loading
loading
Vulnerabilities
A fast, powerful parameter analysis and XSS scanner based on a Go DOM parser.
overview
dalfox does two jobs most setups split across separate tools: it mines a target for parameters, then tests each one for cross-site scripting. A Go-based DOM parser drives the analysis, so it tracks where a value lands in the page, whether that is the HTML body, an attribute, inside a script, or a DOM sink, and it sends only the payloads that can execute in that context. The headless engine then loads the response and confirms whether the injection fired, so reflected noise stays out of the results.
It is built to run unattended. Point it at a single URL, a file of targets, or a raw Burp or ZAP request, and switch modes as the job needs: stored-XSS mode with a --trigger URL, a --blind callback domain for payloads that fire out of band, or remote payload sets from PortSwigger and PayloadBox. Set --report-format to plain, json, or jsonl, and --found-action runs a command on every confirmed hit.
In a Trickest pipeline, dalfox sits after URL collection. Feed it the parameterized links a crawler or gau gathered, let it mine parameters and verify XSS, and route the confirmed findings straight into triage. Because it reads a target list and emits structured output, a scheduled run turns fresh URLs into fresh XSS findings with no manual step in between.
source github.com/hahwul/dalfox
use cases
Let DalFox discover parameters in the DOM and dictionary, then test each for reflected, stored, and DOM-based cross-site scripting in one pass.
Use stored-XSS mode with a trigger URL so DalFox injects on one page and verifies execution on the page that renders the stored value.
Set a blind XSS domain so payloads call back when they fire in contexts you cannot see, catching issues a reflected check would miss.
Emit JSON or JSONL and use found-action to fire a command on each hit, so a scheduled scan notifies or routes findings automatically.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| single-url | STRING | url | Single target mode: scan one URL and its parameters. |
| target-list | FILE | file | File mode: a list of target URLs, or raw Burp/ZAP data. |
| param | STRING | --param | Only test the parameters you name. |
| blind-xss-domain | STRING | --blind | Blind XSS callback domain for out-of-band payloads. |
| custom-payloads | FILE | --custom-payload | Load extra XSS payloads from a file. |
| report-format | STRING | --report-format | Report format: plain, json, or jsonl. |
| deep-domxss | BOOLEAN | --deep-domxss | Run more DOM XSS payloads through the headless browser. |
| found-action | FILE | --found-action | Run a command on each weak or confirmed finding. |
Showing key inputs. dalfox exposes 67 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| sxss | STRING | sxss | Use Stored XSS mode |
| debug | BOOLEAN | --debug | Debug mode |
| param | STRING | --param | Only testing selected parameters |
| cookie | STRING | --cookie | Add custom cookie |
| report | BOOLEAN | --report | Show detail report |
| payload | BOOLEAN | payload | Payload mode, make and enum payloads |
| use-bav | BOOLEAN | --use-bav | Skipping BAV(Basic Another Vulnerability) analysis |
| workers | STRING | --worker | Number of worker (default 100) |
| no-color | BOOLEAN | --no-color | Not use colorize |
| only-poc | STRING | --only-poc | Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified) |
| post-data | STRING | --data | Using POST Method and add Body data |
| use-proxy | STRING | --proxy | Send all request to proxy server. Example: http://127.0.0.1:8080 |
| mining-dom | BOOLEAN | --mining-dom | Find new parameter in DOM (attribute/js value) (default true) |
| no-spinner | BOOLEAN | --no-spinner | Not use spinner |
| output-all | BOOLEAN | --output-all | All log write mode |
| single-url | STRING | url | Use single target mode |
| config-file | FILE | --config | Using config from file |
| deep-domxss | BOOLEAN | --deep-domxss | DOM XSS Testing with more payloads on headless [so slow] |
| http-method | STRING | --method | Force overriding HTTP Method. Example: PUT (default "GET") |
| mining-dict | BOOLEAN | --mining-dict | Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true) |
| target-list | FILE | file | Use file mode(targets list or rawdata) |
| timeout-sec | STRING | --timeout | Second of timeout (default 10) |
| found-action | FILE | --found-action | If found weak/vuln, action(cmd) to next. Example: './notify.sh' |
| ignore-param | STRING | --ignore-param | Ignore this parameter when scanning. Example: --ignore-param api_token --ignore-param csrf_token |
| custom-header | STRING | --header | Add custom headers |
| report-format | STRING | --report-format | Format of --report flag [plain/json/jsonl] (default "plain") |
| skip-grepping | BOOLEAN | --skip-grepping | Skipping built-in grepping |
| skip-headless | BOOLEAN | --skip-headless | Skipping headless browser base scanning[DOM XSS and inJS verify] |
| stdout-format | STRING | --format | Stdout output format. Supported plain / json |
| file-mode-http | BOOLEAN | --http | Using force http on rawdata mode |
