[update] 添加evilpot信息

chaitin · Jul 4, 2024 · 01deed5 · 01deed5
1 parent cb8b04a
commit 01deed5
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -62,7 +62,7 @@ xapp是一款专注于web指纹识别的工具。你可以使用xapp对web目标
     xray webscan --basic-crawler http://example.com --html-output vuln.html
     ```
 
-1. 使用 HTTP 代理进行被动扫描
+2. 使用 HTTP 代理进行被动扫描
 
     ```bash
     xray webscan --listen 127.0.0.1:7777 --html-output proxy.html
@@ -71,13 +71,13 @@ xapp是一款专注于web指纹识别的工具。你可以使用xapp对web目标
 
    >如需扫描 https 流量，请阅读下方文档 `抓取 https 流量` 部分
 
-1. 只扫描单个 url，不使用爬虫
+3. 只扫描单个 url，不使用爬虫
 
     ```bash
     xray webscan --url http://example.com/?a=b --html-output single-url.html
     ```
 
-1. 手动指定本次运行的插件
+4. 手动指定本次运行的插件
 
    默认情况下，将会启用所有内置插件，可以使用下列命令指定本次扫描启用的插件。
 
@@ -86,7 +86,7 @@ xapp是一款专注于web指纹识别的工具。你可以使用xapp对web目标
    xray webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777
    ```
 
-1. 指定插件输出
+5. 指定插件输出
 
     可以指定将本次扫描的漏洞信息输出到某个文件中:
 
@@ -173,6 +173,14 @@ xray的进步离不开各位师傅的支持，秉持着互助共建的精神，
 
 ## 🔧周边生态
 
+### POC质量确认靶场
+
+[**Evil Pot**](https://github.com/chaitin/xray/tree/master/tests/evilpot)
+
+一个专门用于让扫描器产生误报的靶场
+
+编写插件应该尽量避免能在这个靶场扫描出结果
+
 ### POC编写辅助工具
 
 该工具可以辅助生成POC，且在线版支持**poc查重**，本地版支持直接发包验证

diff --git a/README_EN.md b/README_EN.md
@@ -62,7 +62,7 @@ Project address: https://github.com/chaitin/xray-plugins
     xray webscan --basic-crawler http://example.com --html-output vuln.html
     ```
 
-1. Use HTTP proxy for passive scanning
+2. Use HTTP proxy for passive scanning
 
     ```bash
     xray webscan --listen 127.0.0.1:7777 --html-output proxy.html
@@ -71,13 +71,13 @@ Project address: https://github.com/chaitin/xray-plugins
 
    > To scan HTTPS traffic, please read the "Capture HTTPS Traffic" section below.
 
-1. Scan a single URL without using a crawler
+3. Scan a single URL without using a crawler
 
     ```bash
     xray webscan --url http://example.com/?a=b --html-output single-url.html
     ```
 
-1. Manually specify plugins for this run
+4. Manually specify plugins for this run
 
    By default, all built-in plugins will be enabled. You can specify the plugins to be enabled for this scan with the following commands.
 
@@ -86,7 +86,7 @@ Project address: https://github.com/chaitin/xray-plugins
    xray webscan --plugins cmd-injection,sqldet --listen 127.0.0.1:7777
    ```
 
-1. Specify Plugin Output
+5. Specify Plugin Output
 
    You can specify to output the vulnerability information of this scan to a file:
 
@@ -175,6 +175,15 @@ Refer to: https://docs.xray.cool/#/guide/contribute
 
 ## 🔧 Surrounding Ecosystem
 
+
+### POC Quality Confirmation Range
+
+[**Evil Pot**](https://github.com/chaitin/xray/tree/master/tests/evilpot)
+
+A range specifically designed to allow scanners to generate false positives
+
+Plugins should be written to try to avoid being able to scan results in this range
+
 ### POC Writing Assistant Tools
 
 This tool can assist in generating POCs, and the online version supports **POC duplication checks**, while the local version supports direct packet verification.