
Open-source WAF Security Testing Platform — 7,200+ attack payloads, 98 WAF/CDN fingerprints, AI-powered bypass engine, recon pipeline, beautiful CLI output

Project description

Fray

Vibe security — just point and scan.

Open-source security testing that figures out the rest.
One command. Full pipeline. Zero config.

pip install fray && fray go target.com




FOR AUTHORIZED SECURITY TESTING ONLY — Only test systems you own or have explicit written permission to test.

fray go — full security audit in one command

Why Vibe Security?

Security testing used to mean installing five tools, learning each one's flags, writing config files, and manually correlating results. That's not how it should work.

Vibe security is the idea that security testing should be as easy as vibe coding made development — describe what you want, and the tool handles the rest. Fray embodies this:

  • One command does everything: fray go runs recon, finds vulnerabilities, tests them, and generates a report. Zero config.
  • You don't need to be a security expert — Fray picks the right checks and payloads based on what it discovers about your target.
  • AI-native — built-in MCP server for Claude, ChatGPT, and Cursor. Ask questions in natural language, get security answers.
  • Smart, not noisy — adaptive cache learns across scans. Blocked payloads are never re-sent. Each run gets smarter.

Before Fray vs. With Fray

| Traditional Security Testing | Vibe Security with Fray |
|---|---|
| Install 5+ tools (nmap, wafw00f, sqlmap, nikto, nuclei) | pip install fray |
| Learn each tool's flags and config formats | fray go target.com |
| Manually correlate findings across tools | Automatic pipeline: recon → test → report |
| Write custom scripts to chain tools together | Built-in: 35 checks, 12 deep scan modules, 7,400+ payloads |
| Read hundreds of pages of documentation | Zero config — smart defaults, interactive menus |
| Security expertise required | Built for anyone who ships web apps |

Quick Start

pip install fray

The only command you need:

fray go https://target.com        # Full pipeline: recon → vuln test → report

That's it. Fray scans your target, identifies the tech stack and WAF, finds vulnerabilities, tests them, and generates an HTML report — all automatically.

Want more control? Use individual commands:

fray recon https://target.com          # 35-check reconnaissance
fray test https://target.com --smart   # Smart payload selection from recon findings
fray scan https://target.com           # Auto crawl → discover → inject
fray monitor https://target.com        # Continuous monitoring with alerts

Cloudflare R2 sharing (optional)

fray go --share uploads a sanitized recon snapshot to Cloudflare R2 and returns a public URL. Configure credentials once via fray sync --configure or drop a file at ~/.fray/cloud.json:

{
  "r2_endpoint": "https://ACCOUNT_ID.r2.cloudflarestorage.com",
  "r2_bucket": "fray-shares",
  "r2_access_key": "R2AKIA...",
  "r2_secret_key": "super-secret",
  "share_patterns": false
}

Or use environment variables (highest priority):

| Variable | Description | Example |
|---|---|---|
| FRAY_R2_ENDPOINT | R2 S3 endpoint URL | https://abc123.r2.cloudflarestorage.com |
| FRAY_R2_BUCKET | Bucket name | fray-shares |
| FRAY_R2_ACCESS_KEY | Access key ID | R2AKIA... |
| FRAY_R2_SECRET_KEY | Secret key | super-secret |

Run fray share --list --json anytime to view active shares with human-readable expirations.
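As an added example (not Fray's own loader), this resolves the precedence described above in Python: a set environment variable overrides the matching cloud.json key, the secret is redacted before anything is logged, and cloud.json is checked for group/other read bits because it holds the R2 secret in plaintext. The function names are this example's assumptions; the key and variable names are the ones on this page.

```python
import json
import os
import stat
from pathlib import Path

# cloud.json key -> environment variable that overrides it (names from the page)
ENV_OVERRIDES = {
    "r2_endpoint": "FRAY_R2_ENDPOINT",
    "r2_bucket": "FRAY_R2_BUCKET",
    "r2_access_key": "FRAY_R2_ACCESS_KEY",
    "r2_secret_key": "FRAY_R2_SECRET_KEY",
}

def load_cloud_json(path: Path) -> dict:
    """Return the parsed ~/.fray/cloud.json, or {} when the file is absent."""
    return json.loads(path.read_text()) if path.is_file() else {}

def resolve_r2_config(file_values: dict, env: dict) -> dict:
    """Merge file values with environment variables; a non-empty env var wins.
    share_patterns defaults to False so recon patterns stay out of shares."""
    merged = {"share_patterns": False, **file_values}
    for key, var in ENV_OVERRIDES.items():
        if env.get(var):
            merged[key] = env[var]
    return merged

def missing_r2_settings(cfg: dict) -> list:
    """Keys still empty after merging; a share upload cannot proceed with any."""
    return [key for key in ENV_OVERRIDES if not cfg.get(key)]

def redact(cfg: dict) -> dict:
    """Copy safe for logs and --json output: keep only the secret's last 4 chars."""
    out = dict(cfg)
    secret = out.get("r2_secret_key") or ""
    out["r2_secret_key"] = ("****" + secret[-4:]) if secret else ""
    return out

def owner_only(path: Path) -> bool:
    """True when no group/other permission bits are set (mode 0600 or tighter).
    cloud.json stores the R2 secret in plaintext, so anything looser warrants chmod 600."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

if __name__ == "__main__":
    cfg_path = Path.home() / ".fray" / "cloud.json"   # location named on the page
    cfg = resolve_r2_config(load_cloud_json(cfg_path), dict(os.environ))
    if cfg_path.is_file() and not owner_only(cfg_path):
        print(f"warning: {cfg_path} is readable by other users; run chmod 600")
    print(redact(cfg), "missing:", missing_r2_settings(cfg))
```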


Who is Fray for?

  • Developers & founders — shipping a web app? Run fray go before launch. Done.
  • Bug bounty hunters — 7,400+ payloads, WAF bypass intelligence, adaptive learning.
  • Pentesters — full recon pipeline, 12 deep scan modules, stealth mode, auth support.
  • DevSecOps — GitHub Action, CI/CD integration, SARIF output, --json for pipelines.
  • Security teams — MCP server for AI agents, VS Code extension, batch scanning.

What's New

v3.5 — March 2026

  • Dashboard live reload — SSE file watcher, timeline view, side-by-side diff of any two runs
  • fray init — scaffold .fray.toml, auth profile, and scope file in one command
  • --dry-run — preview destructive commands before executing (fray cache clear --dry-run)
  • --quiet / --summary — suppress educational output or get a quick overview
  • fray help <cmd> --man — generate man pages from help text
  • Config validation — warns about unknown keys in .fray.toml on startup
  • fray doctor — checks core module imports and environment health

v3.4 — March 2026

  • GitHub Action — test your WAF on every PR (uses: dalisecurity/fray@v1)
  • MCP Server — Claude Code & ChatGPT integration (pip install fray[mcp])
  • 35-check recon — TLS, CORS, VPN gateways, AI/LLM endpoints, cloud buckets, secrets
  • 12 deep scan modules — XSS, SQLi, CMDi, SSTI, CSP bypass, modern WAF bypasses, SSRF, cache poisoning, deserialization, mass assignment, prototype pollution, race conditions
  • Interactive post-recon menu — findings-driven next steps, not random payloads

Coming up: TLS fingerprint spoofing · YAML template DSL · race condition testing · NL queries → Full changelog


Commands

Fray has 20 commands organized into 6 groups. Run fray --help or fray help for full details.

Core — Security testing workflow

fray go <url>              # ★ Full assessment: recon → smart test → report
fray recon <url>           # Reconnaissance & fingerprinting (35+ checks)
fray test <url>            # Test WAF with payloads (-c xss --smart --blind)
fray scan <url>            # Auto crawl → discover → inject (--bounty)
fray monitor <url>         # Continuous monitoring with alerts

fray <url> is a shortcut for fray go <url> — just point and scan.

Data — Reports & intelligence

fray report <sub>          # generate, company, waf, posture, diff, explain
fray intel <sub>           # feed, cve, poc-recheck, leak, osint, ct
fray auth <sub>            # session, solve, cred
fray export <sub>          # nuclei, ci

Manage — Configuration & data

fray init                  # Scaffold .fray.toml + auth profile + scope file
fray config                # .fray.toml configuration
fray plugin                # Plugin system
fray cache                 # Payload cache & stats (--dry-run for clear)
fray update                # Update payload database

Integrations

fray dashboard             # Web UI (live reload, timeline, diff)
fray mcp                   # AI assistant MCP server
fray completions           # Shell completions (bash/zsh/fish)

Utilities

fray todo list --json      # Internal TODO list (stored at ~/.fray/todo.json)

fray todo is an internal helper for maintainers — it never syncs or touches the repo. The --json flag now returns a structured payload with sorted items:

{
  "summary": {
    "total_count": 4,
    "pending_count": 3,
    "completed_count": 1,
    "showing_count": 3,
    "show_all": false
  },
  "items": [
    {"id": 4, "priority": "high", "status": "pending", "content": "..."}
  ]
}

This makes scripting straightforward (e.g., jq '.summary.pending_count'). Use --all to include completed items in both the summary and item list.

Learn & help

fray ask <query>           # Natural language query
fray learn [topic]         # Interactive security tutorial
fray doctor [--fix]        # Check environment & core imports
fray help [cmd] [--man]    # Full command guide (or man page)

Quick start → · Scan guide →


Auth & Stealth

fray test https://target.com --cookie "session=abc123"     # Cookie auth
fray test https://target.com --bearer eyJhbG...             # Bearer token
fray test https://target.com --stealth -d 0.5               # Randomized UA + jitter
fray recon https://target.com --scope scope.txt             # In-scope enforcement

Session profiles, OAuth2 client credentials, and multi-step form login are supported. Auth guide →


CI/CD

# .github/workflows/waf.yml
- uses: dalisecurity/fray@v1
  with:
    target: https://staging.example.com
    categories: xss,sqli

Fray exits non-zero on bypass findings, integrates with GitHub Security tab via SARIF, and supports --json for pipeline consumption. CI/CD guide →


Payload Coverage

7,400+ payloads across 33 categories, 175 CVEs (2020-2026):

| Category | Count | Category | Count |
|---|---|---|---|
| XSS | 1,329 | AI/LLM Prompt Injection | 370 |
| Web Shells | 994 | Path Traversal | 293 |
| WordPress | 964 | SQL Injection | 258 |
| LLM Testing | 700 | Command Injection | 233 |
| Other / Generic | 368 | SSTI | 220 |
| CSP Bypass | 177 | XXE | 178 |
| Modern Bypasses | 137 | API Security | 130 |
| SSRF | 123 | Prototype Pollution | 110 |
| CRLF Injection | 94 | Open Redirect | 91 |
| LDAP Injection | 90 | XPath Injection | 89 |
| Crypto Failures | 75 | Logging Failures | 50 |
| Cache Poisoning | 20 | Deserialization | 16 |
| Mass Assignment | 25 | Race Condition | 16 |

Full payload database → · CVE coverage →


MCP Server — AI Agent Integration

Fray exposes 18 tools via MCP for Claude, ChatGPT, Cursor, and other AI clients.

pip install 'fray[mcp]'
{ "mcpServers": { "fray": { "command": "python", "args": ["-m", "fray.mcp_server"] } } }

Ask "What XSS payloads bypass Cloudflare?" and Fray's tools (suggest_payloads_for_waf, generate_bypass_strategy, search_payloads, analyze_response, hardening_check, +9 more) are called directly.

Claude Code guide → · ChatGPT guide →


VS Code Extension

Install

11 commands, right-click scan, inline diagnostics, HTML report panel (Cmd+Shift+R), activity bar sidebar. Extension docs →


Community

Have a question? Found a bug? Want to contribute?


Legal

MIT License — See LICENSE. Only test systems you own or have explicit authorization to test.

Security issues: soc@dalisec.io · SECURITY.md

dalisec.io · Built by hunters. For defenders.


Download files


Source Distribution

fray-3.5.6.tar.gz (1.5 MB view details)


Built Distribution


fray-3.5.6-py3-none-any.whl (1.5 MB view details)


File details

Details for the file fray-3.5.6.tar.gz.

File metadata

  • Download URL: fray-3.5.6.tar.gz
  • Size: 1.5 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fray-3.5.6.tar.gz
Algorithm Hash digest
SHA256 5fb68ef928d7195a849515db713e655c7a63e34c295821dfc3603efcfc23ca82
MD5 5830c4e22a769cd4b360d49e0fd109d7
BLAKE2b-256 67b4070d5307290647fb4130ce767ec507188f1595667e46ba1186383808a616


Provenance

The following attestation bundles were made for fray-3.5.6.tar.gz:

Publisher: publish.yml on dalisecurity/Fray

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file fray-3.5.6-py3-none-any.whl.

File metadata

  • Download URL: fray-3.5.6-py3-none-any.whl
  • Size: 1.5 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for fray-3.5.6-py3-none-any.whl
Algorithm Hash digest
SHA256 5d1a159868ddaf921abf633f4ff1c3e057e3643b734590565835b0bd07bcd38a
MD5 be9d0a1de47bd9d1486fb47d49957c08
BLAKE2b-256 cce64855a866e90656bd0bb526f40ab5343fccf5116948b06a96518356f6623f
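An added example, not part of the Fray project, that checks downloaded 3.5.6 artifacts against the SHA256 digests published above for both the sdist and the wheel, and prints a hash-pinned requirements line so that pip refuses any other artifact for this version. Only the digests come from the page; the script name and the file paths given on the command line are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# SHA256 digests exactly as published on this page for the two 3.5.6 artifacts
PUBLISHED_SHA256 = {
    "fray-3.5.6.tar.gz":
        "5fb68ef928d7195a849515db713e655c7a63e34c295821dfc3603efcfc23ca82",
    "fray-3.5.6-py3-none-any.whl":
        "5d1a159868ddaf921abf633f4ff1c3e057e3643b734590565835b0bd07bcd38a",
}

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes (the files are ~1.5 MB, so no streaming)."""
    return hashlib.sha256(data).hexdigest()

def verify_artifact(filename: str, data: bytes) -> bool:
    """True only when filename is a known artifact AND its digest matches.
    An unknown filename is a failure, not a pass: a renamed or extra file must
    never be installed just because no digest was recorded for it."""
    expected = PUBLISHED_SHA256.get(filename)
    return expected is not None and sha256_hex(data) == expected

def requirements_with_hashes() -> str:
    """One requirements.txt line pinning both digests. With
    `pip install --require-hashes -r requirements.txt` pip rejects any fray
    artifact whose digest is not listed (transitive dependencies then need
    hashes too; `pip-compile --generate-hashes` from pip-tools produces them)."""
    hashes = " ".join(f"--hash=sha256:{h}" for h in PUBLISHED_SHA256.values())
    return f"fray==3.5.6 {hashes}\n"

if __name__ == "__main__":
    # usage: python verify_fray.py fray-3.5.6.tar.gz fray-3.5.6-py3-none-any.whl
    for arg in sys.argv[1:]:
        path = Path(arg)
        ok = verify_artifact(path.name, path.read_bytes())
        print(f"{'OK  ' if ok else 'FAIL'} {path.name}")
        if not ok:
            sys.exit(1)
    print(requirements_with_hashes(), end="")
```

Fetch the artifacts without installing them via `pip download fray==3.5.6 --no-deps` (add `--no-binary :all:` for the sdist), then run the script on the downloaded files.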


Provenance

The following attestation bundles were made for fray-3.5.6-py3-none-any.whl:

Publisher: publish.yml on dalisecurity/Fray

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
