FOR AUTHORIZED SECURITY TESTING ONLY — Only test systems you own or have explicit written permission to test.
Fray is the missing link between wafw00f (detection) and sqlmap (exploitation) — a complete recon → bypass → harden pipeline in one pip install.
| Feature | Fray | Nuclei | XSStrike | wafw00f | sqlmap |
|---|---|---|---|---|---|
| WAF bypass engine | ✅ AI + mutation | ❌ | Partial | ❌ | Tamper scripts |
| WAF detection | 25 vendors + mode | Via templates | Basic | 150+ vendors | Basic |
| Recon pipeline | 27 checks | Separate tools | Crawl only | ❌ | ❌ |
| Payload database | 4,000+ built-in | Community templates | XSS only | ❌ | SQLi only |
| OWASP hardening | ✅ A-F grade | ❌ | ❌ | ❌ | ❌ |
| MCP / AI agent | 14 tools | ❌ | ❌ | ❌ | ❌ |
| HTML recon report | ✅ Auto-saved | ❌ | ❌ | ❌ | ❌ |
| Zero dependencies | ✅ stdlib only | Go binary | pip | pip | pip |
Most payload collections are static text files. Fray is a complete detect → recon → scan → bypass → harden workflow in one pip install.
```shell
pip install fray        # PyPI (all platforms)
sudo apt install fray   # Kali Linux / Debian
brew install fray       # macOS
```

```shell
fray auto https://example.com    # Full pipeline: recon → scan → bypass
fray scan https://example.com    # Auto crawl → inject → detect reflection
fray recon https://example.com   # 27-check recon + HTML report auto-saved
```

If Fray helped your recon workflow, please ⭐ star the repo — it helps others find it.
Every fray recon scan automatically generates a self-contained HTML report saved to ~/.fray/recon/{domain}/report.html — open in any browser, share with your team, or print to PDF.
What's in the report:
- Risk score gauge — SVG semi-circle meter with color-coded risk level
- Severity donut chart — Critical / High / Medium / Low breakdown at a glance
- Executive summary — auto-generated narrative with named attack vectors (Account Takeover, Payment Abuse, LLM Prompt Injection, etc.)
- Attack vectors — grouped by type with MITRE ATT&CK references, impact descriptions, and affected paths
- CVE / frontend vulnerabilities — detected library CVEs and supply chain (SRI) issues
- Remediation plan — prioritised action table with severity, explanation, fix steps, and timeline
- Methodology & scope — 14 techniques applied, scan parameters, non-intrusive disclaimer
- Full infrastructure data — subdomains, DNS, TLS, security headers, CSP, WAF detection, gap analysis, rate limits, admin panels, origin IPs, and more
Single-file, zero-dependency HTML. No JavaScript required. Dark theme with print-friendly light mode.
| Command | What it does |
|---|---|
| `fray auto` | Full pipeline: recon → scan → ai-bypass in one command |
| `fray scan` | Crawl → discover params → inject payloads → detect reflection |
| `fray recon` | 27 checks + auto-saved HTML report: TLS, DNS, subdomains, attack vectors, CVEs, remediation plan |
| `fray ai-bypass` | Probe WAF → LLM generates payloads → test → mutate → header tricks |
| `fray bypass` | 5-phase WAF evasion scorer with mutation feedback loop |
| `fray harden` | Security headers (A-F grade) + OWASP Top 10 misconfig checks + fix snippets |
| `fray detect` | Fingerprint 25 WAF vendors (signature / anomaly / hybrid) |
| `fray test` | 4,000+ payloads across 23 categories with adaptive throttling |
| `fray graph` | Visual attack surface tree |
Built-in options: --scope (scope enforcement) · --stealth (randomized UA, jitter) · -w 4 (concurrent) · --cookie / --bearer (auth) · --sarif (GitHub Security tab) · --json · --ai (LLM output)
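As an added illustration of what a header-hardening audit such as `fray harden` computes (example code written for this README, not Fray's own implementation): `audit_headers` takes a dict of HTTP response headers and returns an A-F grade, a 0-100 score and the findings behind it. The per-header weights, the 180-day HSTS floor and the grade bands are assumptions chosen for this example.

```python
# Added illustrative example (not Fray's own code): grade one response's
# security headers A-F the way a `fray harden`-style audit would. Weights,
# thresholds and grade bands are assumptions chosen for this example.
from typing import Optional

def _hsts(v: str) -> Optional[str]:
    """HSTS only helps with a long max-age (assumed floor: 180 days)."""
    for part in (p.strip().lower() for p in v.split(";")):
        if part.startswith("max-age="):
            age = part[len("max-age="):]
            if not age.isdigit():
                return "max-age is not an integer"
            return None if int(age) >= 15552000 else f"max-age {age} below 180 days"
    return "missing max-age directive"

def _csp(v: str) -> Optional[str]:
    """A CSP that allows inline scripts without nonces barely limits XSS."""
    low = v.lower()
    if "default-src" not in low and "script-src" not in low:
        return "no default-src or script-src directive"
    if "'unsafe-inline'" in low and "'nonce-" not in low:
        return "'unsafe-inline' allowed without nonces"
    return None

# (header name, weight toward 100, validator returning a problem or None)
CHECKS = [
    ("strict-transport-security", 30, _hsts),
    ("content-security-policy", 30, _csp),
    ("x-content-type-options", 15, lambda v: None if v.strip().lower() == "nosniff" else "value must be nosniff"),
    ("x-frame-options", 15, lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "use DENY or SAMEORIGIN"),
    ("referrer-policy", 10, lambda v: None),
]

def audit_headers(headers: dict) -> tuple:
    """Return (grade, score 0-100, findings) for a dict of response headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []
    for name, weight, check in CHECKS:
        if name not in lower:
            findings.append(f"{name}: missing")
            continue
        problem = check(lower[name])
        if problem:
            findings.append(f"{name}: {problem}")
            score += weight // 2  # present but weak earns half credit
        else:
            score += weight
    bands = ((90, "A"), (75, "B"), (60, "C"), (40, "D"))
    grade = next((g for floor, g in bands if score >= floor), "F")
    return grade, score, findings
```

Header names are matched case-insensitively, and a header that is present but weakly configured still appears in the findings with the reason, which is the part a fix snippet would act on.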
Scan guide → · Recon guide → · Auth guide → · CI/CD guide →
Run Fray directly from your editor — scan, test, bypass, detect, and harden without leaving VS Code.
Cmd+Shift+P → "Fray: Run Command..."
- 11 commands — Scan, Test, Bypass, Detect, Harden, Recon, OSINT, Leak Search, and more
- Right-click scan — Select a URL in any file → context menu → scan
- HTML report — Rich in-editor report with stat cards and bypass tables (Cmd+Shift+R)
- Inline diagnostics — Bypass findings appear as warnings/errors in the editor
- Activity bar sidebar — Browse results and scan history
- Status bar — Live scan progress indicator
Fray exposes 14 tools via the Model Context Protocol (MCP) — use Fray as an AI security agent from Claude Desktop, Claude Code, ChatGPT, Cursor, or any MCP-compatible client.
```shell
pip install 'fray[mcp]'
```

Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "fray": {
      "command": "python",
      "args": ["-m", "fray.mcp_server"]
    }
  }
}
```

Ask: "What XSS payloads bypass Cloudflare?" → Fray's 14 MCP tools are called directly.
Claude Code guide → · ChatGPT guide → · mcp.json →
| Tool | What it does |
|---|---|
| `suggest_payloads_for_waf` | Best bypass payloads for a specific WAF |
| `generate_bypass_strategy` | Mutation strategies for blocked payloads |
| `search_payloads` | Full-text search across 4,000+ payloads |
| `analyze_response` | False negative detection: soft blocks, challenges |
| `hardening_check` | Security headers audit with grade + rate-limit check |
The largest open-source WAF payload database — curated for real-world penetration testing and bug bounty hunting.
| Category | Count | Category | Count |
|---|---|---|---|
| XSS (Cross-Site Scripting) | 1,209 | SSRF | 122 |
| SQL Injection | 248 | SSTI | 122 |
| Command Injection (RCE) | 200 | XXE | 84 |
| AI/LLM Prompt Injection | 370 | Path Traversal (LFI/RFI) | 109 |
| Modern Bypasses | 137 | CSP Bypass | 104 |
| API Security | 130 | Prototype Pollution | 110 |
Payload database → · CVE coverage →
```shell
fray graph example.com --deep      # Visual attack surface tree (27 checks)
fray ai-bypass target.com -c xss   # AI-assisted adaptive bypass (LLM or local)
fray harden target.com             # OWASP hardening audit (A-F grade + fix snippets)
fray explain log4shell             # CVE intelligence with payloads
fray diff before.json after.json   # Regression testing (exit 1 on bypass)
fray report results.json --html    # Client-ready HTML report
```

WAF detection guide → · All documentation (30 guides) →
See CONTRIBUTING.md. For AI coding agents, see AGENTS.md.
Questions? Open a Discussion or browse the docs.
MIT License — See LICENSE. Only test systems you own or have explicit authorization to test.
Security issues: soc@dalisec.io · SECURITY.md
📖 Docs · Roadmap · PyPI · Issues · Discussions
- wafw00f — WAF fingerprinting and detection (150+ vendors)
- WhatWaf — WAF detection and bypass tool
- XSStrike — Advanced XSS scanner with WAF evasion
- sqlmap — SQL injection detection and exploitation
- Nuclei — Template-based vulnerability scanner
- PayloadsAllTheThings — Web security payloads and bypasses
- SecLists — Security assessment wordlists
- Awesome WAF — Curated list of WAF tools and bypasses