
Xray: A Binary-Only Web Vulnerability Scanner Powered by Community POCs

Hook

With over 11,000 GitHub stars, xray is one of China’s most popular security tools—yet you can’t see a single line of its core scanning engine. This isn’t an oversight; it’s the business model.

Context

Web vulnerability scanners traditionally fall into two camps: open-source tools with transparent detection logic but slower innovation cycles, or commercial products with proprietary engines and expensive licensing. Chaitin’s xray attempts a hybrid approach that’s particularly interesting: distribute a closed-source binary for free, but open-source the vulnerability signatures (POCs) and build a gamified community around contribution. The repository itself doesn’t contain the scanner—just documentation, POC files, and a growing ecosystem of 20+ detection modules.

This architecture emerged from a practical need in the Chinese security market. Frameworks like ThinkPHP, Struts2, and Shiro dominate Chinese web development, creating specific vulnerability patterns that Western tools often miss. Rather than maintaining a massive internal POC database, Chaitin created a contribution system where security researchers submit vulnerability signatures in exchange for virtual currency redeemable for merchandise and gift cards. It’s OSINT meets bug bounty meets community-driven security research.

Technical Insight

[System architecture diagram (auto-generated). Nodes: User/Tester, CLI Interface, Active Crawler, Passive Proxy, Single URL Mode, Scan Engine, XSS Detector, SQL Injection, Command Injection, POC/Phantasm Engine, POC Repository (Community), HTML/JSON Report. Flow: the user drives the CLI Interface; the Active Crawler turns a seed URL into discovered URLs, the Passive Proxy turns browser traffic into intercepted requests, and Single URL Mode sends a single request to the target URL; the Scan Engine distributes requests to the XSS Detector, SQL Injection, Command Injection and POC/Phantasm Engine modules; the POC Repository supplies YAML definitions to the POC/Phantasm Engine; each module's findings feed the HTML/JSON Report.]

Xray operates in three distinct modes, each suited for different penetration testing workflows. The active crawler mode initiates discovery from a seed URL, while passive proxy mode analyzes traffic between your browser and target applications. Single-URL mode provides surgical testing without crawling:

# Active crawling with comprehensive vulnerability scanning
xray webscan --basic-crawler http://example.com --html-output vuln.html

# Passive proxy mode for manual testing workflows
xray webscan --listen 127.0.0.1:7777 --html-output proxy.html

# Surgical single-URL testing without crawling
xray webscan --url http://example.com/?a=b --html-output single-url.html

# Selective plugin execution for targeted assessments
xray webscan --plugins cmd-injection,sqldet --url http://example.com

The detection module architecture is modular and plugin-based, with the community edition shipping 16 built-in modules covering XSS, SQL injection, command/code injection, directory enumeration, path traversal, XXE, file upload, brute force, JSONP, SSRF, baseline checks, redirects, CRLF injection, XStream, and POC management. What’s notable is the technical depth in specific modules—XSS detection uses semantic analysis rather than simple pattern matching. SQL injection detection covers error-based, boolean-based, and time-based blind injection techniques.

The POC management system (phantasm module) deserves special attention. Community contributions live in the /pocs directory as YAML files following xray’s DSL format. The gamification layer is sophisticated: contributors earn virtual currency based on POC quality and uniqueness, creating economic incentives for security research. This model has generated hundreds of community POCs targeting Chinese frameworks that Western tools rarely cover.

For blind vulnerabilities like XXE and SSRF, xray appears to support reverse connection platform detection, essentially out-of-band callback detection for vulnerabilities where in-band response analysis won’t work. Whichever mode you run, the results of a single scan can be written to several report formats at once:

# Multiple output formats for different reporting needs
xray webscan --url http://example.com/?a=b \
  --text-output result.txt \
  --json-output result.json \
  --html-output report.html
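As an added example (not code from xray or from this article), a small Python triage script for the file produced by --json-output: it groups findings by top-level module and collapses duplicates on the same endpoint, so one parameter hit by several sqldet techniques shows up as one issue to fix. The record layout it assumes (a JSON array of findings with `plugin`, `target.url`, `detail.addr` and `create_time`) is an assumption based on xray 1.x reports, and the sample report is constructed; check the field names against the version you run.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape assumed for an xray --json-output file:
# a JSON array of finding objects. Field names are an assumption, not
# taken from xray's documentation.
SAMPLE_REPORT = json.dumps([
    {"create_time": 1700000000000, "plugin": "sqldet/blind-based/default",
     "target": {"url": "http://example.com/?a=b"},
     "detail": {"addr": "http://example.com/?a=b"}},
    {"create_time": 1700000001000, "plugin": "sqldet/error-based/default",
     "target": {"url": "http://example.com/?a=b"},
     "detail": {"addr": "http://example.com/?a=b"}},
    {"create_time": 1700000002000, "plugin": "xss/reflected/default",
     "target": {"url": "http://example.com/search?q=x"},
     "detail": {"addr": "http://example.com/search?q=x"}},
    {"create_time": 1700000003000, "plugin": "cmd-injection/blind/default",
     "target": {"url": "http://example.com/ping?host=192.0.2.1"},
     "detail": {"addr": "http://example.com/ping?host=192.0.2.1"}},
])


def load_findings(text):
    """Parse a report; an unreadable or non-list document yields no findings."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return []
    return data if isinstance(data, list) else []


def summarize(findings):
    """Count findings per top-level module (the part of `plugin` before the
    first '/') and list the distinct host+path endpoints each module hit,
    dropping the query string so repeated hits on one parameter dedup."""
    by_module = Counter()
    endpoints = defaultdict(set)
    for f in findings:
        module = f.get("plugin", "unknown").split("/", 1)[0]
        url = f.get("target", {}).get("url") or f.get("detail", {}).get("addr", "")
        parts = urlsplit(url)
        by_module[module] += 1
        endpoints[module].add(f"{parts.netloc}{parts.path}")
    return {m: {"findings": n, "endpoints": sorted(endpoints[m])}
            for m, n in by_module.items()}


if __name__ == "__main__":
    for module, info in summarize(load_findings(SAMPLE_REPORT)).items():
        print(f"{module}: {info['findings']} finding(s) on {info['endpoints']}")
```

To triage a real run, replace SAMPLE_REPORT with the contents of result.json from the command above.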

The xray 2.0 ecosystem expands beyond web scanning. xpoc is described as a rapid emergency response tool designed for supply chain vulnerability scanning. xapp is a dedicated web fingerprinting tool for identifying technologies before security assessment. This separation suggests Chaitin recognized that monolithic security tools become unwieldy, and focused tools with clear responsibilities perform better than Swiss Army knives.

The advanced edition (commercial license required) unlocks framework-specific modules for Struts2, ThinkPHP, Shiro, and Fastjson—popular Java and PHP frameworks in China with well-documented vulnerability histories. This licensing boundary appears to represent xray’s revenue model: free general-purpose scanning to build market share, paid framework-specific detection for professional penetration testers.

Gotcha

The elephant in the room: xray is closed-source binary distribution. You’re executing code you can’t audit on security assessments where trust is paramount. For organizations with compliance requirements around open-source tooling, or security policies prohibiting closed-source executables, xray is a non-starter. The README explicitly states: “xray系列不开源,直接下载构建的二进制文件即可” (xray series is not open source, just download the pre-built binaries).

Documentation and community support skew heavily toward Chinese speakers. While an English README exists, the comprehensive documentation, community forums, and POC submission guidelines are primarily Chinese. If you don’t read Chinese, you’ll struggle with advanced configuration and troubleshooting. The POC contribution system requires interaction with CT Stack (Chaitin’s platform), creating friction for international contributors. The most valuable detection modules—those targeting Struts2, ThinkPHP, Shiro, and Fastjson—require commercial licensing, meaning the free community edition has limited value for assessing Chinese framework-heavy applications unless you’re willing to pay.

Verdict

Use xray if you’re conducting security assessments on Chinese web applications where ThinkPHP, Struts2, or other regional frameworks dominate, and you value the community-contributed POC library targeting these ecosystems. It’s particularly compelling if you need both active and passive scanning modes integrated into existing workflows, and closed-source binaries don’t violate your organizational policies. The gamified POC contribution system means detection coverage improves continuously through crowdsourced research. Skip it if you require open-source tools for compliance, auditing, or customization needs, or if your team lacks Chinese language capabilities for documentation and support. Organizations with policies against executing closed-source binaries in security-sensitive contexts should look elsewhere. For Western web stacks or international teams, OWASP ZAP or Nuclei provide better transparency and English-first ecosystems, even if they lack xray’s China-specific framework coverage.
