├── .github └── workflows │ ├── docker-image.yml │ └── xss-test.yml ├── Dockerfile ├── LICENSE ├── README.md └── action.yml /.github/workflows/docker-image.yml: -------------------------------------------------------------------------------- 1 | name: Docker build test 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ main ] 8 | 9 | jobs: 10 | 11 | build: 12 | 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - uses: actions/checkout@v2 17 | - name: Docker image build test 18 | run: docker build . 19 | -------------------------------------------------------------------------------- /.github/workflows/xss-test.yml: -------------------------------------------------------------------------------- 1 | name: Action vaild test 2 | on: [push] 3 | 4 | jobs: 5 | dalfox_scan: 6 | runs-on: ubuntu-latest 7 | name: Test scanning 8 | steps: 9 | - name: Checkout 10 | uses: actions/checkout@v2 11 | with: 12 | ref: main 13 | - name: Dalfox scan 14 | uses: hahwul/action-dalfox@main 15 | id: xss-result 16 | with: 17 | target: 'https://xss-game.appspot.com/level1/frame' 18 | mode: url 19 | cmd_options: '--follow-redirects' 20 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ghcr.io/hahwul/dalfox:main 2 | CMD ["/app/dalfox"] 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 HAHWUL 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom 
the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XSS scanning with Dalfox on Github-action 2 | 3 | ![Docker build test](https://github.com/hahwul/action-dalfox/workflows/Docker%20build%20test/badge.svg) ![Action vaild test](https://github.com/hahwul/action-dalfox/workflows/Action%20vaild%20test/badge.svg) 4 | 5 | ## Getting Started 6 | ### Usage 7 | ```yaml 8 | - name: Dalfox scan 9 | uses: hahwul/action-dalfox@main 10 | id: xss-result 11 | with: 12 | target: 'https://www.hahwul.com' 13 | mode: url 14 | cmd_options: '--follow-redirects' 15 | ``` 16 | - Modes: `url` `pipe` `file` `sxss` 17 | - Options: https://github.com/hahwul/dalfox#usage 18 | 19 | ### Output Handling 20 | Send slack/github issue/Submit JIRA, etc.. 
with found-action option 21 | ```yaml 22 | - name: Dalfox scan 23 | uses: hahwul/action-dalfox@main 24 | id: xss-result 25 | with: 26 | target: 'https://www.hahwul.com' 27 | mode: url 28 | cmd_options: '--found-action "curl -i -k"https://hooks.your.system"' 29 | - run: echo "XSS result - ${{ steps.xss-result.outputs.result }}" 30 | ``` 31 | - Found-Action: https://github.com/hahwul/dalfox/wiki/Found-action 32 | 33 | ## Sample 34 | ### Single URL Scanning 35 | xss.yaml 36 | ```yaml 37 | on: [push] 38 | 39 | jobs: 40 | dalfox_scan: 41 | runs-on: ubuntu-latest 42 | name: XSS Scanning 43 | steps: 44 | - name: Checkout 45 | uses: actions/checkout@v2 46 | with: 47 | ref: master 48 | - name: Dalfox scan 49 | uses: hahwul/action-dalfox@main 50 | id: xss-result 51 | with: 52 | target: 'https://xss-game.appspot.com/level1/frame' 53 | mode: url 54 | cmd_options: '--follow-redirects' 55 | ``` 56 | 57 | ### Multi URL Scanning 58 | xss.yaml 59 | ```yaml 60 | on: [push] 61 | 62 | jobs: 63 | dalfox_scan: 64 | runs-on: ubuntu-latest 65 | name: XSS Scanning 66 | steps: 67 | - name: Checkout 68 | uses: actions/checkout@v2 69 | with: 70 | ref: master 71 | - name: Dalfox scan 72 | uses: hahwul/action-dalfox@main 73 | id: xss-result 74 | with: 75 | target: 'https://xss-game.appspot.com/level1/frame\nhttps://www.hahwul.com?q=1234' 76 | mode: pipe 77 | ``` 78 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'XSS Scan with Dalfox' 2 | description: 'XSS Scanning the web application with the Dalfox' 3 | branding: 4 | icon: 'activity' 5 | color: 'purple' 6 | inputs: 7 | mode: 8 | description: 'Scanning Mode ( url / file / pipe / sxss )' 9 | required: true 10 | target: 11 | description: 'Target URL' 12 | required: true 13 | cmd_options: 14 | description: 'Additional command line options' 15 | required: false 16 | outputs: 17 | RESULT: 18 | description: 'Scan 
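Result'
runs:
  using: 'docker'
  # NOTE(review): this is a mutable tag, and a different registry/tag than the
  # Dockerfile in this repo (ghcr.io/hahwul/dalfox:main); pin a digest or build
  # from the Dockerfile so the scanner version used by the action is reproducible.
  image: 'docker://hahwul/dalfox:latest'
  args:
    - 'bash'
    - '-c'
    # Inputs are read from the INPUT_* environment variables that the runner sets
    # for Docker container actions, instead of being expanded with ${{ }} into the
    # shell script text, so a target or option containing shell metacharacters
    # cannot inject commands into this script. printf is used rather than echo so a
    # target beginning with "-" is not taken as an echo flag.
    # The target is quoted as its own argument; --silence and any extra options
    # follow it as separate words (previously target, --silence and cmd_options
    # were all inside one quoted argument, so they reached dalfox as a single
    # "target" string). cmd_options stays unquoted on purpose so each option is
    # passed as a separate word.
    - 'printf "%s\n" "$INPUT_TARGET" | /app/dalfox "$INPUT_MODE" "$INPUT_TARGET" --silence $INPUT_CMD_OPTIONS'
--------------------------------------------------------------------------------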