XecureX is a powerful open-source security audit tool designed for red team operations. It analyzes repositories to detect common security vulnerabilities and helps developers secure their code before deployment.
- Hardcoded Credentials - Detects passwords, API keys, secrets, tokens hardcoded in source code
- SQL Injection - Identifies string concatenation in SQL queries that could lead to injection attacks
- Command Injection - Finds dangerous system calls (os.system, eval, shell=True, subprocess)
- Path Traversal - Detects dynamic file paths that could be exploited
- XSS Vulnerabilities - Identifies unsafe DOM manipulation (innerHTML, document.write)
- Weak Cryptography - Finds usage of weak hash algorithms (MD5, SHA1)
- Insecure Deserialization - Detects unsafe deserialization patterns (pickle, yaml.load)
- Sensitive Data Exposure - Finds secrets logged to console or printed
```bash
# Clone the repository
git clone https://github.com/s1d9e/xecurex.git
cd xecurex

# Install dependencies
pip install -r requirements.txt
```

```bash
# Basic scan
python src/main.py /path/to/repository

# JSON output
python src/main.py /path/to/repository --format json

# Save results to file
python src/main.py /path/to/repository -o results.json

# Exclude additional directories
python src/main.py /path/to/repository --exclude test_data cache
```

| Language | Extensions |
|---|---|
| Python | .py |
| JavaScript/TypeScript | .js, .ts, .jsx, .tsx |
| Java | .java |
| PHP | .php |
| Ruby | .rb |
| Go | .go |
| Shell | .sh |
| C# | .cs |
| SQL | .sql |

| Severity | Color | Categories |
|---|---|---|
| HIGH | 🔴 | Hardcoded Credentials, Command Injection, SQL Injection, Insecure Deserialization |
| MEDIUM | 🟡 | XSS Vulnerabilities, Path Traversal, Weak Crypto |
| LOW | 🟢 | Sensitive Data Exposure, Hardcoded IP/URL |
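
As an added illustration of how the checks listed in the feature list and the severity grading in the table above fit together, here is a small pattern-based scanner. It is example code written for this page, not XecureX's own implementation: the rule regexes, the severity mapping, the `SAMPLE_FILES` repository and every path and name in it are assumptions made here, and the sample credential and token values are fake.

```python
"""Added example, not XecureX's own code: a minimal pattern-based audit scanner
in the spirit of the feature list and severity table above. The rule regexes,
the severity assignments and the sample repository are constructed here for
illustration; a real scanner needs a parser, not line regexes, to keep noise down."""
import os
import re
from dataclasses import dataclass

# Extensions from the supported-languages table above.
SUPPORTED_EXTENSIONS = {".py", ".js", ".ts", ".jsx", ".tsx", ".java", ".php",
                        ".rb", ".go", ".sh", ".cs", ".sql"}

# (category, severity, pattern, message). Severities follow the table above;
# the patterns themselves are assumptions made for this example.
RULES = [
    ("Hardcoded Credentials", "HIGH",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{4,}["']"""),
     "Hardcoded credential in assignment"),
    ("SQL Injection", "HIGH",
     re.compile(r"""(?i)\b(select|insert|update|delete)\b.*["']\s*\+\s*\w|\bexecute\(\s*f["']"""),
     "SQL query built by string concatenation"),
    ("Command Injection", "HIGH",
     re.compile(r"\bos\.system\(|\bshell\s*=\s*True|\beval\("),
     "Dangerous system call"),
    ("Insecure Deserialization", "HIGH",
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*SafeLoader)"),
     "Unsafe deserialization"),
    ("XSS Vulnerabilities", "MEDIUM",
     re.compile(r"\.innerHTML\s*=|\bdocument\.write\("),
     "Dangerous DOM sink"),
    ("Weak Crypto", "MEDIUM",
     re.compile(r"\bhashlib\.(md5|sha1)\(|\b(MD5|SHA1)\("),
     "Weak hash algorithm"),
    ("Sensitive Data Exposure", "LOW",
     re.compile(r"(?i)\b(print|console\.log|logging\.\w+)\(.*\b(password|secret|token)\b"),
     "Secret written to console or log"),
]
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    path: str
    line: int
    category: str
    severity: str
    message: str


def is_supported(path):
    return os.path.splitext(path)[1] in SUPPORTED_EXTENSIONS


def scan_source(path, text):
    """Run every rule over every line of one file; whole-line comments are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(("#", "//")):
            continue
        for category, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, category, severity, message))
    return findings


def scan_files(files):
    """files maps path -> contents. Unsupported extensions are skipped; results
    are ordered HIGH, MEDIUM, LOW, then by path and line."""
    findings = []
    for path, text in files.items():
        if is_supported(path):
            findings.extend(scan_source(path, text))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))


def format_report(findings, files_scanned):
    """Render findings grouped by severity, in the layout of the sample report."""
    out = ["=" * 70, "SECURITY AUDIT REPORT", "=" * 70,
           f"Files scanned: {files_scanned}",
           f"[!] Found {len(findings)} potential security issues:"]
    for severity in ("HIGH", "MEDIUM", "LOW"):
        group = [f for f in findings if f.severity == severity]
        if group:
            out += [f"{severity} Severity ({len(group)})", "-" * 50]
            for f in group:
                out += [f"  {f.path}:{f.line}", f"    [{f.category}] {f.message}"]
    return "\n".join(out)


# Constructed sample repository: each file pairs a flagged line with its safe form.
SAMPLE_FILES = {
    "src/auth.py": "\n".join([
        "import os",
        'password = "hunter2-not-a-real-secret"',      # fake value, flagged
        'password = os.environ["APP_PASSWORD"]',       # safe: read from env
        'print("session token:", token)',              # flagged as LOW
    ]),
    "src/database.py": "\n".join([
        'cursor.execute("SELECT * FROM users WHERE name = \'" + name + "\'")',
        'cursor.execute("SELECT * FROM users WHERE name = %s", (name,))',
    ]),
    "src/shell.py": "subprocess.run(cmd, shell=True)\nsubprocess.run(['ls', '-l', path])",
    "src/loader.py": "obj = pickle.loads(blob)\ncfg = yaml.safe_load(text)",
    "frontend/app.js": "el.innerHTML = userInput;\nel.textContent = userInput;",
    "utils/crypto.py": "digest = hashlib.md5(data).hexdigest()\ndigest = hashlib.sha256(data).hexdigest()",
    "notes.txt": 'password = "ignored-unsupported-extension"',
}

if __name__ == "__main__":
    scanned = [p for p in SAMPLE_FILES if is_supported(p)]
    print(format_report(scan_files(SAMPLE_FILES), len(scanned)))
```

Running the block prints a report of seven findings (four HIGH, two MEDIUM, one LOW) in roughly the layout shown below. The point to take from it is the limit of line-level matching: the `shell=True` rule fires whether `cmd` is a constant or comes from user input, and the safe parameterised query passes only because no `+` follows a quote on that line. Real tools reduce that noise by resolving data flow rather than matching text, which is why findings from a regex scanner are "potential" issues to be triaged, not confirmed vulnerabilities.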

```
======================================================================
SECURITY AUDIT REPORT
======================================================================
📊 Statistics:
Files scanned: 42
Lines scanned: 1583
[!] Found 5 potential security issues:
🔴 HIGH Severity (2)
--------------------------------------------------
📁 src/auth.py:15
[Hardcoded Credentials] Hardcoded password detected
📁 src/database.py:42
[SQL Injection] SQL query with string concatenation
🟡 MEDIUM Severity (2)
--------------------------------------------------
📁 frontend/app.js:23
[XSS Vulnerabilities] Dangerous innerHTML assignment
📁 utils/crypto.py:8
[Weak Crypto] MD5 hash usage - weak cryptographic
🟢 LOW Severity (1)
--------------------------------------------------
📁 src/config.py:5
[Hardcoded IP/URL] Hardcoded IP address
```
```bash
# Run tests
python -m pytest tests/ -v

# Run with coverage
python -m pytest tests/ --cov=src --cov-report=html
```

This project is licensed under the MIT License - see the LICENSE file for details.
This tool is intended for authorized security testing only. Always ensure you have explicit permission before scanning any repository that you do not own. The authors assume no liability for any damages caused by misuse of this tool.
Made with ❤️ by s1d9e