| only-discovery | BOOLEAN | --only-discovery | Only testing parameter analysis |
| output-request | BOOLEAN | --output-request | Include raw HTTP requests in the results |
| cookie-from-raw | FILE | --cookie-from-raw | Load cookie from burp raw http request. Example: request.txt |
| custom-payloads | FILE | --custom-payload | Add custom payloads from file |
| output-response | BOOLEAN | --output-response | Include raw HTTP responses in the results |
| remote-payloads | STRING | --remote-payloads | Using remote payload for XSS testing. Supported: portswigger/payloadbox. Example: portswigger,payloadbox |
| skip-mining-all | BOOLEAN | --skip-mining-all | Skipping ALL parameter mining |
| skip-mining-dom | BOOLEAN | --skip-mining-dom | Skipping DOM base parameter mining |
| blind-xss-domain | STRING | --blind | Add your blind xss domain. Example: hahwul.xss.ht |
| custom-grep-file | FILE | --grep | Using custom grepping file.Example: ./samples/sample_grep.json |
| follow-redirects | BOOLEAN | --follow-redirects | Following redirection |
| mining-dict-word | FILE | --mining-dict-word | Custom wordlist file for param mining. Example: word.txt |
| remote-wordlists | STRING | --remote-wordlists | Using remote wordlists for param mining. Supported: burp/assetnote. Example: burp |
| skip-mining-dict | BOOLEAN | --skip-mining-dict | Skipping Dict base parameter mining |
| custom-alert-type | STRING | --custom-alert-type | Change alert value type. Example: none / str,none (default "none") |
| custom-user-agent | STRING | --user-agent | Add custom UserAgent |
| delay-miliseconds | STRING | --delay | Milliseconds between send to same host (1000==1s) |
| file-mode-rawdata | FILE | --rawdata | Using req rawdata from Burp/ZAP |
| skip-xss-scanning | BOOLEAN | --skip-xss-scanning | Skipping XSS Scanning |
| sxss-mode-trigger | STRING | --trigger | Checking this url after inject sxss code. Example: https://~~/profile |
| custom-alert-value | STRING | --custom-alert-value | Change alert value. Example: document.cookie (default "1") |
| sxss-mode-sequence | STRING | --sequence | Set sequence to first number. Example: https://~/view?no=SEQNC 3 (default -1) |
| ignore-status-codes | STRING | --ignore-return | Ignore scanning from return code. Example: 302,403,404 |
| do-not-print-all-logs | BOOLEAN | --silence | Not printing all logs |
| payload-mode-entity-gf | BOOLEAN | --entity-gf | Enumerate a gf-patterns xss params |
| payload-mode-enum-attr | BOOLEAN | --enum-attr | Enumerate a in-attr xss payloads |
| payload-mode-enum-html | BOOLEAN | --enum-html | Enumerate a in-html xss payloads |
| payload-mode-enum-injs | BOOLEAN | --enum-injs | Enumerate a in-js xss payloads |
| payload-mode-make-bulk | BOOLEAN | --make-bulk | Make bulk payloads for stored xss |
| use-only-custom-payload | BOOLEAN | --only-custom-payload | Only testing custom payload (required parameter custom-payloads) |
| payload-mode-encoder-url | BOOLEAN | --encoder-url | Encoding output |
| payload-mode-enum-common | BOOLEAN | --enum-common | Enumerate a common xss payloads |
| payload-mode-remote-payloadbox | BOOLEAN | --remote-payloadbox | Enumerate a payloadbox's xss payloads |
| payload-mode-entity-useful-tags | BOOLEAN | --entity-useful-tags | Enumerate a useful tags for xss |
| payload-mode-remote-portswigger | BOOLEAN | --remote-portswigger | Enumerate a portswigger xss cheatsheet payloads |
| payload-mode-entity-event-handler | BOOLEAN | --entity-event-handler | Enumerate a event handlers for xss |
| payload-mode-entity-special-chars | BOOLEAN | --entity-special-chars | Enumerate a special chars for xss |
example
# single URL: mine params, test for XSS, verify DOM/inJS in headless, emit jsonldalfox url 'https://example.com/?q=test' --blind https://xss.example.com --report-format jsonl # many targets from a file, run a command on every confirmed hitdalfox file urls.txt --found-action './notify.sh' --report-format jsonl[*] Mining parameters via DOM and dictionary (Gf-Patterns)...[I] Found 3 testing points in DOM mining[*] Start scanning https://example.com/ ...[V] Triggered XSS payload (verified in headless) on param: q[POC][V][GET] https://example.com/?q=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E[POC][R][GET] https://example.com/search?keyword=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E[POC][G][GET] https://example.com/item?id=1%27%22%3E%3C[*] Finished: 1 verified, 1 reflected, 1 grep-only across 3 paramsguidance
Use DalFox when you have parameterized URLs and want focused parameter analysis plus XSS testing in one tool. For a broad multi-class scan, run nuclei; for CRLF specifically, use crlfuzz. Feed DalFox the URLs a crawler or gau collected.
Ruby XSS scanner. DalFox is faster and has richer parameter mining.
Template-driven scanner covering many classes. Broader than DalFox's XSS focus.
Lightweight reflected-XSS finder. Faster triage, far less depth than DalFox.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target feeds gau to collect parameterized URLs, then DalFox mines and tests them for XSS and writes the confirmed findings as a queryable output.
Facts on this page come from the live Trickest tool library.