Some notes from using xray

Preface

xray's passive scanner is the scanner I have found most comfortable to use while hunting for bugs. In this post I share a few things I am careful about when using xray.

Official github:

https://github.com/chaitin/xray

Official website document:

https://xray.cool/

Using xray with Burp

Basic setup

  1. Configure the browser to use Burp as its proxy (certificate installation and so on omitted)

  2. Chrome extension SwitchyOmega, used to switch the browser proxy on and off

  3. Start xray

    # cd into the xray directory first
    .\xray_windows_amd64.exe webscan --listen 127.0.0.1:7777 --html-output result.html
    
  4. Configure Burp's upstream proxy so that traffic is forwarded to xray (here 127.0.0.1:7777)

  5. Done

Advanced use

  1. Set up a whitelist
    Government sites go without saying. Add a whitelist in both SwitchyOmega and xray so that traffic to anything outside scope never reaches the scanner. Hitting an unauthorized target by mistake has consequences that need no explanation~

  2. What is best not to use xray, or even not to use?

    For example, if your weak password has entered the management background, or in places such as posting, it is best not to use it. First of all, crawlers have no sensitivity distinction, and may misuse, such as causing devastating blows in the management background;

    Secondly, in postings and other places, the crawler may run out hundreds of posts in an instant, which will have a negative impact on the tested community. It is better to silently mark the test and test within one post.

    Here you need to grasp it yourself, remember that the first point of penetration testing is to protect the interests of the tested object!

  3. Set an outbound proxy and a request rate for xray

    Limiting the request rate is simply to avoid having your IP blocked for hitting the site too fast. Setting an outbound proxy is mainly about keeping the test moving: it is normal for xray's IP to get blocked (either because of the request rate, or because a WAF notices the large number of sensitive keywords), so we route xray through a proxy, which ensures that this machine's own IP is never the one that gets blocked.

    One more thing: for very small sites, reduce the concurrency as well, or the site may simply fall over.

  4. Burp plugin

    Project: passive-scan-client

    Usage guide: Burp plugin series 1, passive-scan-client
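As an added example (not from the original post), the whitelist, outbound proxy and request rate settings from the points above, written as a config.yaml fragment. The key names are what I recall from xray's config reference, and the scope and proxy address are placeholders; confirm both against the config.yaml your xray build writes on first run.

```yaml
# Added example, not from the original post. Key names assumed from the xray
# config reference; the scope and proxy address are placeholders.
mitm:
  restriction:
    # Whitelist: only hosts matching an entry here ever reach the scanner.
    # Wildcards are allowed. Everything else is dropped, even if the browser
    # proxy (SwitchyOmega) misroutes a request into Burp and xray.
    hostname_allowed:
      - '*.example-target.com'   # placeholder: the authorized scope only
    # Hard block for hosts that must never be touched, regardless of the above.
    hostname_disallowed:
      - '*.gov'
      - '*.gov.cn'

http:
  # Outbound (exit) proxy for scan traffic: if an IP gets blocked by the site
  # or its WAF, it is the proxy's IP, not this machine's. Placeholder address.
  proxy: "socks5://127.0.0.1:1080"
  # Cap requests per second; lower this further for small sites.
  max_qps: 50
  # Limit concurrent connections to any single host for the same reason.
  max_conns_per_host: 10
```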

Understanding of automation

crawlergo (dynamic crawler) + xray (passive scanner) is now a very popular automation idea. People say you can sit at home and bugs fall from the sky, but reality is less wonderful. A few points from my own understanding:

  • First, if you don't give the crawler cookies, it can only reach a limited set of endpoints, and of those it can access even fewer. With such a limited set of endpoints, xray has a hard time finding anything.
  • If you do give it cookies, how is this different from handing AWVS a cookie and letting it run? Back to the same sentence: the crawler is not controllable (if you wrote one specifically for a given site, that is another matter). With cookies, what happens if it hits a sensitive operation?
  • The advantage of passive scanning is this: I found a request, I am too lazy to test it by hand for XSS, the various injections and so on, so I let an automated script run over it. The premise of all this is that I control that request. Once the input is uncontrolled, it is no different from an ordinary scanner; the only remaining differences are the PoCs and the crawler.
  • Don't cause a pile of trouble just to find a bug. You must keep the risk under control!

That is all!

Origin blog.csdn.net/wy_97/article/details/105656097