Evil Pot**](https://github.com/chaitin/xray/tree/master/tests/evilpot)\n\n[Releases](https://github.com/chaitin/xray/releases?q=EvilPot\u0026expanded=true)\n\nA target range designed specifically to make scanners produce false positives\n\nPlugins should be written so that, as far as possible, they produce no findings when scanning this range\n\n### PoC writing helper tools\n\nThese tools help generate PoCs; the online version supports **PoC duplicate checking**, and the local version supports sending requests directly for verification\n\n#### Online version\n- [**规则实验室 (Rule Lab)**](https://poc.xray.cool)\n- The online version supports **PoC duplicate checking**\n#### Local version\n- [**gamma-gui**](https://github.com/zeoxisca/gamma-gui)\n\n### xray GUI helper tools\n\nThis tool is only a simple command-line wrapper, not a direct invocation of xray's methods. xray's roadmap includes a truly complete GUI version, XrayPro, in the future; stay tuned.\n\n- [**super-xray**](https://github.com/4ra1n/super-xray)\n\n## 📝 Discussion\n\nDevelopers and xray fans, come [vote in the discussion area](https://github.com/chaitin/xray/discussions/1804) to decide the development priority of xray 2.0 tools and let your voice shape xray's future! 🚀\n\nBefore submitting false positives, false negatives, feature requests and so on, be sure to read https://docs.xray.cool/#/guide/feedback\n\nIf you have questions, open an issue on GitHub, or ask in the discussion groups below\n\n1. GitHub:\n   - https://github.com/chaitin/xray/issues\n   - https://github.com/chaitin/xray/discussions\n\n2. WeChat official account: scan the QR code below in WeChat to follow us\n\n    \u003cimg src=\"./asset/wechat.jpg\" height=\"200px\"\u003e\n\n3. WeChat group: add the WeChat official account, tap \"Contact us\" -\u003e \"Join group\", then scan the QR code to join\n\n4. QQ group: 717365081\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=chaitin/xray\u0026type=Date)](https://star-history.com/#chaitin/xray\u0026Date)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchaitin%2Fxray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchaitin%2Fxray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchaitin%2Fxray/lists"}