Xray is an open-source security scanning and vulnerability assessment tool, developed by ProjectDiscovery, designed for web application security testing. It’s used to perform a variety of security tests, such as content discovery, vulnerability scanning, and security audits. Xray offers a robust framework for detecting common web vulnerabilities such as XSS, SQL injection, Open Redirects, Cross-Site Request Forgery (CSRF), and many others, all while being easy to use and highly extensible.
In this tutorial, we will cover everything you need to know to get started with Xray, including installation, configuration, basic usage, advanced features, and troubleshooting.
Table of Contents
- What is Xray?
- System Requirements
- Installation
  - Linux Installation
  - macOS Installation
  - Windows Installation
- Basic Usage
  - Running Xray on a Single Target
  - Running Xray with a URL List
  - Setting Output Formats
- Advanced Usage
  - Using Custom Payloads and Wordlists
  - Customizing the Scan with Modules
  - Configuring Proxy and Authentication
- Integrating Xray with Other Tools
- Automating with Xray
- Troubleshooting
- Conclusion
1. What is Xray?
Xray is a comprehensive security testing tool for web applications that allows you to perform vulnerability scans, identify misconfigurations, and discover critical security flaws in a web application. It supports active scanning of endpoints, subdomain enumeration, and more.
Key Features of Xray:
- Active Web Application Scanning: Identifies vulnerabilities such as XSS, SQL Injection, etc.
- Content Discovery: Scans websites for hidden files, paths, and directories.
- Authentication Support: Allows automated testing of web applications requiring authentication.
- Proxy Support: Can be used in conjunction with proxy tools for intercepting and manipulating requests.
- Customizable Payloads: You can provide custom payloads and wordlists for better accuracy.
- Extensibility: Supports a wide range of integrations, including proxying through Burp Suite, and outputting results in various formats (JSON, HTML, etc.).
2. System Requirements
Before you install Xray, ensure that your system meets the following prerequisites:
- Operating System: Linux, macOS, or Windows
- Go Language: Xray is built with Go, so Go must be installed if you plan to compile it from source (though precompiled binaries are also available).
- Memory: Minimum 2 GB RAM
- Disk Space: 100 MB free disk space for the tool and its dependencies
3. Installation
Xray can be installed in a few different ways: via precompiled binaries, from source, or through package managers like brew (for macOS).
3.1 Linux Installation
- Download Xray Binary: You can download the latest stable release of Xray directly from the GitHub releases page.
Alternatively, if you prefer to compile it yourself, you can use the following steps:
- Install Go (if you don't already have it):
sudo apt install golang-go
- Clone the Repository:
git clone https://github.com/projectdiscovery/xray.git
cd xray
- Build Xray:
go build -o xray
- Install Xray: Move the binary to a directory in your PATH:
sudo mv xray /usr/local/bin/
- Verify Installation: Check if Xray is successfully installed by running:
xray --help
3.2 macOS Installation
- Install via Homebrew: Xray is available through the Homebrew package manager:
brew install projectdiscovery/tap/xray
- Verify Installation: Check if the installation was successful:
xray --help
3.3 Windows Installation
- Download the Windows Binary: Go to the Xray releases page and download the appropriate version for Windows.
- Extract the Binary: After downloading the ZIP file, extract it to a location of your choice.
- Verify Installation: Open a Command Prompt window and type:
xray --help
4. Basic Usage
4.1 Running Xray on a Single Target
To run Xray on a single target domain (e.g., example.com), use the following command:
xray scan -u https://example.com
This command starts a scan of the specified domain and attempts to identify common vulnerabilities.
4.2 Running Xray with a URL List
If you have a list of URLs or domains to scan, you can specify a file using the -l option:
xray scan -l url_list.txt
Where url_list.txt contains the list of URLs or domains (one per line).
4.3 Setting Output Formats
By default, Xray outputs results in a human-readable format, but you can change it to JSON, HTML, or other formats for easier post-processing.
- JSON Output:
xray scan -u https://example.com -o result.json
- HTML Output:
xray scan -u https://example.com -o result.html
5. Advanced Usage
5.1 Using Custom Payloads and Wordlists
You can customize Xray’s scanning by using your own wordlist or payloads. This is particularly useful for content discovery or brute-forcing hidden URLs.
- Specify a Custom Wordlist:
xray scan -u https://example.com -w /path/to/wordlist.txt
- Use Custom Payloads: You can define custom payloads for testing vulnerabilities like XSS or SQLi by specifying them via a file:
xray scan -u https://example.com --payloads /path/to/payloads.txt
5.2 Customizing the Scan with Modules
Xray offers several modules to test for specific vulnerabilities. These modules can be enabled or disabled depending on your needs.
For example, to run only SQL Injection and XSS checks:
xray scan -u https://example.com --modules sqli,xss
You can also run scans with additional modules for testing different types of vulnerabilities like LFI, RCE, CSRF, etc.
5.3 Configuring Proxy and Authentication
Xray allows you to route traffic through a proxy (such as Burp Suite or OWASP ZAP) for intercepting requests.
- Configure Proxy:
xray scan -u https://example.com --proxy http://127.0.0.1:8080
- Set Up Authentication: If the web application requires authentication, you can specify authentication details (e.g., a session cookie or login credentials):
xray scan -u https://example.com --cookie "SESSIONID=xyz" --auth "username:password"
6. Integrating Xray with Other Tools
Xray can be integrated with other tools for enhanced functionality. For instance:
- Burp Suite: You can use Burp Suite to intercept and modify requests before passing them to Xray.
- OWASP ZAP: Similar to Burp Suite, OWASP ZAP can be configured as a proxy to intercept traffic.
7. Automating with Xray
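For large-scale assessments or regular security audits, you can automate Xray scans using shell scripts or scheduling tools like cron.
Example Bash Script for Regular Scans
#!/bin/bash
# Read domains.txt one line at a time so entries are never word-split or globbed.
while IFS= read -r domain; do
  [ -n "$domain" ] || continue  # skip blank lines
  echo "Running scan for $domain"
  # Quote every expansion so each list entry is passed as a single argument.
  xray scan -u "$domain" -o "${domain}-results.json"
done < domains.txt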
This script reads a list of domains from a domains.txt file, runs a scan on each domain, and stores the results in a JSON file.
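A scope-checked variant of the loop above, as an added example that is not part of the original tutorial or the tool's own code: it accepts each line of domains.txt only if it is a bare hostname and scans only hosts covered by an allowlist. The scope.txt file, the XRAY_BIN override and the function names are assumptions of this example; the scan call uses only the -u and -o options shown on this page.

```bash
#!/usr/bin/env bash
# Added example: validate and scope-check targets before the page's scan loop.
# scope.txt, XRAY_BIN and the function names are assumptions of this example.
set -u
export LC_ALL=C                # byte-wise character ranges in the patterns below
XRAY_BIN="${XRAY_BIN:-xray}"   # overridable so the loop can be dry-run with echo

# Print the lower-cased hostname if $1 is a bare hostname, else return 1.
# Rejects empty input, a leading "-" (would be parsed as an option), and any
# character outside [a-z0-9.-] (spaces, slashes, shell metacharacters).
valid_host() {
  local h
  h=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '\r')
  case "$h" in
    ''|-*|.*|*..*|*[!a-z0-9.-]*) return 1 ;;
  esac
  printf '%s\n' "$h"
}

# Succeed if host $1 equals an entry in scope file $2 or is a subdomain of one.
in_scope() {
  local host="$1" scope_file="$2" entry
  while IFS= read -r entry; do
    entry=$(valid_host "$entry") || continue
    case "$host" in
      "$entry"|*."$entry") return 0 ;;
    esac
  done < "$scope_file"
  return 1
}

# Scan each valid, in-scope host listed in $1; log every skipped line to stderr.
scan_targets() {
  local targets="$1" scope_file="$2" line host
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if ! host=$(valid_host "$line"); then
      echo "SKIP invalid entry: $line" >&2; continue
    fi
    if ! in_scope "$host" "$scope_file"; then
      echo "SKIP out of scope: $host" >&2; continue
    fi
    "$XRAY_BIN" scan -u "$host" -o "${host}-results.json" < /dev/null
  done < "$targets"
}

# Usage: ./scan.sh domains.txt scope.txt
if [ "$#" -eq 2 ]; then scan_targets "$1" "$2"; fi
```

Setting XRAY_BIN=echo prints the commands that would run, which is a quick way to review a target list before a scheduled job uses it.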
8. Troubleshooting
Common Issues and Solutions
- Scanning Errors or Timeouts:
  - Ensure the target domain is up and running.
  - Try scanning smaller sections of the site if the full scan is too large.
- Authentication Failures:
  - Double-check your credentials and cookie/session information.
  - Test authentication manually (e.g., log in via browser) and ensure that the session is valid.
- Incorrect Output:
  - Ensure that you're specifying the correct output format.
  - Check the permissions of the output directory or file.
9. Conclusion
Xray is a powerful tool for web application vulnerability scanning and security testing. With its extensive set of features, including customizable payloads, content discovery, vulnerability scanning, and authentication support, it’s an invaluable asset for penetration testers and security professionals.
By following this guide, you should now have a solid understanding of how to install, configure, and use Xray for web application security assessments. Whether you're conducting active scanning or content discovery, Xray is a highly efficient tool to integrate into your security testing workflow.