Releases: dalisecurity/Fray

Fray v3.4.0 — 4,000+ Payloads, VS Code Extension, GitHub Action

09 Mar 02:00

What's New

Payload Database Expansion (2,913 → 4,003)

  • +1,090 new payloads across 18 categories
  • 4 new categories: File Upload (60), Web Shells (50), WordPress (50), LLM Testing (50)
  • Major expansions: XSS (+220), SQLi (+100), Command Injection (+75), SSTI (+60), XXE (+50), SSRF (+50), API Security (+50), Path Traversal (+50)

VS Code Extension

  • Published to VS Code Marketplace as Fray Security Scanner
  • 11 commands: scan, test, bypass, detect, harden, recon, OSINT, leak search
  • HTML report webview (Cmd+Shift+R), inline diagnostics, activity bar sidebar
  • Right-click any URL to scan directly

GitHub Action

  • uses: dalisecurity/fray@v3 — add WAF security testing to any CI/CD pipeline
  • Auto WAF detection → payload testing → PR comment with results
  • fail-on-bypass to block PRs with WAF bypasses
  • Webhook notifications (Slack/Discord/Teams)

Other

Quick Start

pip install fray
fray auto https://example.com

v3.2.0 — Parallel Recon, Fast/Deep Modes, Origin IP Discovery, WAF Intel

06 Mar 03:59

What's New

Performance

  • 3.8x faster recon — parallelized 13 independent network checks (108s → 29s)
  • Thread pools inside admin panel (8.5x), exposed files (5.5x), API discovery (8.4x)

Scan Modes

  • fray recon <url> --fast — ~15s, core checks only
  • fray recon <url> — ~30s, full scan (default)
  • fray recon <url> --deep — extended DNS (SOA/CAA/SRV/PTR), 300-word subdomain list, Wayback 500

Origin IP Discovery

  • Discovers real server IPs behind CDN/WAF via MX records, SPF chains, TLS cert SANs, mail subdomains
  • HTTP Host header verification confirms bypassed origins
  • Integrated into recon output with curl reproduction commands

WAF Intelligence

  • Per-vendor bypass strategy knowledge base (10 vendors)
  • WAF rule gap analysis — auto cross-reference vendor against known bypasses
  • Differential response analysis with timing signatures

Reconnaissance

  • Active subdomain enumeration with WAF bypass detection
  • Attack surface summary with risk scoring
  • Pipe-friendly: cat domains.txt | fray recon
  • LinkFinder-style JS endpoint extraction
  • --ai flag for LLM-optimized JSON output
  • fray graph attack surface visualization

Full changelog

v3.1.0...v3.2.0

Fray v1 — GitHub Action for WAF Security Testing

04 Mar 17:18

feat: GitHub Action for CI/CD — dalisecurity/fray@v1

New action.yml (composite action, Marketplace-ready):
- 15 inputs: target, mode, max-payloads, stealth, cookie, bearer,
  scope-file, fail-on-bypass, comment-on-pr, webhook, etc.
- 6 outputs: total, blocked, bypassed, block-rate, waf-vendor, results-file
- Steps: install Fray, detect WAF, run tests, upload artifact,
  comment on PR, fail on bypass

New .github/workflows/example-fray-test.yml:
- Quick PR scan (smart mode, 50 payloads, fail-on-bypass)
- Deep weekly authenticated scan (all categories, 200 payloads, stealth)

Updated both READMEs (EN + JA) with GitHub Actions section.
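A workflow that wires the inputs and outputs listed above into a pull-request gate against your own staging environment, added here as an example (it is not the project's own example-fray-test.yml). It pins dalisecurity/fray@v3 as the v3.4.0 notes do; the input values (mode: smart, max-payloads: 50, the boolean flags) and the STAGING_URL / FRAY_WEBHOOK secret names are assumptions.

```yaml
# Added example workflow, not the project's own file.
# Assumed: input values and the `block-rate` / `bypassed` output names follow
# the inputs/outputs listed in the release notes; STAGING_URL and FRAY_WEBHOOK
# are placeholder repository secrets you define yourself.
name: WAF regression test

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # required for comment-on-pr to post results

jobs:
  waf-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Test the staging WAF with a quick smart-mode scan
        id: fray
        uses: dalisecurity/fray@v3
        with:
          target: ${{ secrets.STAGING_URL }}   # your own environment only
          mode: smart
          max-payloads: 50
          fail-on-bypass: true                 # block the PR if any payload gets through
          comment-on-pr: true
          webhook: ${{ secrets.FRAY_WEBHOOK }} # Slack/Discord/Teams notification

      # Runs even when fail-on-bypass has failed the job, so the numbers are
      # always visible in the log for triage.
      - name: Record block rate
        if: always()
        run: |
          echo "WAF vendor: ${{ steps.fray.outputs.waf-vendor }}"
          echo "Blocked ${{ steps.fray.outputs.blocked }} / ${{ steps.fray.outputs.total }}"
          echo "Block rate: ${{ steps.fray.outputs.block-rate }}% (bypassed: ${{ steps.fray.outputs.bypassed }})"
```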

Fray v3.0.0 — AI-Powered WAF Security Testing Platform

02 Mar 06:52

Fray v3.0.0 — PyPI Package Release

Install

pip install fray

What's New

  • PyPI package: pip install fray with CLI entry points
  • Clean CLI: fray detect, test, report, payloads, version
  • fray doctor — Environment diagnostics + auto-fix
  • fray test --webhook — Slack/Discord/Teams notifications on scan completion
  • fray submit-payload — Community payload contribution via auto GitHub PR
  • fray ci init — GitHub Actions workflow generator for PR-based WAF testing
  • fray learn — Interactive CTF-style security tutorial (XSS, SQLi, SSRF, Command Injection)
  • 5,500+ attack payloads across 25+ categories (XSS, SQLi, SSRF, SSTI, XXE, etc.)
  • 25 WAF vendor fingerprints (Cloudflare, Akamai, AWS WAF, Imperva, Azure, and more)
  • AI/LLM payloads — prompt injection, jailbreaks, indirect injection
  • Zero dependencies — uses Python stdlib only for core functionality
  • MCP server — AI assistant integration for security workflows

Quick Start

fray detect https://example.com
fray test https://example.com -c xss --max 10
fray payloads
fray doctor
fray learn xss
fray ci init

Links