gitmyhub

xray

Vue ★ 12k updated 1y ago

A full-featured security assessment tool developed in-house by Chaitin (长亭). It scans for common web security issues and supports custom POCs. Be sure to read the documentation before using it.

A web security scanning tool that automatically checks websites for vulnerabilities such as SQL injection and XSS. The binary is free to download; this GitHub repo hosts the community-contributed detection scripts (POCs) and fingerprint files that ship with it.

Languages: Vue, Go | setup: easy | complexity: 2/5

Xray is a web security scanning tool built by Chaitin Technology. You point it at a website and it checks for common security problems automatically. The scanner itself is closed source (only prebuilt binaries are distributed), so the GitHub repository mainly holds community-contributed detection scripts (called POCs) and fingerprint recognition files, which get bundled into each new release.

The scanner can work in two ways. You can give it a starting URL and let its built-in crawler follow links while checking each page it finds. Or you can run it as an HTTP proxy, point your browser at it, and let it scan the traffic you generate by browsing; note that in both modes xray sends its own test requests derived from what it sees, so only use it against targets you are authorised to test. Both modes write results to HTML, text, or JSON reports.

The problems it looks for include SQL injection, cross-site scripting (XSS), command injection, path traversal, file upload issues, XML external entity (XXE) injection, weak passwords, open redirects, and more. A premium version adds checks for specific framework vulnerabilities such as Struts2, Shiro, and Fastjson. Users can also write and run their own custom detection scripts.

Version 2.0 is a redesign that groups several tools together. XPOC is a quick-response scanner for supply chain vulnerabilities. XAPP is a separate tool that identifies what technologies a website is built with before testing begins. A plugin repository on GitHub stores community-built scripts that extend what xray can detect.

To use xray you download the prebuilt binary for your operating system and read the license before running it. The documentation site at docs.xray.cool covers configuration, capturing HTTPS traffic in proxy mode (which requires generating and trusting xray's CA certificate), and how to write your own detection plugins. Community members can contribute POC scripts through pull requests and receive rewards for accepted submissions.
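As an added example (not part of the xray project or this page's original text), the POSIX shell wrapper below drives the two scan modes described above plus a custom-POC run, with a scope check so the active scanner is only ever pointed at allow-listed hosts. It assumes the binary is at ./xray (override with XRAY) and uses the subcommands and flags from the public docs (webscan, --basic-crawler, --listen, --url, --plugins phantasm, --poc, --html-output, --json-output, genca); confirm them against `./xray webscan --help` for your release, since flags can change between versions. The ALLOWED_HOSTS list is a constructed placeholder.

```shell
#!/bin/sh
# Added example wrapper for the xray CLI; not the project's own code.
# Assumptions: binary at $XRAY (default ./xray); flag names taken from
# docs.xray.cool and should be checked with `./xray webscan --help`.
set -u

XRAY="${XRAY:-./xray}"
# Hosts you are authorised to scan. Constructed placeholder; replace it.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-localhost 127.0.0.1}"

# host_of URL -> prints the host part (scheme, port, path stripped).
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://##; s#[:/].*$##'
}

# in_scope URL -> succeeds only for http(s) URLs whose host is allow-listed.
# The crawler and the proxy both send their own test requests, so a scope
# check belongs in front of every active scan.
in_scope() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    h=$(host_of "$1")
    for a in $ALLOWED_HOSTS; do
        [ "$h" = "$a" ] && return 0
    done
    return 1
}

# run_scan MODE TARGET OUTDIR [POC]
#   crawl  TARGET is a start URL; xray's crawler follows links and scans each page
#   proxy  TARGET is host:port to listen on; browser traffic through it is scanned
#          (run `./xray genca` once and trust ca.crt in the browser for HTTPS)
#   poc    TARGET is a URL; runs one YAML POC via the phantasm plugin
# With DRY_RUN=1 the command line is printed instead of executed.
# Returns 2 when the target is out of scope, 1 for an unknown mode.
run_scan() {
    mode=$1; target=$2; out=$3; poc=${4:-}
    if [ "$mode" != proxy ] && ! in_scope "$target"; then
        echo "refusing: $target is not an http(s) URL on an allow-listed host" >&2
        return 2
    fi
    # Build argv with set -- so URLs with &, ? or spaces never hit eval.
    case "$mode" in
        crawl) set -- "$XRAY" webscan --basic-crawler "$target" \
                   --html-output "$out/crawl.html" --json-output "$out/crawl.json" ;;
        proxy) set -- "$XRAY" webscan --listen "$target" \
                   --html-output "$out/proxy.html" --json-output "$out/proxy.json" ;;
        poc)   set -- "$XRAY" webscan --plugins phantasm --poc "$poc" --url "$target" \
                   --json-output "$out/poc.json" ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    mkdir -p "$out"
    "$@"
}

# Usage (DRY_RUN=1 shows the commands without needing the binary):
#   DRY_RUN=1 run_scan crawl http://localhost:8080/ ./out
#   DRY_RUN=1 run_scan proxy 127.0.0.1:7777 ./out
#   DRY_RUN=1 run_scan poc http://localhost:8080/ ./out ./my-poc.yml
```

The proxy mode takes a listen address rather than a URL, so the scope check is skipped there; in that mode the scope is whatever you browse, which is why the browser should only be sent to hosts you are allowed to test while the proxy is up.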

Where it fits