DalFox is a powerful open source XSS scanning tool and parameter analyzer and utility that fast the process of detecting and verify XSS flaws. It comes with a powerful testing engine, many niche features for the cool hacker!
I talk about naming. Dal(λ¬) is the Korean pronunciation of moon, and Fox are made to mean "Finder Of XSS" or π¦
- Key features
- How to Install
- Usage
- POC format
- In the Code
- Screenshots
- Wiki
- Question
- Changelog
- Contributing
Mode: url sxss pipe file server payload
| Class | Key Feature | Description |
|---|---|---|
| Discovery | Parameter analysis | - Find reflected param - Find alive/bad special chars, event handler and attack code - Identification of injection points(HTML/JS/Attribute) inHTML-none inJS-none inJS-double inJS-single inJS-backtick inATTR-none inATTR-double inATTR-single |
| Static analysis | - Check bad-header like CSP, XFO, etc.. with req/res base | |
| BAV analysis | - Testing BAV(Basic Another Vulnerability) , e.g sqli ssti open-redirects, crlf, esii |
|
| Parameter Mining | - Find new param with Dictionary attack (default is GF-Patterns) - Support custom dictionary file ( --mining-dict-word)- Find new param with DOM - Use remote wordlist to mining ( --remote-wordlists) |
|
| Built-in Grepping | - It Identify the basic info leak of SSTi, Credential, SQL Error, and so on | |
| WAF Detection and Evasion | - Detect to WAF(Web Application Firewall). - if found waf and using special flag, evasion using slow request - --waf-evasion |
|
| Scanning | XSS Scanning | - Reflected XSS / Stored XSS / DOM XSS - DOM base verifying - Headless base verifying - Blind XSS testing with param, header( -b , --blind options)- Only testing selected parameters ( -p, --param)- Only testing parameter analysis ( --only-discovery) |
| Friendly Pipeline | - Single url mode (dalfox url)- From file mode ( dalfox file urls.txt)- From IO(pipeline) mode ( dalfox pipe)- From raw http request file mode ( dalfox file raw.txt --rawdata) |
|
| Optimization query of payloads | - Check the injection point through abstraction and generated the fit payload. - Eliminate unnecessary payloads based on badchar |
|
| Encoder | - All test payloads(build-in, your custom/blind) are tested in parallel with the encoder. - To Double URL Encoder - To HTML Hex Encoder |
|
| Sequence | - Auto-check the special page for stored xss (--trigger) - Support ( --sequence) options for Stored XSS , only sxss mode |
|
| HTTP | HTTP Options | - Overwrite HTTP Method (-X, --method)- Follow redirects ( --follow-redirects)- Add header ( -H, --header)- Add cookie ( -C, --cookie)- Add User-Agent ( --user-agent)- Set timeout ( --timeout)- Set Delay ( --delay)- Set Proxy ( --proxy)- Set ignore return codes ( --ignore-return)- Load cookie from raw request ( --cookie-from-raw) |
| Concurrency | Worker | - Set worker's number(-w, --worker) |
| N * hosts | - Use multicast mode (--multicast) , only file / pipe mode |
|
| Output | Output | - Only the PoC code and useful information is write as Stdout - Save output ( -o, --output) |
| Format | - JSON / Plain (--format) |
|
| Printing | - Silence mode (--silence)- You may choose not to print the color ( --no-color)- You may choose not to print the spinner ( --no-spinner)- You may choose show only special poc code ( --only-poc) |
|
| Report | - Show detail report (--report and --report-format=<plain/json>) |
|
| Extensibility | REST API | - API Server and Swagger (dalfox server) |
| Payload Mode | - Generate and Enumerate Payloads for XSS Testing (dalfox payload) |
|
| Found Action | - Lets you specify the actions to take when detected. - Notify, for example ( --found-action) |
|
| Custom Grepping | - Can grep with custom regular expressions on response - If duplicate detection, it performs deduplication ( --grep) |
|
| Custom Payloads | - Use custom payloads list file (--custom-payload) - Custom alert value ( --custom-alert-value) - Custom alert type ( --custom-alert-type) |
|
| Remote Payloads | - Use remote payloads from portswigger, payloadbox, etc.. (--remote-payloads) |
|
| Package | Package manager | - pkg.go.dev - homebrew with tap - snapcraft |
| Docker ENV | - docker hub - github package of docker |
|
| Other | - github action |
And the various options required for the testing :D
go1.17
go install github.com/hahwul/dalfox/v2@latest
go1.16
GO111MODULE=on go get github.com/hahwul/dalfox/v2
brew tap hahwul/dalfox
brew install dalfox
sudo snap install dalfox
More information? please read Installation guide
βΆ dalfox [mode] [target] [flags]
Single target mode
βΆ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://hahwul.xss.ht
Multiple target mode from file
βΆ dalfox file urls_file --custom-payload ./mypayloads.txt
Pipeline mode
βΆ cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"
Other tips, See wiki for detailed instructions!
Sample poc log
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
Format
| Identity | Type | Information | BLANK | PoC Code |
|---|---|---|---|---|
| POC | G | BUILT-IN/dalfox-error-mysql/GET | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox | |
| POC | R | GET | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E | |
| POC | V | GET | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E |
- Type:
G(Grep) ,R(Reflected) ,V(Verify) - Information: Method, grepping name, etc..
Why is there a gap? It is a method to make it easier to parse only the poc code through cut etc. For example, you can do this.
βΆ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff | cut -d " " -f 2 > output
βΆ cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3Epackage main
import (
"fmt"
dalfox "github.com/hahwul/dalfox/v2/lib"
)
func main() {
opt := dalfox.Options{
Cookie: "ABCD=1234",
}
result, err := dalfox.NewScan(dalfox.Target{
URL: "https://xss-game.appspot.com/level1/frame",
Method: "GET",
Options: opt,
})
if err != nil {
fmt.Println(err)
} else {
fmt.Println(result)
}
}$ go build -o xssapp ; ./xssapp
[] [{V GET https://xss-game.appspot.com/level1/frame?query=%3Ciframe+srcdoc%3D%22%3Cinput+onauxclick%3Dprint%281%29%3E%22+class%3Ddalfox%3E%3C%2Fiframe%3E}] 2.618998247s 2021-07-11 10:59:26.508483153 +0900 KST m=+0.000794230 2021-07-11 10:59:29.127481217 +0900 KST m=+2.619792477}
| Single URL Scanning | Massive(Multicast/Mass) Scanning |
| REST API Server Mode | Output and Customizing (found-action / grepping) |
Please use discussions actively!
Detailed changes for each release are documented in the release notes.
DalFox's open-source project and made it with β€οΈ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.