Open-source WAF Security Testing Platform — 7,200+ attack payloads, 98 WAF/CDN fingerprints, AI-powered bypass engine, recon pipeline, beautiful CLI output
Project description
Fray
Vibe security — just point and scan.
Open-source security testing that figures out the rest.
One command. Full pipeline. Zero config.
pip install fray && fray go target.com
Documentation · Quick Start · Discussions · dalisec.io
🌐 English | 日本語
FOR AUTHORIZED SECURITY TESTING ONLY — Only test systems you own or have explicit written permission to test.
Why Vibe Security?
Security testing used to mean installing five tools, learning each one's flags, writing config files, and manually correlating results. That's not how it should work.
Vibe security is the idea that security testing should be as easy as vibe coding made development — describe what you want, and the tool handles the rest. Fray embodies this:
- One command does everything — fray go runs recon, finds vulnerabilities, tests them, and generates a report. Zero config.
- You don't need to be a security expert — Fray picks the right checks and payloads based on what it discovers about your target.
- AI-native — built-in MCP server for Claude, ChatGPT, and Cursor. Ask questions in natural language, get security answers.
- Smart, not noisy — adaptive cache learns across scans. Blocked payloads are never re-sent. Each run gets smarter.
Before Fray vs. With Fray
| Traditional Security Testing | Vibe Security with Fray |
|---|---|
| Install 5+ tools (nmap, wafw00f, sqlmap, nikto, nuclei) | pip install fray |
| Learn each tool's flags and config formats | fray go target.com |
| Manually correlate findings across tools | Automatic pipeline: recon → test → report |
| Write custom scripts to chain tools together | Built-in: 42 checks, 12 deep scan modules, 7,800+ payloads |
| Read hundreds of pages of documentation | Zero config — smart defaults, interactive menus |
| Security expertise required | Built for anyone who ships web apps |
Quick Start
pip install fray
The only command you need:
fray go https://target.com # Full pipeline: recon → vuln test → report
That's it. Fray scans your target, identifies the tech stack and WAF, finds vulnerabilities, tests them, and generates an HTML report — all automatically.
Want more control? Use individual commands:
fray recon https://target.com # 42-check reconnaissance
fray test https://target.com --smart # Smart payload selection from recon findings
fray scan https://target.com # Auto crawl → discover → inject
fray monitor https://target.com # Continuous monitoring with alerts
Cloudflare R2 sharing (optional)
fray go --share uploads a sanitized recon snapshot to Cloudflare R2 and returns a public URL. Configure credentials once via fray sync --configure or drop a file at ~/.fray/cloud.json:
{
"r2_endpoint": "https://ACCOUNT_ID.r2.cloudflarestorage.com",
"r2_bucket": "fray-shares",
"r2_access_key": "R2AKIA...",
"r2_secret_key": "super-secret",
"share_patterns": false
}
Or use environment variables (highest priority):
| Variable | Description | Example |
|---|---|---|
| FRAY_R2_ENDPOINT | R2 S3 endpoint URL | https://abc123.r2.cloudflarestorage.com |
| FRAY_R2_BUCKET | Bucket name | fray-shares |
| FRAY_R2_ACCESS_KEY | Access key ID | R2AKIA... |
| FRAY_R2_SECRET_KEY | Secret key | super-secret |
Run fray share --list --json anytime to view active shares with human-readable expirations.
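How the documented precedence (FRAY_R2_* environment variables over ~/.fray/cloud.json) can be resolved, as an added example that is not Fray's own implementation. Two things are additions beyond what the page states: a permission check that refuses a cloud.json readable by group or others (the file holds the R2 secret key), and a redacted view so the secret never lands in a log line. The demo() scenario writes a constructed config into a temporary directory rather than touching ~/.fray.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Added example, not Fray's own implementation. It mirrors the documented
# precedence (FRAY_R2_* environment variables override ~/.fray/cloud.json) and
# adds two things a practitioner wants around a file that holds a secret key:
# a permission check and a redacted view for logs.

POSIX = os.name == "posix"

ENV_MAP = {  # documented variable -> key in cloud.json
    "FRAY_R2_ENDPOINT": "r2_endpoint",
    "FRAY_R2_BUCKET": "r2_bucket",
    "FRAY_R2_ACCESS_KEY": "r2_access_key",
    "FRAY_R2_SECRET_KEY": "r2_secret_key",
}
REQUIRED = tuple(ENV_MAP.values())


def file_is_private(path: Path) -> bool:
    """True when group and others have no permission bits (0600 or stricter).
    Only meaningful on POSIX; other platforms are trusted as-is."""
    if not POSIX:
        return True
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def resolve_r2_config(env: dict, config_path: Path) -> dict:
    """Merge cloud.json with environment overrides; the environment wins per key."""
    cfg: dict = {}
    if config_path.is_file():
        if not file_is_private(config_path):
            raise PermissionError(
                f"{config_path} is readable by group/others; chmod 600 it before use"
            )
        cfg.update(json.loads(config_path.read_text()))
    for var, key in ENV_MAP.items():
        if env.get(var):
            cfg[key] = env[var]
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        raise ValueError("R2 sharing not configured, missing: " + ", ".join(missing))
    cfg.setdefault("share_patterns", False)  # documented default: patterns stay private
    return cfg


def redacted(cfg: dict) -> dict:
    """Copy that is safe to print: the secret key never reaches a log line."""
    out = dict(cfg)
    if out.get("r2_secret_key"):
        out["r2_secret_key"] = "***"
    return out


def demo() -> dict:
    """Constructed scenario: a private cloud.json plus one env override, then the
    same file made group-readable to show that it is rejected (on POSIX)."""
    path = Path(tempfile.mkdtemp()) / "cloud.json"
    path.write_text(json.dumps({
        "r2_endpoint": "https://ACCOUNT_ID.r2.cloudflarestorage.com",
        "r2_bucket": "fray-shares",
        "r2_access_key": "R2AKIA...",
        "r2_secret_key": "super-secret",
        "share_patterns": False,
    }))
    path.chmod(0o600)
    cfg = resolve_r2_config({"FRAY_R2_BUCKET": "fray-shares-ci"}, path)
    path.chmod(0o640)
    try:
        resolve_r2_config({}, path)
        loose_rejected = False
    except PermissionError:
        loose_rejected = True
    return {"cfg": cfg, "log_view": redacted(cfg), "loose_rejected": loose_rejected}


if __name__ == "__main__":
    print(json.dumps(demo()["log_view"], indent=2))
```

The same precedence rule means a stray FRAY_R2_BUCKET in a CI runner silently redirects every share to a different bucket, so print the redacted view at startup and compare it with what you expect before running fray go --share.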
Who is Fray for?
- Developers & founders — shipping a web app? Run fray go before launch. Done.
- Bug bounty hunters — 7,800+ payloads, WAF bypass intelligence, adaptive learning.
- Pentesters — full recon pipeline, 12 deep scan modules, stealth mode, auth support.
- DevSecOps — GitHub Action, CI/CD integration, SARIF output, --json for pipelines.
- Security teams — MCP server for AI agents, VS Code extension, batch scanning.
What's New
v3.5.6 — March 2026 (current)
- 42 recon checks — Next.js CVEs (CVE-2025-29927, CVE-2026-27978/79/29057), Log4Shell, Spring4Shell, WordPress, Drupal auto-dispatched by fingerprinted tech stack
- Wappalyzer integration — 3,920 tech patterns from npm + 321 body + 82 header fingerprints; 35 DNS providers; Zero Trust header stripping (cf-team, x-zscaler-*)
- 18 vendor feeds — Unit 42, F5 Labs, Cloudflare, Imperva, PortSwigger, MSRC CVRF (Patch Tuesday), Cloudflare Radar API, Mandiant, Project Zero + 9 more
- fray analyze — per-pattern WAF bypass analysis with box-drawing table, injection mechanics, 15 attack categories, 152 canary patterns
- fray vendor-intel — latest CVEs + posts from all 18 security feeds in one terminal view
- fray smoke --local/--real/--llm — 5 test zones: QA vulnerable apps, localhost Docker lab, real domains (Sony/JAL/Grab/BBC), AI companies
- PoC validation gate — blocks misclassified payloads (SQLi-as-DoS) before DB write; auto-smoke after fray feed --auto-add
- Report improvements — RDAP domain age, origin cloud provider, security grade A–F with improvement steps, VPN CVEs in Known Vulnerabilities
v3.5.0 — March 2026
- Dashboard live reload — SSE file watcher, timeline view, side-by-side diff of any two runs
- fray init — scaffold .fray.toml, auth profile, and scope file in one command
- fray doctor — environment health check, dependency validation, wappalyzer DB status
v3.4 — March 2026
- GitHub Action — test your WAF on every PR (uses: dalisecurity/fray@v1)
- MCP Server — Claude Code & ChatGPT integration (pip install fray[mcp])
- 42-check recon — TLS, CORS, VPN gateways, AI/LLM endpoints, cloud buckets, secrets, CVE probes
- 12 deep scan modules — XSS, SQLi, CMDi, SSTI, CSP bypass, modern WAF bypasses, SSRF, cache poisoning, deserialization, mass assignment, prototype pollution, race conditions
- Interactive post-recon menu — findings-driven next steps, not random payloads
Coming up: Content-Type WAF bypass testing · WebSocket injection · SARIF v2.1 output · GraphQL attack surface · live mutation feedback loop → Full changelog
Commands
Fray has 20 commands organized into 6 groups. Run fray --help or fray help for full details.
Core — Security testing workflow
fray go <url> # ★ Full assessment: recon → smart test → report
fray recon <url> # Reconnaissance & fingerprinting (42 checks)
fray test <url> # Test WAF with payloads (-c xss --smart --blind)
fray scan <url> # Auto crawl → discover → inject (--bounty)
fray monitor <url> # Continuous monitoring with alerts
fray <url> is a shortcut for fray go <url> — just point and scan.
Data — Reports & intelligence
fray report <sub> # generate, company, waf, posture, diff, explain
fray intel <sub> # feed, cve, poc-recheck, leak, osint, ct
fray auth <sub> # session, solve, cred
fray export <sub> # nuclei, ci
Manage — Configuration & data
fray init # Scaffold .fray.toml + auth profile + scope file
fray config # .fray.toml configuration
fray plugin # Plugin system
fray cache # Payload cache & stats (--dry-run for clear)
fray update # Update payload database
Integrations
fray dashboard # Web UI (live reload, timeline, diff)
fray mcp # AI assistant MCP server
fray completions # Shell completions (bash/zsh/fish)
Utilities
fray todo list --json # Internal TODO list (stored at ~/.fray/todo.json)
fray todo is an internal helper for maintainers — it never syncs or touches the repo. The --json flag returns a structured payload with sorted items:
{
"summary": {
"total_count": 4,
"pending_count": 3,
"completed_count": 1,
"showing_count": 3,
"show_all": false
},
"items": [
{"id": 4, "priority": "high", "status": "pending", "content": "..."}
]
}
This makes scripting straightforward (e.g., jq '.summary.pending_count'). Use --all to include completed items in both the summary and the item list.
Learn & help
fray ask <query> # Natural language query
fray learn [topic] # Interactive security tutorial
fray doctor [--fix] # Check environment & core imports
fray help [cmd] [--man] # Full command guide (or man page)
Auth & Stealth
fray test https://target.com --cookie "session=abc123" # Cookie auth
fray test https://target.com --bearer eyJhbG... # Bearer token
fray test https://target.com --stealth -d 0.5 # Randomized UA + jitter
fray recon https://target.com --scope scope.txt # In-scope enforcement
Session profiles, OAuth2 client credentials, and multi-step form login are supported. Auth guide →
CI/CD
# .github/workflows/waf.yml
- uses: dalisecurity/fray@v1
  with:
    target: https://staging.example.com
    categories: xss,sqli
Fray exits non-zero on bypass findings, integrates with GitHub Security tab via SARIF, and supports --json for pipeline consumption. CI/CD guide →
Payload Coverage
7,800+ payloads across 43 categories, 175 CVEs (2020-2026):
| Category | Count | Category | Count |
|---|---|---|---|
| XSS | 1,329 | AI/LLM Prompt Injection | 410 |
| Web Shells | 994 | Path Traversal | 293 |
| WordPress | 964 | SQL Injection | 258 |
| LLM Testing | 740 | Command Injection | 233 |
| Other / Generic | 368 | SSTI | 220 |
| CSP Bypass | 177 | XXE | 178 |
| Modern Bypasses | 137 | API Security | 130 |
| SSRF Cloud Metadata | 123 | Prototype Pollution | 110 |
| CRLF Injection | 94 | Open Redirect | 91 |
| LDAP Injection | 90 | XPath Injection | 89 |
| JWT Attack | 32 | Supply Chain | 46 |
| Cache Poisoning | 20 | Deserialization | 16 |
| Mass Assignment | 25 | Race Condition | 16 |
| Auth Bypass | 20 | GraphQL Attacks | 24 |
| RAG Security | 16 | HTTP Smuggling | 17 |
| Host Header Injection | 15 | CORS | 15 |
Full payload database → · CVE coverage →
MCP Server — AI Agent Integration
Fray exposes 18 tools via MCP for Claude, ChatGPT, Cursor, and other AI clients.
pip install 'fray[mcp]'
{ "mcpServers": { "fray": { "command": "python", "args": ["-m", "fray.mcp_server"] } } }
Ask "What XSS payloads bypass Cloudflare?" and Fray's tools (suggest_payloads_for_waf, generate_bypass_strategy, search_payloads, analyze_response, hardening_check, +9 more) are called directly.
Claude Code guide → · ChatGPT guide →
VS Code Extension
11 commands, right-click scan, inline diagnostics, HTML report panel (Cmd+Shift+R), activity bar sidebar. Extension docs →
Community
Have a question? Found a bug? Want to contribute?
- Discussions — ask questions, share ideas, show what you built
- Issues — bug reports and feature requests
- Contributing — PRs welcome. For AI coding agents, see AGENTS.md
Legal
MIT License — See LICENSE. Only test systems you own or have explicit authorization to test.
Security issues: soc@dalisec.io · SECURITY.md
dalisec.io · Built by hunters. For defenders.
Project details
Download files
File details
Details for the file fray-3.5.12.tar.gz.
File metadata
- Download URL: fray-3.5.12.tar.gz
- Upload date:
- Size: 1.5 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3ffb747951b1e390e8959368c04a10d8d267f2efc0454e1628b34898d60b1d56 |
| MD5 | d66a567822fe9073e85ba141fa0538bd |
| BLAKE2b-256 | 94922f6fb645b206cb7d36088fcca8440c43d880a08bb5e32c4411db843b52a5 |
Provenance
The following attestation bundles were made for fray-3.5.12.tar.gz:
Publisher: publish.yml on dalisecurity/Fray
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: fray-3.5.12.tar.gz
- Subject digest: 3ffb747951b1e390e8959368c04a10d8d267f2efc0454e1628b34898d60b1d56
- Sigstore transparency entry: 1123261077
- Sigstore integration time:
- Permalink: dalisecurity/Fray@888b8cb05fef9b53dcda9837ee6a036f563bf58d
- Branch / Tag: refs/tags/v3.5.12
- Owner: https://github.com/dalisecurity
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@888b8cb05fef9b53dcda9837ee6a036f563bf58d
- Trigger Event: release
File details
Details for the file fray-3.5.12-py3-none-any.whl.
File metadata
- Download URL: fray-3.5.12-py3-none-any.whl
- Upload date:
- Size: 1.5 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 3093b99c20976548460670e6f9320bdcdab2ce945370a1ce954ebced08b8b74e |
| MD5 | 9be817eac249e3af9ad6377f14d0872c |
| BLAKE2b-256 | a346182055dd26dc9c024c3f85d477e44f68784c91326cb756b4395dd256ab00 |
Provenance
The following attestation bundles were made for fray-3.5.12-py3-none-any.whl:
Publisher: publish.yml on dalisecurity/Fray
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: fray-3.5.12-py3-none-any.whl
- Subject digest: 3093b99c20976548460670e6f9320bdcdab2ce945370a1ce954ebced08b8b74e
- Sigstore transparency entry: 1123261081
- Sigstore integration time:
- Permalink: dalisecurity/Fray@888b8cb05fef9b53dcda9837ee6a036f563bf58d
- Branch / Tag: refs/tags/v3.5.12
- Owner: https://github.com/dalisecurity
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@888b8cb05fef9b53dcda9837ee6a036f563bf58d
- Trigger Event: release
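Checking a downloaded artifact against the digests published above before installing it, as an added example that is neither Fray's code nor PyPI tooling. The two SHA256 values are the ones on this page for the 3.5.12 sdist and wheel; because the attestation's Subject digest is that same value, one hash comparison ties the file you hold to both the file listing and the provenance statement. The file demo() hashes is a constructed six-byte stand-in, not the real sdist, so its digest will not match; that is the failure case a verifier has to report rather than swallow.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Added example, not Fray's code or PyPI tooling. The two SHA256 digests are the
# values published on this page for the 3.5.12 sdist and wheel; the provenance
# attestation's "Subject digest" must equal the same value, so one hash check
# covers both the download and the attestation subject.

PUBLISHED_SHA256 = {
    "fray-3.5.12.tar.gz":
        "3ffb747951b1e390e8959368c04a10d8d267f2efc0454e1628b34898d60b1d56",
    "fray-3.5.12-py3-none-any.whl":
        "3093b99c20976548460670e6f9320bdcdab2ce945370a1ce954ebced08b8b74e",
}


def sha256_file(path: Path) -> str:
    """Stream the file so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: Path, expected_sha256: str):
    """Return (matches, actual_digest). The actual digest is returned so a
    mismatch can be reported with evidence, not just a boolean."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_sha256.lower()), actual


def requirements_line(name: str, version: str, digests) -> str:
    """A hash-pinned line for `pip install --require-hashes`: pip accepts the
    artifact only if its digest is one of those listed."""
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{d}" for d in digests)


def demo() -> dict:
    """Constructed stand-in for a downloaded sdist (six bytes, not the real
    file), so the check must fail and report the digest it actually saw."""
    path = Path(tempfile.mkdtemp()) / "fray-3.5.12.tar.gz"
    path.write_bytes(b"hello\n")
    matches, actual = verify_artifact(path, PUBLISHED_SHA256[path.name])
    return {
        "matches_published": matches,
        "actual": actual,
        "pin": requirements_line("fray", "3.5.12", PUBLISHED_SHA256.values()),
    }


if __name__ == "__main__":
    r = demo()
    print("verified" if r["matches_published"] else f"MISMATCH, got {r['actual']}")
    print(r["pin"])
```

Against the real artifacts: `pip download fray==3.5.12 --no-deps -d dist/`, run verify_artifact over each file in dist/, and put the pin line into requirements.txt so `pip install --require-hashes -r requirements.txt` refuses any future upload of the same version with a different digest. The digest check confirms integrity; the Sigstore transparency entries listed above are what tie that digest to the publish.yml workflow on the dalisecurity/Fray repository.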