Xray: China's Most Popular Closed-Source Vulnerability Scanner

Hook

With over 11,000 GitHub stars, xray represents a fascinating paradox: a wildly popular closed-source security tool where the community contributes POCs but can't audit the scanner itself. How did proprietary software win over China's security research community?

Context

Web application security testing has long been dominated by Western tools—OWASP ZAP, Burp Suite, and open-source scanners built around transparency principles. Yet in China's cybersecurity landscape, a different philosophy emerged. Chaitin, a Beijing-based security firm, released xray as a pre-compiled binary with an unusual model: closed-source core engine, open community contributions, and monetary rewards for POC submissions.

The tool addresses a specific gap in the Chinese market: comprehensive scanning for both international vulnerabilities (XSS, SQLi, XXE) and China-specific framework exploits (ThinkPHP, Shiro deserialization). While Western scanners excel at OWASP Top 10 coverage, they often miss vulnerabilities in frameworks popular in Chinese development ecosystems. Xray bridges this gap with built-in detection for 20+ vulnerability types, passive scanning via HTTP proxy interception, and a custom POC engine called 'phantasm' that allows security researchers to write detection scripts without touching the core codebase. The GitHub repository serves as a community hub—housing documentation, POC contributions, and integration points—while the actual scanning engine remains proprietary.

Technical Insight

Xray's architecture revolves around three operational modes that security testers can combine for comprehensive coverage. The passive scanning mode operates as an HTTP/HTTPS proxy, intercepting traffic between your browser and target applications—similar to Burp Suite's passive scanner. The active scanning mode deploys built-in crawlers to automatically discover and test endpoints. The third mode accepts direct URL inputs for targeted testing of specific attack surfaces.

The plugin system is where xray's design becomes interesting. Each vulnerability type is encapsulated as a separate module—xss, sqldet, xxe, ssrf, cmd-injection, and framework-specific exploits. These aren't simple pattern-matching plugins. The SQL injection module, for example, implements multiple detection techniques: error-based (analyzing database error messages), boolean-based (testing logical conditions), and time-based (using database sleep functions). The XSS detector performs semantic analysis rather than just regex matching, understanding JavaScript context to reduce false positives.

The real differentiator is the phantasm POC engine. While the core scanner is closed-source, security researchers can write custom detection scripts in YAML format. Here's an example POC structure for detecting a hypothetical ThinkPHP vulnerability:

name: poc-yaml-thinkphp-rce-example
manual: true
transport: http
rules:
  r0:
    request:
      method: GET
      path: /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={{params}}
      headers:
        Content-Type: application/x-www-form-urlencoded
    expression: response.status == 200 && response.body.bcontains(b'root:')
expression: r0()
detail:
  author: security-researcher
  links:
    - https://example.com/vulnerability-disclosure

This YAML-based approach allows the community to extend detection capabilities without accessing proprietary code. The expression field supports complex logical operations, and researchers can chain multiple requests with state management. Xray's phantasm engine evaluates these POCs during scans, executing them against targets and parsing responses based on defined conditions.
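To make the rule and top-level expression semantics concrete, here is an added Python illustration (not xray's phantasm engine, which is closed-source and CEL-based): it loads the POC above as a dict, evaluates the subset of expression syntax shown (==, &&, ||, bcontains) through an AST whitelist so that a community-submitted POC cannot run arbitrary code inside the evaluator, and chains per-rule verdicts through the top-level expression. The `send` callback and the `Response` class are assumptions standing in for the engine's HTTP layer.

```python
import ast

# Constructed sample: the r0 rule and top-level expression from the POC above,
# embedded as a dict so the example runs without a YAML library.
POC = {
    "rules": {
        "r0": {
            "request": {"method": "GET", "path": "/index.php"},
            "expression": "response.status == 200 && response.body.bcontains(b'root:')",
        }
    },
    "expression": "r0()",
}

class _Body(bytes):
    def bcontains(self, needle):  # the bcontains() helper the POC calls
        return needle in self

class Response:
    """Stand-in for the response object a rule expression inspects (assumed shape)."""
    def __init__(self, status, body):
        self.status = status
        self.body = _Body(body)

# Only comparisons, boolean logic, attribute access and calls are allowed; anything
# else in a community-submitted POC (imports, subscripts, lambdas) is rejected.
ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq,
           ast.NotEq, ast.Call, ast.Attribute, ast.Name, ast.Constant, ast.Load)

def safe_eval(expr, names):
    """Evaluate a CEL-style rule expression against a whitelisted namespace."""
    source = expr.replace("&&", " and ").replace("||", " or ")  # CEL -> Python subset
    tree = ast.parse(source, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError("disallowed syntax in POC: " + type(node).__name__)
        if isinstance(node, ast.Name) and node.id not in names:
            raise ValueError("unknown identifier in POC: " + node.id)
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError("private attribute access in POC: " + node.attr)
    return bool(eval(compile(tree, "<poc>", "eval"), {"__builtins__": {}}, names))

def run_poc(poc, send):
    """send(request_dict) -> Response. Fire every rule, record its verdict, then
    combine verdicts with the top-level expression (e.g. 'r0()' or 'r0() && r1()')."""
    verdicts = {}
    for name, rule in poc["rules"].items():
        verdicts[name] = safe_eval(rule["expression"], {"response": send(rule["request"])})
    return safe_eval(poc["expression"], {n: (lambda n=n: verdicts[n]) for n in verdicts})
```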

The tool's output system supports multiple formats—HTML reports for manual review, JSON for CI/CD pipeline integration, and plain text for quick terminal analysis. The HTML reports include request/response pairs, vulnerability classifications, and remediation guidance. For teams running automated security testing, the JSON output can feed directly into vulnerability management platforms:

{
  "target": "https://example.com/api/user",
  "plugin": "sqldet",
  "vuln_class": "sqli",
  "severity": "high",
  "detail": {
    "payload": "1' AND SLEEP(5)--",
    "param": "id",
    "method": "GET",
    "evidence": "Response time: 5.2s"
  }
}
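As an added example of the CI/CD integration mentioned above (not xray's own tooling), the following Python gate ingests findings in the record shape shown, de-duplicates repeated payloads against the same endpoint and parameter, and returns a non-zero exit code for the pipeline when any unique finding reaches a chosen severity. The sample records are constructed, and the field names are assumed to match the record above.

```python
import json
from collections import Counter

# Constructed sample of findings in the record shape shown above (not captured
# scanner output): two payloads hit the same parameter, plus one unrelated finding.
SAMPLE_OUTPUT = """[
  {"target": "https://example.com/api/user", "plugin": "sqldet", "vuln_class": "sqli",
   "severity": "high",
   "detail": {"payload": "1' AND SLEEP(5)--", "param": "id", "method": "GET",
              "evidence": "Response time: 5.2s"}},
  {"target": "https://example.com/api/user", "plugin": "sqldet", "vuln_class": "sqli",
   "severity": "high",
   "detail": {"payload": "1' AND SLEEP(10)--", "param": "id", "method": "GET",
              "evidence": "Response time: 10.1s"}},
  {"target": "https://example.com/search", "plugin": "xss", "vuln_class": "xss",
   "severity": "medium", "detail": {"param": "q", "method": "GET"}}
]"""

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def load_findings(text):
    """Accept either a JSON array of findings or a single finding object."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]

def finding_key(f):
    """One issue per (endpoint, method, parameter, vulnerability class): repeated
    payloads against the same parameter are one ticket, not several."""
    detail = f.get("detail") or {}
    return (f.get("target"), detail.get("method", "GET"), detail.get("param"), f.get("vuln_class"))

def dedupe(findings):
    seen = {}
    for f in findings:
        seen.setdefault(finding_key(f), f)  # keep the first record for each key
    return list(seen.values())

def gate(findings, fail_at="high"):
    """Return (exit_code, severity_counts). Exit 1 blocks the pipeline when any unique
    finding is at or above fail_at. Unknown severity labels are treated as blocking,
    so an unexpected or mixed-language label never silently passes the gate."""
    unique = dedupe(findings)
    counts = Counter(f.get("severity", "unknown") for f in unique)
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in unique if SEVERITY_RANK.get(f.get("severity"), 99) >= threshold]
    return (1 if blocking else 0), counts

if __name__ == "__main__":
    code, counts = gate(load_findings(SAMPLE_OUTPUT))
    print(dict(counts), "exit", code)
```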

What makes xray particularly effective in production environments is its Evil Pot honeypot integration. When the scanner submits POCs, Evil Pot validates detection accuracy by identifying false positives—essentially testing your tests. This feedback loop helps community contributors refine POCs before they enter the main detection database, maintaining high precision rates that enterprise security teams demand.

The xray 2.0 ecosystem expands beyond web scanning. The xpoc tool focuses on supply chain vulnerabilities, scanning dependencies and third-party libraries. The xapp component performs web fingerprinting, identifying frameworks, CMS platforms, and technology stacks before vulnerability testing begins. This multi-tool approach mirrors modern attack chains: reconnaissance (xapp), vulnerability identification (xray), and supply chain analysis (xpoc).

Gotcha

The closed-source nature creates fundamental trust and flexibility barriers. You're running a binary that performs security-sensitive operations—sending crafted payloads, analyzing responses, potentially interacting with authentication systems—without the ability to audit what it's actually doing. For organizations with strict security policies or compliance requirements (government contractors, financial institutions), this opacity is a non-starter. You can't verify that the scanner isn't exfiltrating data, performing unauthorized actions, or introducing vulnerabilities itself.

The feature tiering is aggressive and frustrating. Critical vulnerability types that are prevalent in modern applications—Struts2 RCE, ThinkPHP exploits, Shiro deserialization, Fastjson vulnerabilities—are locked behind the paid 'high-level version.' The community edition handles the basic OWASP Top 10 reasonably well, but if you're testing applications built on popular Chinese frameworks (which is ostensibly xray's differentiator), you'll hit paywalls constantly. The documentation doesn't clearly delineate what's available in which edition, leading to disappointing discoveries mid-assessment. Additionally, while the README has an English translation, the detailed documentation, community forums, and POC submission platform (CT Stack) are primarily Chinese-language, creating practical barriers for international teams. Error messages and output often mix English and Chinese, complicating automated parsing.

Verdict

Use xray if: You're conducting security assessments in China-focused environments where ThinkPHP, Shiro, and Chinese frameworks dominate your target landscape, you value turnkey scanning solutions over customization freedom, you're willing to pay for the advanced edition to unlock framework-specific detection, or you need passive proxy-based scanning that doesn't require deep configuration. The tool excels when integrated into manual penetration testing workflows where experienced testers use it for initial vulnerability discovery before deeper exploitation.

Skip xray if: Your organization requires open-source tools for compliance, audit, or security policy reasons, you need to customize the core scanning engine beyond YAML POCs, you primarily test Western frameworks where tools like Nuclei or ZAP provide equal coverage with full transparency, or you're uncomfortable running closed-source binaries with extensive network access. International teams without Chinese language capabilities will struggle with advanced features, documentation, and community support—making fully open alternatives like OWASP ZAP or Nuclei more practical choices despite their different operational models.
