├── .github
│   ├── FUNDING.yml
│   ├── ISSUE_TEMPLATE
│   │   ├── anything.md
│   │   ├── bug_report.md
│   │   ├── feature_request.md
│   │   └── question.md
│   ├── dependabot.yml
│   └── workflows
│       ├── cd_dockerhub.yml
│       ├── cd_ghcr_publish.yml
│       ├── cd_jekyll.yml
│       ├── cd_snapcraft.yml
│       ├── ci_docker-image.yml
│       ├── ci_go.yml
│       ├── codecov.yml
│       ├── codeql-analysis.yml
│       ├── contributors.yml
│       ├── release-binaries.yml
│       └── test-functional.yml
├── .gitignore
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── CONTRIBUTORS.svg
├── Dockerfile
├── Gemfile
├── Gemfile.lock
├── LICENSE.txt
├── README.md
├── Rakefile
├── SECURITY.md
├── cmd
│   ├── args.go
│   ├── file.go
│   ├── payload.go
│   ├── pipe.go
│   ├── root.go
│   ├── server.go
│   ├── sxss.go
│   ├── url.go
│   └── version.go
├── codecov.yml
├── dalfox.go
├── dalfox_test.go
├── docs
│   ├── .ruby-version
│   ├── CNAME
│   ├── Gemfile
│   ├── Gemfile.lock
│   ├── README.md
│   ├── _advanced
│   │   ├── config.md
│   │   ├── features.md
│   │   ├── features
│   │   │   ├── bav.md
│   │   │   ├── command-flags.md
│   │   │   ├── custom-payload.md
│   │   │   ├── found-action.md
│   │   │   ├── grepping.md
│   │   │   ├── parameter-mining.md
│   │   │   ├── remote-payloads.md
│   │   │   ├── report.md
│   │   │   └── write-har.md
│   │   ├── resources.md
│   │   └── resources
│   │       ├── flags.md
│   │       ├── format-of-poc.md
│   │       ├── ipoint.md
│   │       ├── json.md
│   │       └── jsonl.md
│   ├── _community
│   │   ├── oneliner.md
│   │   └── resources.md
│   ├── _config.yml
│   ├── _includes
│   │   ├── head_custom.html
│   │   ├── mermaid_config.js
│   │   ├── nav_footer_custom.html
│   │   └── toc.md
│   ├── _plugins
│   │   └── generate_llms_full.rb
│   ├── _sass
│   │   └── color_schemes
│   │       └── dalfox.scss
│   ├── favicon.ico
│   ├── images
│   │   ├── bg-2.jpg
│   │   ├── bg.jpg
│   │   ├── favicon
│   │   │   ├── apple-touch-icon.png
│   │   │   ├── favicon-96x96.png
│   │   │   ├── favicon.ico
│   │   │   ├── favicon.svg
│   │   │   ├── site.webmanifest
│   │   │   ├── web-app-manifest-192x192.png
│   │   │   └── web-app-manifest-512x512.png
│   │   ├── illust.jpg
│   │   ├── logo-wide.png
│   │   ├── logo.png
│   │   ├── logonav.png
│   │   ├── page
│   │   │   └── running
│   │   │       ├── mcp-claude.jpg
│   │   │       └── mcp-vscode.jpg
│   │   └── screen.jpeg
│   ├── index.html
│   ├── llms.txt
│   ├── page
│   │   ├── installation.md
│   │   ├── modes
│   │   │   ├── file-mode.md
│   │   │   ├── payload-mode.md
│   │   │   ├── pipe-mode.md
│   │   │   ├── server-mode.md
│   │   │   ├── sxss-mode.md
│   │   │   └── url-mode.md
│   │   ├── output-handling.md
│   │   ├── overview.md
│   │   ├── running.md
│   │   ├── running
│   │   │   ├── code.md
│   │   │   ├── code
│   │   │   │   └── custom_transport.md
│   │   │   ├── github-action.md
│   │   │   ├── mcp.md
│   │   │   ├── scan-from-rawreq.md
│   │   │   ├── scan-multiple-url.md
│   │   │   └── scan-single-url.md
│   │   ├── update.md
│   │   └── usage.md
│   └── style.css
├── go.mod
├── go.sum
├── internal
│   ├── har
│   │   ├── client_tracer.go
│   │   ├── client_tracer_test.go
│   │   ├── har_test.go
│   │   ├── message_id.go
│   │   ├── message_id_test.go
│   │   ├── round_tripper.go
│   │   ├── round_tripper_test.go
│   │   ├── types.go
│   │   ├── types_test.go
│   │   └── writer.go
│   ├── optimization
│   │   ├── abstraction.go
│   │   ├── abstraction_test.go
│   │   ├── inspectionParam.go
│   │   ├── inspectionParam_test.go
│   │   ├── optimization.go
│   │   ├── optimization_test.go
│   │   ├── replace.go
│   │   └── replace_test.go
│   ├── payload
│   │   ├── bav.go
│   │   ├── bav_test.go
│   │   ├── bulk.go
│   │   ├── bulk_test.go
│   │   ├── entity.go
│   │   ├── entity_test.go
│   │   ├── remote.go
│   │   ├── remote_test.go
│   │   ├── xss.go
│   │   └── xss_test.go
│   ├── printing
│   │   ├── banner.go
│   │   ├── banner_test.go
│   │   ├── codeview.go
│   │   ├── codeview_test.go
│   │   ├── logger.go
│   │   ├── logger_test.go
│   │   ├── multispin.go
│   │   ├── multispin_test.go
│   │   ├── poc.go
│   │   ├── poc_test.go
│   │   ├── scan.go
│   │   ├── util.go
│   │   ├── util_test.go
│   │   └── version.go
│   ├── report
│   │   ├── report.go
│   │   └── report_test.go
│   ├── utils
│   │   ├── multicast.go
│   │   ├── multicast_test.go
│   │   ├── token.go
│   │   ├── token_test.go
│   │   ├── utils.go
│   │   └── utils_test.go
│   └── verification
│       ├── verify.go
│       └── verify_test.go
├── lib
│   ├── func.go
│   ├── func_test.go
│   ├── interface.go
│   └── interface_test.go
├── pkg
│   ├── model
│   │   ├── options.go
│   │   ├── param.go
│   │   └── result.go
│   ├── scanning
│   │   ├── bav.go
│   │   ├── bav_test.go
│   │   ├── csp.go
│   │   ├── csp_test.go
│   │   ├── discovery.go
│   │   ├── foundaction.go
│   │   ├── foundaction_test.go
│   │   ├── grep.go
│   │   ├── grep_test.go
│   │   ├── headless.go
│   │   ├── headless_test.go
│   │   ├── parameterAnalysis.go
│   │   ├── parameterAnalysis_test.go
│   │   ├── queries.go
│   │   ├── queries_test.go
│   │   ├── ratelimit.go
│   │   ├── scan.go
│   │   ├── scan_test.go
│   │   ├── scanning.go
│   │   ├── scanning_test.go
│   │   ├── sendReq.go
│   │   ├── sendReq_test.go
│   │   ├── staticAnlaysis.go
│   │   ├── staticAnlaysis_test.go
│   │   ├── transport.go
│   │   ├── transport_example.go
│   │   ├── transport_example_test.go
│   │   ├── transport_test.go
│   │   ├── waf.go
│   │   └── waf_test.go
│   └── server
│       ├── docs
│       │   ├── docs.go
│       │   ├── swagger.json
│       │   └── swagger.yaml
│       ├── mcp.go
│       ├── mcp_test.go
│       ├── model.go
│       ├── scan.go
│       ├── scan_test.go
│       ├── server.go
│       └── server_test.go
├── samples
│   ├── sample_config.json
│   ├── sample_custompayload.txt
│   ├── sample_found_action.sh
│   ├── sample_grep.json
│   ├── sample_lib.go.txt
│   ├── sample_rawdata.txt
│   └── sample_target.txt
├── snap
│   └── snapcraft.yaml
└── spec
    ├── challenges
    │   ├── testphp.vulnweb.com
    │   │   └── challenge_spec.rb
    │   └── xss-game.appspot.com
    │       └── challenge_spec.rb
    ├── functional_tests
    │   └── basic_spec.rb
    └── spec_helper.rb

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
github: hahwul

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/anything.md:
--------------------------------------------------------------------------------
---
name: Anything
about: Anything!
title: ''
labels: ''
assignees: ''

---


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: bug
assignees: ''

---

## Describe the bug
A clear and concise description of what the bug is.

## Environment
* Dalfox Version:
* Installed from: (e.g go-get/snapcraft/homebrew)

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: Feature request
assignees: ''

---


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
---
name: Question
about: If you have any questions, ask.
title: ''
labels: question
assignees: ''

---

## Question
Your questions

## Environment
* Dalfox Version:
* Installed from: (e.g go-get/snapcraft/homebrew)

--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: gomod
    directory: "/"
    schedule:
      interval: daily
      time: "20:00"
    open-pull-requests-limit: 10
    target-branch: "main"

--------------------------------------------------------------------------------
/.github/workflows/cd_dockerhub.yml:
--------------------------------------------------------------------------------
---
name: docker
on:
  push:
    tags: [v*.*.*]
  workflow_dispatch:
jobs:
  dockerhub-publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: hahwul/dalfox
          tags: |
            type=semver,pattern=v{{major}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
        with:
          platforms: linux/amd64,linux/arm64
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v3
        with:
          context: ./
          file: ./Dockerfile
          builder: ${{ steps.buildx.outputs.name }}
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

--------------------------------------------------------------------------------
/.github/workflows/cd_ghcr_publish.yml:
--------------------------------------------------------------------------------
---
name: GHCR Publish
on:
  push:
    tags: [v*.*.*]
  workflow_dispatch:
env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      # This is used to complete the identity challenge
      # with sigstore/fulcio when running outside of PRs.
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install the cosign tool except on PR
      # https://github.com/sigstore/cosign-installer
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.1.1
        with:
          cosign-release: v2.1.1

      # Using QEMU for multiple platforms
      # https://github.com/docker/build-push-action?tab=readme-ov-file#usage
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v3

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64, linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max

--------------------------------------------------------------------------------
/.github/workflows/cd_jekyll.yml:
--------------------------------------------------------------------------------
---
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll site to Pages
on:
  # Runs on pushes targeting the default branch
  push:
    branches: [main]
    paths:
      - docs/**/*

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
  contents: read
  pages: write
  id-token: write
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
  group: pages
  cancel-in-progress: false
jobs:
  # Build job
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1.213.0
        with:
          ruby-version: '3.4' # Not needed with a .ruby-version file
          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
          cache-version: 0 # Increment this number if you need to re-download cached gems
          working-directory: docs # Needed if your Gemfile is not in the root directory
      - name: Setup Pages
        id: pages
        uses: actions/configure-pages@v4
      - name: Build with Jekyll
        # Outputs to the './_site' directory by default
        run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
        env:
          JEKYLL_ENV: production
        working-directory: docs
      - name: Upload artifact
        # Automatically uploads an artifact from the './_site' directory by default
        uses: actions/upload-pages-artifact@v3
        with:
          path: docs/_site

  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4

--------------------------------------------------------------------------------
/.github/workflows/cd_snapcraft.yml:
--------------------------------------------------------------------------------
---
name: Snapcraft tab Publish
on:
  push:
    tags: [not-trigger-v*.*.*]
  workflow_dispatch:
jobs:
  snapcraft-releaser:
    runs-on: ubuntu-latest
    name: snapcraft-releaser
    strategy:
      fail-fast: false
      matrix:
        platform:
          - amd64
          - armhf
          - arm64
          - ppc64el
    steps:
      - name: Check out Git repository
        uses: actions/checkout@v3
      - uses: diddlesnaps/snapcraft-multiarch-action@v1
        with:
          architecture: ${{ matrix.platform }}
        id: build
      - uses: diddlesnaps/snapcraft-review-action@v1
        with:
          snap: ${{ steps.build.outputs.snap }}
      - uses: snapcore/action-publish@master
        env:
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAP_STORE_LOGIN }}
        with:
          snap: ${{ steps.build.outputs.snap }}
          release: stable

--------------------------------------------------------------------------------
/.github/workflows/ci_docker-image.yml:
--------------------------------------------------------------------------------
---
name: CI Docker
on:
  push:
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
  pull_request:
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag hahwul/dalfox:$(date +%s)

--------------------------------------------------------------------------------
/.github/workflows/ci_go.yml:
--------------------------------------------------------------------------------
---
name: CI Go
on:
  push:
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
  pull_request:
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go: ['1.23']
    steps:
      - name: Set up Go ${{ matrix.go }}
        uses: actions/setup-go@v4
        with:
          go-version: ${{ matrix.go }}
        id: go
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Get dependencies
        run: |
          go get -v -t -d ./...
          if [ -f Gopkg.toml ]; then
            curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
            dep ensure
          fi
      - name: Build
        run: go build -v .
      - name: Library unit-test
        run: go test lib/*

--------------------------------------------------------------------------------
/.github/workflows/codecov.yml:
--------------------------------------------------------------------------------
---
name: Coverage
on:
  push:
    branches: [main]
    paths:
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
      - codecov.yml
  pull_request:
    branches: [main]
    paths:
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
      - codecov.yml
  workflow_dispatch:
    inputs:
      logLevel:
        description: manual run
        required: false
        default: ''
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 2
      - uses: actions/setup-go@v2
        with:
          go-version: '1.24'
      - name: Run coverage
        run: go test -coverprofile=coverage.txt -covermode=atomic ./...
      - name: Upload results to Codecov
        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

--------------------------------------------------------------------------------
/.github/workflows/codeql-analysis.yml:
--------------------------------------------------------------------------------
---
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: CodeQL
on:
  push:
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [main]
    paths:
      - cmd/**/*
      - pkg/**/*
      - lib/**/*
      - go.mod
      - dalfox.go
      - Dockerfile
  schedule:
    - cron: 40 14 * * 2
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [go]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v1
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # queries: ./path/to/local/query, your-org/your-repo/queries@main

      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
        uses: github/codeql-action/autobuild@v1

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 https://git.io/JvXDl

      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
      #    and modify them (or add more) to build your code if your project
      #    uses a compiled language

      #- run: |
      #   make bootstrap
      #   make release
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v1

--------------------------------------------------------------------------------
/.github/workflows/contributors.yml:
--------------------------------------------------------------------------------
---
name: Contributors
on:
  schedule:
    - cron: 0 1 * * 0 # At 01:00 on Sunday.
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      logLevel:
        description: manual run
        required: false
        default: ''
jobs:
  contributors:
    runs-on: ubuntu-latest
    steps:
      - uses: wow-actions/contributors-list@v1
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          round: false
          includeBots: true

--------------------------------------------------------------------------------
/.github/workflows/release-binaries.yml:
--------------------------------------------------------------------------------
name: Release Binaries

on:
  release:
    types: [published]

permissions:
  contents: write # Required to write release assets

jobs:
  build-and-upload:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: '1.24' # Or a version appropriate for the project

      - name: Build for Linux (amd64)
        run: |
          GOOS=linux GOARCH=amd64 go build -v -o dalfox-linux-amd64 ./dalfox.go
          tar -czvf dalfox-linux-amd64.tar.gz dalfox-linux-amd64

      - name: Build for Linux (arm64)
        run: |
          GOOS=linux GOARCH=arm64 go build -v -o dalfox-linux-arm64 ./dalfox.go
          tar -czvf dalfox-linux-arm64.tar.gz dalfox-linux-arm64

      - name: Build for Windows (amd64)
        run: |
          GOOS=windows GOARCH=amd64 go build -v -o dalfox-windows-amd64.exe ./dalfox.go
          zip dalfox-windows-amd64.zip dalfox-windows-amd64.exe

      - name: Build for Windows (arm64)
        run: |
          GOOS=windows GOARCH=arm64 go build -v -o dalfox-windows-arm64.exe ./dalfox.go
          zip dalfox-windows-arm64.zip dalfox-windows-arm64.exe

      - name: Build for macOS (amd64)
        run: |
          GOOS=darwin GOARCH=amd64 go build -v -o dalfox-darwin-amd64 ./dalfox.go
          tar -czvf dalfox-darwin-amd64.tar.gz dalfox-darwin-amd64

      - name: Build for macOS (arm64)
        run: |
          GOOS=darwin GOARCH=arm64 go build -v -o dalfox-darwin-arm64 ./dalfox.go
          tar -czvf dalfox-darwin-arm64.tar.gz dalfox-darwin-arm64

      - name: Upload Linux (amd64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-linux-amd64.tar.gz
          asset_name: dalfox-linux-amd64.tar.gz
          tag: ${{ github.ref }}
          overwrite: true

      - name: Upload Linux (arm64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-linux-arm64.tar.gz
          asset_name: dalfox-linux-arm64.tar.gz
          tag: ${{ github.ref }}
          overwrite: true

      - name: Upload Windows (amd64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-windows-amd64.zip
          asset_name: dalfox-windows-amd64.zip
          tag: ${{ github.ref }}
          overwrite: true

      - name: Upload Windows (arm64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-windows-arm64.zip
          asset_name: dalfox-windows-arm64.zip
          tag: ${{ github.ref }}
          overwrite: true

      - name: Upload macOS (amd64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-darwin-amd64.tar.gz
          asset_name: dalfox-darwin-amd64.tar.gz
          tag: ${{ github.ref }}
          overwrite: true

      - name: Upload macOS (arm64) artifact
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: dalfox-darwin-arm64.tar.gz
          asset_name: dalfox-darwin-arm64.tar.gz
          tag: ${{ github.ref }}
          overwrite: true

--------------------------------------------------------------------------------
/.github/workflows/test-functional.yml:
--------------------------------------------------------------------------------
---
name: Functional Test
on:
  workflow_dispatch:
  # push:
  #   branches: [main]
  # pull_request:
  #   branches: [main]
jobs:
  test:
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24' # Match your go.mod
      - name: Build dalfox
        run: go build -o dalfox .
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1.213.0
        with:
          ruby-version: 3.4.0 # Match bundle path
          bundler-cache: true
          cache-version: 1
      - name: Install Ruby dependencies
        run: bundle install # Default gem location
      - name: Run RSpec tests
        run: bundle exec rspec
        env:
          PATH: ${{ github.workspace }}:$PATH # Ensure dalfox is in PATH

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
### Go ###
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Dependency directories (remove the comment below to include it)
# vendor/

### Go Patch ###
/vendor/
/Godeps/

### Dalfox
dalfox

### Docs/Site
/docs/_site

--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at hahwul@gmail.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html

[homepage]: https://www.contributor-covenant.org

For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
## How to contribute
- First, fork this repository into your GitHub account
- Second, clone the repository and switch to the main branch
- Finally, write your code, push it, and open a PR to me

## Writing code
I'm checking the quality of code through Codacy when PR/Merge/Push. If you want to consider code quality in advance, please check the link below (not perfect, but very helpful).

https://goreportcard.com/report/github.com/hahwul/dalfox

e.g: `https://goreportcard.com/report/github.com/{your github account}/dalfox`

## Build
```
$ go build
```

## Case study
### How to add a testing vector for XSS
- Add the new vector to https://github.com/hahwul/dalfox/blob/master/pkg/scanning/payload.go
- Every vector adds requests and can affect performance, so please add general, non-overlapping patterns.

### How to add a new entity (e.g. event handler)
- Add the new pattern to https://github.com/hahwul/dalfox/blob/master/pkg/scanning/entity.go

### How to add BAV (Basic Another Vulnerability) patterns
- Add the new check to https://github.com/hahwul/dalfox/blob/master/pkg/scanning/bav.go
- The payload used by that check needs to be defined in:
  + https://github.com/hahwul/dalfox/blob/master/pkg/scanning/payload.go
- Add a grepping pattern for the response in:
  + https://github.com/hahwul/dalfox/blob/master/pkg/scanning/grep.go
- e.g

payload.go
```go
func GetSQLIPayload() []string {
	payload := []string{
		"'",
		"''",
		//... snip ...
		" AND 1=1#",
		" AND 1=0#",
		" ORDER BY 1",
	}
	return payload
}
```

bav.go
```go
// SqliAnalysis is a basic check for SQL Injection
func SqliAnalysis(target string, options model.Options) {
	// sqli payload
	bpu, _ := url.Parse(target)
	bpd := bpu.Query()
	var wg sync.WaitGroup
	concurrency := options.Concurrence
	reqs := make(chan *http.Request)

	// worker pool: each goroutine drains the request channel
	for i := 0; i < concurrency; i++ {
		wg.Add(1)
		go func() {
			for req := range reqs {
				SendReq(req, "toGrepping", options)
			}
			wg.Done()
		}()
	}

	// one request per query parameter per payload
	for bpk := range bpd {
		// Load payload here!
		for _, sqlipayload := range GetSQLIPayload() {
			turl, _ := optimization.MakeRequestQuery(target, bpk, sqlipayload, "toGrepping", options)
			reqs <- turl
		}
	}
	close(reqs)
	wg.Wait()
}
```

grep.go
```go
//mysql
"dalfox-error-mysql1": "SQL syntax.*?MySQL",
"dalfox-error-mysql2": "Warning.*?mysqli?",
"dalfox-error-mysql3": "MySQLSyntaxErrorException",
"dalfox-error-mysql4": "valid MySQL result",
"dalfox-error-mysql5": "check the manual that (corresponds to|fits) your MySQL server version",
"dalfox-error-mysql6": "check the manual that (corresponds to|fits) your MariaDB server version",
"dalfox-error-mysql7": "check the manual that (corresponds to|fits) your Drizzle server version",
"dalfox-error-mysql8": "Unknown column '[^ ]+' in 'field list'",
"dalfox-error-mysql9": "com\\.mysql\\.jdbc",
"dalfox-error-mysql10": "Zend_Db_(Adapter|Statement)_Mysqli_Exception",
"dalfox-error-mysql11": "MySqlException",
"dalfox-error-mysql12": "Syntax error or access violation",
```

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
# === BUILDER ===
FROM golang:latest AS builder
WORKDIR /go/src/app

# Install dependencies
COPY go.mod go.sum ./
RUN go mod download

# Copy the source code
COPY . .
RUN go build -o dalfox

# === RUNNER ===
FROM debian:bookworm
RUN mkdir /app

# Copy the binary from the builder stage
COPY --from=builder /go/src/app/dalfox /app/dalfox
COPY --from=builder /go/src/app/samples /app/samples

WORKDIR /app/
CMD ["/app/dalfox"]

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
# frozen_string_literal: true
source 'https://rubygems.org'

gem 'aruba', '~> 2.3'
gem 'rake', '~> 13.0'
gem 'rspec', '~> 3.13'
gem 'rspec-core', '~> 3.13' # Explicitly include rspec-core
gem 'logger'

--------------------------------------------------------------------------------
/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: https://rubygems.org/
  specs:
    aruba (2.3.0)
      bundler (>= 1.17, < 3.0)
      contracts (>= 0.16.0, < 0.18.0)
      cucumber (>= 8.0, < 10.0)
      rspec-expectations (~> 3.4)
      thor (~> 1.0)
    bigdecimal (3.1.9)
    builder (3.3.0)
    contracts (0.17.2)
    cucumber (9.2.1)
      builder (~> 3.2)
      cucumber-ci-environment (> 9, < 11)
      cucumber-core (> 13, < 14)
      cucumber-cucumber-expressions (~> 17.0)
      cucumber-gherkin (> 24, < 28)
      cucumber-html-formatter (> 20.3, < 22)
      cucumber-messages (> 19, < 25)
      diff-lcs (~> 1.5)
      mini_mime (~> 1.1)
      multi_test (~> 1.1)
      sys-uname (~> 1.2)
    cucumber-ci-environment (10.0.1)
    cucumber-core (13.0.3)
      cucumber-gherkin (>= 27, < 28)
      cucumber-messages (>= 20, < 23)
      cucumber-tag-expressions (> 5, < 7)
    cucumber-cucumber-expressions (17.1.0)
      bigdecimal
    cucumber-gherkin (27.0.0)
      cucumber-messages (>= 19.1.4, < 23)
    cucumber-html-formatter (21.9.0)
      cucumber-messages (> 19, < 28)
    cucumber-messages (22.0.0)
    cucumber-tag-expressions (6.1.2)
    diff-lcs (1.5.1)
    ffi (1.17.1)
    ffi (1.17.1-aarch64-linux-gnu)
    ffi (1.17.1-aarch64-linux-musl)
    ffi (1.17.1-arm-linux-gnu)
    ffi (1.17.1-arm-linux-musl)
    ffi (1.17.1-arm64-darwin)
    ffi (1.17.1-x86-linux-gnu)
    ffi (1.17.1-x86-linux-musl)
    ffi (1.17.1-x86_64-darwin)
    ffi (1.17.1-x86_64-linux-gnu)
    ffi (1.17.1-x86_64-linux-musl)
    logger (1.6.5)
    mini_mime (1.1.5)
    multi_test (1.1.0)
    rake (13.2.1)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
    rspec-core (3.13.2)
      rspec-support (~> 3.13.0)
    rspec-expectations (3.13.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-mocks (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-support (3.13.2)
    sys-uname (1.3.1)
      ffi (~> 1.1)
    thor (1.3.2)

PLATFORMS
  aarch64-linux-gnu
  aarch64-linux-musl
  arm-linux-gnu
  arm-linux-musl
  arm64-darwin
  ruby
  x86-linux-gnu
  x86-linux-musl
  x86_64-darwin
  x86_64-linux-gnu
  x86_64-linux-musl

DEPENDENCIES
  aruba (~> 2.3)
  logger
  rake (~> 13.0)
  rspec (~> 3.13)
  rspec-core (~> 3.13)

BUNDLED WITH
   2.6.3

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2020 hahwul

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Dalfox is a powerful open-source tool that focuses on automation, making it ideal for quickly scanning for XSS flaws and analyzing parameters. Its advanced testing engine and niche features are designed to streamline the process of detecting and verifying vulnerabilities.

## Key features

* Modes: `URL`, `SXSS`, `Pipe`, `File`, `Server`, `Payload`
* Discovery: Parameter analysis, static analysis, BAV testing, parameter mining
* XSS Scanning: Reflected, Stored, DOM-based, with optimization and DOM/headless verification
* HTTP Options: Custom headers, cookies, methods, proxy, and more
* Output: JSON/Plain formats, silence mode, detailed reports
* Extensibility: REST API, custom payloads, remote wordlists

And the various options required for the testing :D

## Installation
### Homebrew (macOS/Linux)
```bash
brew install dalfox

# https://formulae.brew.sh/formula/dalfox
```

### Snapcraft (Ubuntu)
```bash
sudo snap install dalfox
```

### From Source

```bash
go install github.com/hahwul/dalfox/v2@latest
```

See [Installation guide](https://dalfox.hahwul.com/docs/installation/) for details.

## Usage
```bash
dalfox [mode] [target] [flags]
```

* Single URL: `dalfox url http://example.com -b https://callback`
* File Mode: `dalfox file urls.txt --custom-payload mypayloads.txt`
* Pipeline: `cat urls.txt | dalfox pipe -H "AuthToken: xxx"`

Check the [Usage](https://dalfox.hahwul.com/page/usage/) and [Running](https://dalfox.hahwul.com/page/running/) documents for more examples.

## Contributing
If you want to contribute to this project, please see [CONTRIBUTING.md](https://github.com/hahwul/dalfox/blob/main/CONTRIBUTING.md) and open a pull request with your cool contents.
[![](/CONTRIBUTORS.svg)](https://github.com/hahwul/dalfox/graphs/contributors)

## About the Name
As for the name, Dal([달](https://en.wiktionary.org/wiki/달)) is the Korean word for "moon," while "Fox" stands for "Finder Of XSS" or 🦊

![](docs/images/illust.jpg)

--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
# frozen_string_literal: true

require 'rspec/core/rake_task'
require 'net/http'
require 'json'

namespace :test do
  desc 'Set up the test environment for functional tests'
  task :functional_setup do
    sh 'go mod vendor'
    sh 'go build -o dalfox .' # Explicitly name the output binary
  end

  desc 'Run the functional tests'
  RSpec::Core::RakeTask.new(functional: :functional_setup) do |t|
    t.pattern = 'spec/functional_tests/**/*_spec.rb'
    t.verbose = true # More output for debugging
  end

  desc 'Run the unit tests'
  task :unit do
    sh 'go test ./...'
  end

  desc 'Run all tests'
  task :all do
    Rake::Task['test:functional'].invoke
    Rake::Task['test:unit'].invoke
  end
end

namespace :docs do
  desc 'Serve the documentation site'
  task :serve do
    within_docs_directory do
      unless system('bundle check')
        puts "Bundler is not installed or dependencies are not met. Please run 'rake docs:install'."
        exit 1
      end
      sh 'bundle exec jekyll s'
    end
  end

  desc 'Install dependencies for the documentation site'
  task :install do
    within_docs_directory do
      sh 'bundle install'
    end
  end

  # Runs the block inside the docs directory and aborts the task with a
  # readable message when the directory is missing or the block fails.
  def within_docs_directory(&block)
    Dir.chdir('docs', &block)
  rescue Errno::ENOENT => e
    puts "Directory 'docs' not found: #{e.message}"
    exit 1
  rescue StandardError => e
    puts "An error occurred: #{e.message}"
    exit 1
  end
end

namespace :assets do
  desc 'Check remote assets'
  task :check do

    # Fetches one remote payload/wordlist JSON file and prints it.
    def check(endpoint)
      url = URI("https://assets.hahwul.com/#{endpoint}.json")
      response = Net::HTTP.get(url)

      data = JSON.parse(response)
      puts data
    end

    endpoints = [
      'xss-portswigger',
      'xss-payloadbox',
      'wl-params',
      'wl-assetnote-params'
    ]

    endpoints.each do |target|
      check target
    end
  end
end

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
# Security Policy

## Reporting a Vulnerability

Found a security issue? Let us know so we can fix it.

### How to Report

* **For general security concerns**, please open a [GitHub issue](https://github.com/hahwul/dalfox/issues). Use the `security` label and describe the issue in as much detail as you can. This helps us to understand and address the problem more effectively.
* **For sensitive matters**, we encourage you to email [me](mailto:hahwul@gmail.com) directly. Handling these issues discreetly is vital for everyone's safety.

## Conclusion
Your vigilance and willingness to report security issues are what help keep our project robust and secure. We appreciate the time and effort you put into making our community a safer place.
Remember, no concern is too small; we're here to listen and act. Together, we can ensure a secure environment for all our users and contributors. Thank you for being an essential part of our project's security.

Thank you for your support in maintaining the security and integrity of our project!

--------------------------------------------------------------------------------
/cmd/args.go:
--------------------------------------------------------------------------------
package cmd

// Args holds every command-line flag value shared by the dalfox modes.
type Args struct {
	Header                    []string
	P                         []string
	IgnoreParams              []string
	Config                    string
	Cookie                    string
	Data                      string
	CustomPayload             string
	CustomAlertValue          string
	CustomAlertType           string
	UserAgent                 string
	Blind                     string
	Output                    string
	Format                    string
	FoundAction               string
	FoundActionShell          string
	Proxy                     string
	Grep                      string
	IgnoreReturn              string
	MiningWord                string
	Method                    string
	CookieFromRaw             string
	RemotePayloads            string
	RemoteWordlists           string
	OnlyPoC                   string
	PoCType                   string
	ReportFormat              string
	HarFilePath               string
	CustomBlindXSSPayloadFile string
	Timeout                   int
	Delay                     int
	Concurrence               int
	MaxCPU                    int
	OnlyDiscovery             bool
	Silence                   bool
	Mining                    bool
	FindingDOM                bool
	FollowRedirect            bool
	NoColor                   bool
	NoSpinner                 bool
	UseBAV                    bool
	SkipBAV                   bool
	SkipMiningDom             bool
	SkipMiningDict            bool
	SkipMiningAll             bool
	SkipXSSScan               bool
	OnlyCustomPayload         bool
	SkipGrep                  bool
	Debug                     bool
	SkipHeadless              bool
	UseDeepDXSS               bool
	OutputAll                 bool
	WAFEvasion                bool
	ReportBool                bool
	OutputRequest             bool
	OutputResponse            bool
	SkipDiscovery             bool
	ForceHeadlessVerification bool
}

--------------------------------------------------------------------------------
/cmd/payload.go:
--------------------------------------------------------------------------------
package cmd

import (
	"strconv"

	"github.com/hahwul/dalfox/v2/internal/optimization"
	"github.com/hahwul/dalfox/v2/internal/payload"
	"github.com/hahwul/dalfox/v2/internal/printing"
	"github.com/spf13/cobra"
)

var makeBulk bool
var enumCommon, enumHTML, enumAttr, enumInJS bool
var remotePayloadbox, remotePortswigger bool
var entityGF, entityEventHandler, entityUsefulTags, entitySpecialChars bool
var urlEncode bool

// Object is Type of PayloadObject
type Object struct {
	Use      bool
	Name     string
	Listener func() ([]string, int)
}

// payloadCmd represents the payload command
var payloadCmd = &cobra.Command{
	Use:   "payload",
	Short: "Payload mode, make and enum payloads",
	Run:   runPayloadCmd,
}

func runPayloadCmd(cmd *cobra.Command, args []string) {
	printing.Banner(options)
	objects := initializeObjects()
	for _, object := range objects {
		if object.Use {
			// Each listener returns the payload list and its line count.
			lst, s := object.Listener()
			printing.DalLog("INFO", "["+object.Name+"][Line: "+strconv.Itoa(s)+"]", options)
			plst := optimization.SetPayloadValue(lst, options)
			for _, v := range plst {
				if urlEncode {
					printing.DalLog("YELLOW", optimization.UrlEncode(v), options)
				} else {
					printing.DalLog("YELLOW", v, options)
				}
			}
		}
	}
}

func initializeObjects() []Object {
	return []Object{
		{Use: makeBulk, Name: "Bulk-XSS", Listener: payload.GenerateBulkPayload},
		{Use: enumCommon, Name: "Enum-Common-XSS", Listener: payload.GetCommonPayloadWithSize},
		{Use: enumHTML, Name: "Enum-HTML-XSS", Listener: payload.GetHTMLPayloadWithSize},
		{Use: enumAttr, Name: "Enum-Attribute-XSS", Listener: payload.GetAttrPayloadWithSize},
		{Use: enumInJS, Name: "Enum-inJS-XSS", Listener: payload.GetInJsPayloadWithSize},
		{Use: remotePayloadbox, Name: "Remote-Payloadbox-Payloads", Listener: payload.GetPayloadBoxPayloadWithSize},
		{Use: remotePortswigger, Name: "Remote-Portswigger-Payloads", Listener: payload.GetPortswiggerPayloadWithSize},
		{Use: entityGF, Name: "Entity-GF-Patterns", Listener: payload.InterfaceGetGfXSS},
		{Use: entityEventHandler, Name: "Entity-Event-Handlers", Listener: payload.InterfaceGetEventHandlers},
		{Use: entityUsefulTags, Name: "Entity-Useful-Tags", Listener: payload.InterfaceGetTags},
		{Use: entitySpecialChars, Name: "Entity-Special-Chars", Listener: payload.InterfaceGetSpecialChar},
	}
}

func init() {
	rootCmd.AddCommand(payloadCmd)
	payloadCmd.Flags().BoolVar(&makeBulk, "make-bulk", false, "Generate bulk payloads for stored XSS. Example: --make-bulk")
	payloadCmd.Flags().BoolVar(&enumCommon, "enum-common", false, "Enumerate common XSS payloads. Example: --enum-common")
	payloadCmd.Flags().BoolVar(&enumHTML, "enum-html", false, "Enumerate in-HTML XSS payloads. Example: --enum-html")
	payloadCmd.Flags().BoolVar(&enumAttr, "enum-attr", false, "Enumerate in-attribute XSS payloads. Example: --enum-attr")
	payloadCmd.Flags().BoolVar(&enumInJS, "enum-injs", false, "Enumerate in-JavaScript XSS payloads. Example: --enum-injs")
	payloadCmd.Flags().BoolVar(&remotePayloadbox, "remote-payloadbox", false, "Enumerate payloads from Payloadbox's XSS payloads. Example: --remote-payloadbox")
	payloadCmd.Flags().BoolVar(&remotePortswigger, "remote-portswigger", false, "Enumerate payloads from PortSwigger's XSS cheatsheet. Example: --remote-portswigger")
	payloadCmd.Flags().BoolVar(&entityGF, "entity-gf", false, "Enumerate parameters from GF-Patterns for XSS. Example: --entity-gf")
	payloadCmd.Flags().BoolVar(&entityEventHandler, "entity-event-handler", false, "Enumerate event handlers for XSS. Example: --entity-event-handler")
	payloadCmd.Flags().BoolVar(&entityUsefulTags, "entity-useful-tags", false, "Enumerate useful tags for XSS. Example: --entity-useful-tags")
	payloadCmd.Flags().BoolVar(&entitySpecialChars, "entity-special-chars", false, "Enumerate special characters for XSS. Example: --entity-special-chars")
	payloadCmd.Flags().BoolVar(&urlEncode, "encoder-url", false, "Encode output as URL. Example: --encoder-url")
}

--------------------------------------------------------------------------------
/cmd/server.go:
--------------------------------------------------------------------------------
package cmd

import (
	"github.com/hahwul/dalfox/v2/internal/printing"
	"github.com/hahwul/dalfox/v2/pkg/server"
	"github.com/spf13/cobra"
)

var port int
var host, server_type string

// serverCmd represents the server command
var serverCmd = &cobra.Command{
	Use:   "server",
	Short: "Start API Server",
	Run:   runServerCmd,
}

func runServerCmd(cmd *cobra.Command, args []string) {
	printing.Banner(options)
	options.ServerHost = host
	options.ServerPort = port

	switch server_type {
	case "mcp":
		printing.DalLog("SYSTEM", "Starting MCP Server", options)
		printing.Summary(options, "MCP Server Mode")
		server.RunMCPServer(options)
	default:
		printing.DalLog("SYSTEM", "Starting REST API Server", options)
		printing.Summary(options, "REST API Mode")
		server.RunAPIServer(options)
	}
}

func init() {
	rootCmd.AddCommand(serverCmd)
	serverCmd.Flags().IntVar(&port, "port", 6664, "Specify the port to bind the server to. Example: --port 6664")
	// The default host binds every interface; pass --host '127.0.0.1' to keep the API local.
	serverCmd.Flags().StringVar(&host, "host", "0.0.0.0", "Specify the address to bind the server to. Example: --host '0.0.0.0'")
	serverCmd.Flags().StringVar(&server_type, "type", "rest", "Specify the server type. Example: --type 'rest' or --type 'mcp'")
}

--------------------------------------------------------------------------------
/cmd/sxss.go:
--------------------------------------------------------------------------------
package cmd

import (
	"github.com/hahwul/dalfox/v2/internal/printing"
	"github.com/hahwul/dalfox/v2/pkg/scanning"
	"github.com/spf13/cobra"
)

var trigger, requestMethod string
var sequence int

// sxssCmd represents the sxss command
var sxssCmd = &cobra.Command{
	Use:   "sxss [target] [flags]",
	Short: "Use Stored XSS mode",
	Run:   runSxssCmd,
}

func runSxssCmd(cmd *cobra.Command, args []string) {
	printing.Banner(options)
	if len(args) == 0 {
		printSXSSErrorAndUsage()
		return
	}

	printing.Summary(options, args[0])
	options.Trigger = trigger
	options.Sequence = sequence
	options.TriggerMethod = requestMethod
	// Stored XSS checks are serialized and given a minimum delay so the
	// trigger URL is fetched after each injection has been stored.
	options.Concurrence = 1
	if options.Delay <= 1500 {
		options.Delay = 1500
	}

	if options.Trigger != "" {
		printing.DalLog("SYSTEM", "Using Stored XSS mode", options)
		if options.Format == "json" {
			printing.DalLog("PRINT", "[", options)
		}
		_, _ = scanning.Scan(args[0], options, "Single")
		if options.Format == "json" {
			printing.DalLog("PRINT", "{}]", options)
		}
	} else {
		printing.DalLog("ERROR", "Please input trigger url with --trigger option", options)
	}
}

func printSXSSErrorAndUsage() {
	printing.DalLog("ERROR", "Input target url", options)
	printing.DalLog("ERROR", "e.g dalfox sxss https://google.com/?q=1 --trigger https://target/profile", options)
}

func init() {
	rootCmd.AddCommand(sxssCmd)
	sxssCmd.PersistentFlags().StringVar(&requestMethod, "request-method", "GET", "Specify the HTTP request method to send to the server. Example: --request-method 'POST'")
	sxssCmd.PersistentFlags().StringVar(&trigger, "trigger", "", "Specify the URL to check after injecting SXSS code. Example: --trigger 'https://example.com/profile'")
	sxssCmd.PersistentFlags().IntVar(&sequence, "sequence", -1, "Set the initial sequence number for the trigger URL. Example: --trigger 'https://example.com/view?no=SEQNC' --sequence 3")
}

--------------------------------------------------------------------------------
/cmd/url.go:
--------------------------------------------------------------------------------
package cmd

import (
	"github.com/hahwul/dalfox/v2/internal/printing"
	"github.com/hahwul/dalfox/v2/pkg/scanning"
	"github.com/spf13/cobra"
)

// urlCmd represents the url command
var urlCmd = &cobra.Command{
	Use:   "url [target] [flags]",
	Short: "Use single target mode",
	Run:   runURLCmd,
}

func runURLCmd(cmd *cobra.Command, args []string) {
	printing.Banner(options)
	if len(args) == 0 {
		printUrlErrorAndUsage()
		return
	}

	printing.Summary(options, args[0])
	printing.DalLog("SYSTEM", "Using single target mode", options)
	if options.Format == "json" {
		printing.DalLog("PRINT", "[", options)
	}
	_, _ = scanning.Scan(args[0], options, "Single")
	if options.Format == "json" {
		printing.DalLog("PRINT", "{}]", options)
	}
}

func printUrlErrorAndUsage() {
	printing.DalLog("ERROR", "Input target url", options)
	printing.DalLog("ERROR", "e.g dalfox url https://google.com/?q=1", options)
}

func init() {
	rootCmd.AddCommand(urlCmd)
}

--------------------------------------------------------------------------------
/cmd/version.go:
--------------------------------------------------------------------------------
package cmd

import (
	"github.com/hahwul/dalfox/v2/internal/printing"
	"github.com/spf13/cobra"
)

// versionCmd represents the version command
var versionCmd = &cobra.Command{
	Use:   "version",
	Short: "Show version",
	Run: func(cmd *cobra.Command, args []string) {
		printing.Banner(options)
		printing.DalLog("YELLOW", printing.VERSION, options)
	},
}

func init() {
	rootCmd.AddCommand(versionCmd)
}

--------------------------------------------------------------------------------
/codecov.yml:
--------------------------------------------------------------------------------
ignore:
  - cmd
  - pkg/server/docs/docs.go

--------------------------------------------------------------------------------
/dalfox.go:
--------------------------------------------------------------------------------
/*
Code by @hahwul
Happy hacking :D
*/
package main

import (
	"runtime"

	"github.com/hahwul/dalfox/v2/cmd"
)

func main() {
	// Default setting
	runtime.GOMAXPROCS(1)
	cmd.Execute()
}

--------------------------------------------------------------------------------
/dalfox_test.go:
--------------------------------------------------------------------------------
/*
Code by @hahwul
Happy hacking :D
*/
package main

import (
	"bytes"
	"os"
	"testing"
)

func Test_main(t *testing.T) {
	tests := []struct {
		name string
	}{
		{name: "Test case 1"},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Redirect stdout to capture output
			old := os.Stdout
			r, w, _ := os.Pipe()
			os.Stdout = w

			// Call the main function
			main()

			// Capture the output
			w.Close()
			var buf bytes.Buffer
			buf.ReadFrom(r)
			os.Stdout = old

			// Check the output
			got := buf.String()
			if len(got) > 0 {
				t.Errorf("main() = %v, want %v", got, nil)
			}
		})
	}
}

--------------------------------------------------------------------------------
/docs/.ruby-version:
--------------------------------------------------------------------------------
3.4.1

--------------------------------------------------------------------------------
/docs/CNAME:
--------------------------------------------------------------------------------
dalfox.hahwul.com

--------------------------------------------------------------------------------
/docs/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'

gem "jekyll", "~> 4.3.3" # installed by `gem jekyll`
# gem "webrick"        # required when using Ruby >= 3 and Jekyll <= 4.2.2

# Theme
gem "just-the-docs", "~> 0.10.0"

gem "csv"
gem "base64"
gem "logger"

# Plugins
group :jekyll_plugins do
  gem "jekyll-securitytxt"
  gem "jekyll-sitemap"
  gem "jekyll-redirect-from"
end

--------------------------------------------------------------------------------
/docs/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    base64 (0.2.0)
    bigdecimal (3.1.8)
    colorator (1.1.0)
    concurrent-ruby (1.3.4)
    csv (3.3.2)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
    ffi (1.17.1-arm64-darwin)
    ffi (1.17.1-x86_64-linux-gnu)
    forwardable-extended (2.6.0)
    google-protobuf (4.29.3-arm64-darwin)
      bigdecimal
      rake (>= 13)
    google-protobuf (4.29.3-x86_64-linux)
      bigdecimal
      rake (>= 13)
    http_parser.rb (0.8.0)
    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
      terminal-table (>= 1.8, < 4.0)
      webrick (~> 1.7)
    jekyll-include-cache (0.2.1)
      jekyll (>= 3.7, < 5.0)
    jekyll-redirect-from (0.16.0)
      jekyll (>= 3.3, < 5.0)
    jekyll-sass-converter (3.0.0)
      sass-embedded (~> 1.54)
    jekyll-securitytxt (1.0.3)
      jekyll (~> 4.0)
    jekyll-seo-tag (2.8.0)
      jekyll (>= 3.8, < 5.0)
    jekyll-sitemap (1.4.0)
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
    just-the-docs (0.10.0)
      jekyll (>= 3.8.5)
      jekyll-include-cache
      jekyll-seo-tag (>= 2.0)
      rake (>= 12.3.1)
    kramdown (2.5.1)
      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
    liquid (4.0.4)
    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    logger (1.6.6)
    mercenary (0.4.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
    public_suffix (6.0.1)
    rake (13.2.1)
    rb-fsevent (0.11.2)
    rb-inotify (0.11.1)
      ffi (~> 1.0)
    rexml (3.3.9)
    rouge (4.5.1)
    safe_yaml (1.0.5)
    sass-embedded (1.81.0-arm64-darwin)
      google-protobuf (~> 4.28)
    sass-embedded (1.81.0-x86_64-linux-gnu)
      google-protobuf (~> 4.28)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    unicode-display_width (2.6.0)
    webrick (1.9.0)

PLATFORMS
  arm64-darwin
  x86_64-linux

DEPENDENCIES
  base64
  csv
  jekyll (~> 4.3.3)
  jekyll-redirect-from
  jekyll-securitytxt
  jekyll-sitemap
  just-the-docs (~> 0.10.0)
  logger

BUNDLED WITH
   2.5.23

--------------------------------------------------------------------------------
/docs/README.md:
--------------------------------------------------------------------------------
Dalfox WIKI

--------------------------------------------------------------------------------
/docs/_advanced/features.md:
--------------------------------------------------------------------------------
---
title: Features
has_children: true
nav_order: 5
toc: true
layout: page
---

# Features

--------------------------------------------------------------------------------
/docs/_advanced/features/found-action.md:
--------------------------------------------------------------------------------
---
title: Found Action
redirect_from: /docs/tips/found-action/
nav_order: 1
parent: Features
toc: true
layout: page
---

# Integration with found-action

The `--found-action` option in Dalfox allows you to specify actions to take when a vulnerability is detected. This can be useful for automating responses to findings, such as logging, alerting, or further processing.

## Using found-action

The `--found-action` option lets you define a command to execute when a vulnerability is found. The following placeholders can be used within the command:

| Placeholder | Description |
| ------------ | ------------------------------------------------------------ |
| `@@query@@` | The attack query, i.e. the request URL carrying the injected payload (e.g., `https://www.hahwul.com?q=` followed by the payload) |

The command is executed by a shell, so quote the placeholder (as in the single quotes around `'@@query@@'` below): the substituted value contains payload characters that an unquoted shell word would otherwise interpret.

### Example Command

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data"
```

### Example Output

```bash
cat data
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%27%3E%3Csvg%2Fclass%3D%27dalfox%27onLoad%3Dalert%2845%29%3E
```

## Modifying the Shell Application for found-action

The `--found-action-shell` flag allows you to change the shell application used for executing the found action. The default value is `bash`.
### Example Command with zsh

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data" --found-action-shell=zsh
```

### Example Command with sh (for Alpine Linux)

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data" --found-action-shell=sh
```

## Additional Resources

For more information and advanced usage, please refer to the [blog post on Dalfox's fun options](https://www.hahwul.com/2020/05/04/how-to-use-dalfoxs-fun-options/).

--------------------------------------------------------------------------------
/docs/_advanced/resources.md:
--------------------------------------------------------------------------------
---
title: Resources
has_children: true
nav_order: 5
toc: true
layout: page
---

# Resources

--------------------------------------------------------------------------------
/docs/_advanced/resources/format-of-poc.md:
--------------------------------------------------------------------------------
---
title: Format Of PoC
redirect_from: /docs/format-of-poc/
nav_order: 5
parent: Resources
toc: true
layout: page
---

# Format Of PoC

This guide provides a detailed explanation of the format of Proof of Concept (PoC) logs generated by Dalfox. Each PoC log line carries several information fields followed by the PoC code. The delimiter between the information fields and the PoC code is a single blank space.
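To make the delimiter rule concrete, here is an added Go example (not part of Dalfox or of this page) that parses PoC log lines in this format. It splits each line at the first blank space, reads the bracketed fields before it as Identity, Type and Information, and for grep (`G`) findings further splits Information into source, grep name and HTTP method; lines that are not PoC entries or are malformed are rejected rather than guessed at. The two lines in `sampleLog` are the sample PoC log shown on this page; the names `Entry`, `Parse` and `ParseAll` are this example's own, and treating `R` lines like `V` lines (Information holds only the method) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one parsed PoC log line.
type Entry struct {
	Identity string // always "POC"
	Type     string // "G" (grep), "R" (reflected) or "V" (verify)
	Info     string // raw Information field, e.g. "BUILT-IN/dalfox-error-mysql/GET"
	Method   string // HTTP method taken from Info
	GrepName string // grep pattern name, set only for Type "G"
	PoC      string // the PoC URL or payload after the blank space
}

// Parse parses a single line of the form "[POC][T][information] poc-code".
func Parse(line string) (Entry, error) {
	line = strings.TrimSpace(line)
	// The first blank space separates the bracketed fields from the PoC code;
	// everything after it (spaces included) belongs to the PoC code.
	sep := strings.IndexByte(line, ' ')
	if sep < 0 {
		return Entry{}, fmt.Errorf("no blank delimiter in %q", line)
	}
	head, code := line[:sep], strings.TrimSpace(line[sep+1:])
	if !strings.HasPrefix(head, "[") || !strings.HasSuffix(head, "]") {
		return Entry{}, fmt.Errorf("malformed header %q", head)
	}
	// "[A][B][C]" -> "A][B][C" -> ["A", "B", "C"]
	fields := strings.Split(head[1:len(head)-1], "][")
	if len(fields) != 3 {
		return Entry{}, fmt.Errorf("expected 3 bracketed fields, got %d in %q", len(fields), head)
	}
	e := Entry{Identity: fields[0], Type: fields[1], Info: fields[2], PoC: code}
	if e.Identity != "POC" {
		return Entry{}, fmt.Errorf("not a PoC line: %q", line)
	}
	switch e.Type {
	case "G":
		// Grep findings carry "source/grep-name/METHOD".
		parts := strings.Split(e.Info, "/")
		if len(parts) != 3 {
			return Entry{}, fmt.Errorf("unexpected grep information %q", e.Info)
		}
		e.GrepName = parts[1]
		e.Method = parts[2]
	case "R", "V":
		// Assumption: reflected and verified findings carry only the method.
		e.Method = e.Info
	default:
		return Entry{}, fmt.Errorf("unknown PoC type %q", e.Type)
	}
	if code == "" {
		return Entry{}, fmt.Errorf("empty PoC code in %q", line)
	}
	return e, nil
}

// ParseAll returns the PoC entries found in scanner output, skipping the
// other log lines Dalfox prints as well as any line that fails to parse.
func ParseAll(output string) []Entry {
	var entries []Entry
	for _, l := range strings.Split(output, "\n") {
		if !strings.HasPrefix(strings.TrimSpace(l), "[POC]") {
			continue
		}
		if e, err := Parse(l); err == nil {
			entries = append(entries, e)
		}
	}
	return entries
}

// sampleLog is the sample PoC log from this page, embedded so the example runs offline.
const sampleLog = `[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E`

func main() {
	for _, e := range ParseAll(sampleLog) {
		fmt.Printf("type=%s method=%s grep=%q poc=%s\n", e.Type, e.Method, e.GrepName, e.PoC)
	}
}
```

Because the PoC code is taken as everything after the first blank space, the parser keeps working if a future payload contains spaces, which the `cut -d " " -f 2` approach shown further down would truncate.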

## Sample PoC Log

Here is a sample PoC log:

```
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
```

## PoC Log Format

| Identity | Type | Information | BLANK | PoC Code |
| -------- | ---- | ------------------------------- | ----- | ------------------------------------------------------------ |
| POC | G | BUILT-IN/dalfox-error-mysql/GET | | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox |
| POC | V | GET | | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E |

### Explanation of Fields

- **Identity**: Always `POC` to indicate a Proof of Concept log entry.
- **Type**: Indicates the type of PoC. Possible values are:
  - `G` (Grep)
  - `R` (Reflected)
  - `V` (Verify)
- **Information**: Contains additional information such as the HTTP method and grepping name.
- **BLANK**: A blank space used as a delimiter.
- **PoC Code**: The actual PoC URL or payload.

## Why is there a gap?

The gap (blank space) is used to make it easier to parse only the PoC code using tools like `cut`.
For example, you can extract the PoC code as follows (the URL is quoted so the shell does not interpret `&`):

```shell
dalfox url 'http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff' | cut -d " " -f 2 > output
cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E
```
--------------------------------------------------------------------------------
/docs/_advanced/resources/ipoint.md:
--------------------------------------------------------------------------------
---
title: Injectable Points
redirect_from: /docs/ipoint/
nav_order: 5
parent: Resources
toc: true
layout: page
---

# Injectable Points

This guide provides detailed information on the various injectable points that Dalfox can identify during scans. Understanding these points can help you better interpret the results and understand where and how payloads are being injected.

## Injected Points

Dalfox identifies several types of injectable points in the response. Here are the main categories:

- **inHTML-none**: Injection point within HTML content without any surrounding quotes.
- **inJS-none**: Injection point within JavaScript content without any surrounding quotes.
- **inJS-double**: Injection point within JavaScript content surrounded by double quotes.
- **inJS-single**: Injection point within JavaScript content surrounded by single quotes.
- **inJS-backtick**: Injection point within JavaScript content surrounded by backticks.
- **inATTR-none**: Injection point within an HTML attribute without any surrounding quotes.
- **inATTR-double**: Injection point within an HTML attribute surrounded by double quotes.
- **inATTR-single**: Injection point within an HTML attribute surrounded by single quotes.
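As an added example, not Dalfox's own detection code: a deliberately simplified shell classifier that assigns the labels above to a reflected marker by inspecting the response text in front of it, with the `-URL`/`-FORM` parameter-type suffix (explained in the next section) passed in as an argument. It is a heuristic rather than an HTML or JavaScript parser, and the responses in its test are constructed.

```shell
#!/bin/sh
# Added example, not Dalfox's own detection code: label the context a reflected
# marker landed in, using the page's names (inHTML-none, inJS-double, inATTR-single ...).
# Heuristic only: it inspects the text before the first reflection and assumes
# the marker itself is not part of a tag or a string delimiter.
#
# classify_point BODY MARKER [SOURCE]  -> prints e.g. "inJS-double-URL"
# SOURCE is URL (default) or FORM, the parameter type suffix used on the page.
classify_point() {
  body=$1
  marker=$2
  source=${3:-URL}
  case $body in
    *"$marker"*) ;;
    *) printf 'not-reflected\n'; return 1 ;;
  esac
  before=${body%%"$marker"*}          # everything before the first reflection
  last=${before#"${before%?}"}        # the single character right before it
  case $last in                       # which delimiter, if any, encloses it
    '"') quote=double ;;
    "'") quote=single ;;
    '`') quote=backtick ;;
    *)   quote=none ;;
  esac
  # inside <script>...</script> when more script tags were opened than closed
  lower=$(printf '%s' "$before" | tr 'A-Z' 'a-z')
  opens=$(printf '%s' "$lower" | grep -o '<script' | wc -l | tr -d ' ')
  closes=$(printf '%s' "$lower" | grep -o '</script' | wc -l | tr -d ' ')
  if [ "$opens" -gt "$closes" ]; then
    ctx=inJS
  else
    open_tag=${before##*>}            # text after the last completed tag
    case $open_tag in
      *'<'*) ctx=inATTR ;;            # an unfinished '<...' means we are inside a tag
      *)     ctx=inHTML; quote=none ;; # plain text between tags has no delimiter
    esac
  fi
  printf '%s-%s-%s\n' "$ctx" "$quote" "$source"
}
```

Knowing the context tells the defender which output encoding the application was missing: JavaScript string escaping for the `inJS-*` labels, attribute encoding for `inATTR-*`, and HTML entity encoding for `inHTML-none`.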

## Parameter Types

Dalfox can identify injectable points in different types of parameters:

- **URL**: Parameters passed in the URL query string.
- **FORM**: Parameters passed in the body of a form submission.

## Example

To illustrate how these injectable points work, consider the following example:

### inJS-double-URL

This indicates that a value entered into the URL query is reflected in a JavaScript context within double quotes in the response.

**Request**

```
/q=testabcd
```

**Response**

```html
```

In this example, the value `testabcd` is injected into the JavaScript context within double quotes.
--------------------------------------------------------------------------------
/docs/_community/oneliner.md:
--------------------------------------------------------------------------------
---
title: One-Liner
redirect_from: /docs/tips/oneliner/
nav_order: 2
toc: true
layout: page
---

# Community One-Liners

* Scanning XSS from host / from [@cihanmehmet in awesome-oneliner-bugbounty](https://github.com/dwisiswant0/awesome-oneliner-bugbounty)
```bash
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt
```
* [Automating XSS using Dalfox, GF and Waybackurls](https://medium.com/bugbountywriteup/automating-xss-using-dalfox-gf-and-waybackurls-bc6de16a5c75)
```bash
cat test.txt | gf xss | sed 's/=.*/=/' | sed 's/URL: //' | tee testxss.txt ; dalfox file testxss.txt -b yours-xss-hunter-domain(e.g yours.xss.ht)
```
* [Find XSS and Blind XSS, and send every request to burpsuite for more manual testing](https://twitter.com/Alra3ees/status/1407058456323014659)
```bash
dalfox file hosts --mining-dom --deep-domxss --ignore-return -b 'YOURS.xss.ht' --follow-redirects --proxy http://127.0.0.1:8080
```
* [dalfox scan to bugbounty targets / from KingOfBugBountyTips](https://github.com/KingOfBugbounty/KingOfBugBountyTips#dalfox-scan-to-bugbounty-targets-1)
```bash
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
```
* [Recon subdomains and gau to search vuls Dalfox / from KingOfBugBountyTips](https://github.com/KingOfBugbounty/KingOfBugBountyTips#recon-subdomains-and-gau-to-search-vuls-dalfox)
```bash
assetfinder testphp.vulnweb.com | gau | dalfox pipe
```
--------------------------------------------------------------------------------
/docs/_community/resources.md:
--------------------------------------------------------------------------------
---
title: Resources
nav_order: 1
toc: true
layout: page
---

# Community Resources

This page gathers various resources related to Dalfox, including articles, videos, and tutorials.

## Articles

- [Dalfox: My New Weapon for XSS](https://www.hahwul.com/2020/04/22/my-new-xss-tool-dalfox/)

## Videos

- [Find XSS the easy way! Dalfox - Hacker Tools @Intigriti](https://www.youtube.com/watch?v=m64aviF1Two&pp=ugMICgJrbxABGAHKBQZkYWxmb3g%3D)
- [Dalfox XSS Automation Scanner for Bug Bounty @Meta4sec](https://www.youtube.com/watch?v=EJzf_g0Vw38&pp=ygUGZGFsZm94)
- [Testing XSS Tools On Target Protected By WAF @BePractical](https://www.youtube.com/watch?v=_oLyUxRMnJk)
- [More](https://www.youtube.com/results?search_query=dalfox)

## Tutorials

- [Dalfox – Hacker Tools: XSS Scanning Made Easy 👩‍💻](https://blog.intigriti.com/hacking-tools/hacker-tools-dalfox)
--------------------------------------------------------------------------------
/docs/_config.yml:
--------------------------------------------------------------------------------
title: Dalfox
description: Dalfox is a powerful open-source XSS scanner and utility focused on automation.
theme: just-the-docs
logo: "/images/logo-wide.png"
favicon_ico: "favicon.ico"
url: https://dalfox.hahwul.com


color_scheme: dalfox

aux_links:
  Github: https://github.com/hahwul/dalfox
  Go: https://pkg.go.dev/github.com/hahwul/dalfox/v2
  v2.11.0: https://github.com/hahwul/dalfox/releases/tag/v2.11.0

plugins:
  - jekyll-sitemap

# Footer "Edit this page on GitHub" link text
gh_edit_link: true # show or hide edit this page link
gh_edit_link_text: "Edit this page on GitHub."
gh_edit_repository: "https://github.com/hahwul/dalfox" # the github URL for your repo
gh_edit_branch: "main" # the branch that your docs are served from
gh_edit_source: docs # the source that your files originate from
gh_edit_view_mode: "tree" # "tree" or "edit" if you want the user to jump into the editor immediately

permalink: pretty

# Collection settings
collections:
  advanced:
    permalink: "/:collection/:path/"
    output: true
  community:
    permalink: "/:collection/:path/"
    output: true

just_the_docs:
  collections:
    advanced:
      name: Advanced
    community:
      name: Community

mermaid:
  version: "10.9.1"

# Security.txt
security_txt:
  comment: If you find any security issues on this site, please contact me!
  contact: https://github.com/hahwul/dalfox/security
  canonical: https://owasp-noir.github.io/.well-known/security.txt
  preferred_languages: "en, ko"
--------------------------------------------------------------------------------
/docs/_includes/head_custom.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/_includes/mermaid_config.js:
--------------------------------------------------------------------------------
{}
--------------------------------------------------------------------------------
/docs/_includes/nav_footer_custom.html:
--------------------------------------------------------------------------------
Dalfox is an open-source project, made with ❤️
--------------------------------------------------------------------------------
/docs/_includes/toc.md:
--------------------------------------------------------------------------------
Table of contents
{: .text-delta }
1. TOC
{:toc}
--------------------------------------------------------------------------------
/docs/_plugins/generate_llms_full.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

require 'fileutils'

# This Jekyll plugin generates a combined document with all content
module Jekyll
  # This generator creates a full documentation file for LLMs
  class GenerateLLMsFullFile < Jekyll::Generator
    safe true
    priority :high

    def generate(site)
      # Target file path
      output_path = File.join(site.dest, 'llms-full.txt')

      # Prepare content
      content = "# Dalfox Full Documentation\n\n"
      content += "> This file contains the combined content of all Dalfox documentation pages for LLM context\n\n"

      # Add content from regular pages
      site.pages.each do |page|
        # Skip non-markdown files, index pages, and the llms.txt itself
        next if page.path.match?(/\.(xml|json|html|txt|js|css|scss|yaml|yml)$/)
        next if page.name == 'index.html'
        next if page.name == 'llms.txt'
        next if page.name == 'llms-full.txt'

        # Extract content (skip front matter)
        next unless page.content && !page.content.empty?

        # Add page title as heading
        content += "\n## #{page.data['title'] || File.basename(page.path, '.*').capitalize}\n\n"
        # Add page content
        content += page.content.strip
        content += "\n\n---\n\n"
      end

      # Add content from collections
      site.collections.each do |collection_name, collection|
        # Skip certain collections if needed
        next if ['posts'].include?(collection_name)

        collection.docs.each do |doc|
          # Skip certain files
          next if doc.path.match?(/\.(xml|json|html|txt|js|css|scss|yaml|yml)$/)

          next unless doc.content && !doc.content.empty?

          # Add document title as heading
          content += "\n## #{doc.data['title'] || File.basename(doc.path, '.*').capitalize} (#{collection_name})\n\n"
          # Add document content
          content += doc.content.strip
          content += "\n\n---\n\n"
        end
      end

      # Create the directory if it doesn't exist
      FileUtils.mkdir_p(File.dirname(output_path))

      # Write the content to the file in source directory so it gets committed
      source_path = File.join(site.source, 'llms-full.txt')
      File.write(source_path, content)

      # Ensure the file is in the destination directory
      begin
        FileUtils.cp(source_path, output_path)
      rescue StandardError => e
        Jekyll.logger.error "Error copying llms-full.txt: #{e.message}"
      end

      Jekyll.logger.info 'Generated:', 'llms-full.txt'
    end
  end

  # Also add a post-write hook to ensure the file exists in the _site directory
  class LLMsFullHook
    def self.register
      Jekyll::Hooks.register :site, :post_write do |site|
        source_path = File.join(site.source, 'llms-full.txt')
        output_path = File.join(site.dest, 'llms-full.txt')

        if File.exist?(source_path)
          FileUtils.mv(source_path, output_path)
          Jekyll.logger.info 'Moved to _site directory:', 'llms-full.txt'
        else
          Jekyll.logger.warn 'Cannot find source file:', 'llms-full.txt'
        end
      end
    end
  end

  LLMsFullHook.register
end
--------------------------------------------------------------------------------
/docs/_sass/color_schemes/dalfox.scss:
--------------------------------------------------------------------------------
$color-scheme: dark;
$body-background-color: darken($grey-dk-300, 10%);
$body-heading-color: darken($grey-lt-000, 10%);
$body-text-color: darken($grey-lt-300, 10%);
$link-color: darken(#c0c5e0, 10%);
$nav-child-link-color: darken($grey-dk-000, 10%);
$sidebar-color: darken($grey-dk-300, 10%);
$base-button-color: darken($grey-dk-250, 10%);
$btn-primary-color: darken($blue-200, 10%);
$code-background-color: darken(#31343f, 10%); // OneDarkJekyll default for syntax-one-dark-vivid
$code-linenumber-color: darken(#dee2f7, 10%); // OneDarkJekyll .nf for syntax-one-dark-vivid
$feedback-color: darken($sidebar-color, 13%);
$table-background-color: darken($grey-dk-250, 10%);
$search-background-color: darken($grey-dk-250, 10%);
$search-result-preview-color: darken($grey-dk-000, 10%);
$border-color: darken($grey-dk-200, 10%);

@import "./vendor/OneDarkJekyll/syntax"; // this is the one-dark-vivid atom syntax theme
--------------------------------------------------------------------------------
/docs/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/favicon.ico
--------------------------------------------------------------------------------
/docs/images/bg-2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/bg-2.jpg
--------------------------------------------------------------------------------
/docs/images/bg.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/bg.jpg
--------------------------------------------------------------------------------
/docs/images/favicon/apple-touch-icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/favicon/apple-touch-icon.png
--------------------------------------------------------------------------------
/docs/images/favicon/favicon-96x96.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/favicon/favicon-96x96.png
--------------------------------------------------------------------------------
/docs/images/favicon/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/favicon/favicon.ico
--------------------------------------------------------------------------------
/docs/images/favicon/site.webmanifest:
--------------------------------------------------------------------------------
{
  "name": "Dalfox",
  "short_name": "Dalfox",
  "icons": [
    {
      "src": "/images/favicon/web-app-manifest-192x192.png",
      "sizes": "192x192",
      "type": "image/png",
      "purpose": "maskable"
    },
    {
      "src": "/images/favicon/web-app-manifest-512x512.png",
      "sizes": "512x512",
      "type": "image/png",
      "purpose": "maskable"
    }
  ],
  "theme_color": "#ffffff",
  "background_color": "#ffffff",
  "display": "standalone"
}
--------------------------------------------------------------------------------
/docs/images/favicon/web-app-manifest-192x192.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/favicon/web-app-manifest-192x192.png
--------------------------------------------------------------------------------
/docs/images/favicon/web-app-manifest-512x512.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/favicon/web-app-manifest-512x512.png
--------------------------------------------------------------------------------
/docs/images/illust.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/illust.jpg
--------------------------------------------------------------------------------
/docs/images/logo-wide.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/logo-wide.png
--------------------------------------------------------------------------------
/docs/images/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/logo.png
--------------------------------------------------------------------------------
/docs/images/logonav.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/logonav.png
--------------------------------------------------------------------------------
/docs/images/page/running/mcp-claude.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/page/running/mcp-claude.jpg
--------------------------------------------------------------------------------
/docs/images/page/running/mcp-vscode.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/page/running/mcp-vscode.jpg
--------------------------------------------------------------------------------
/docs/images/screen.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/hahwul/dalfox/27811a4886ac6d8ba1087be1572c9070abcb3210/docs/images/screen.jpeg
--------------------------------------------------------------------------------
/docs/llms.txt:
--------------------------------------------------------------------------------
# Dalfox

> Dalfox is a fast, powerful open-source XSS scanning tool written in Go. It focuses on automation to streamline the process of detecting and verifying cross-site scripting vulnerabilities.

Dalfox (where "Dal" is the Korean word for "moon" and "Fox" stands for "Finder Of XSS") is a comprehensive command-line tool designed for security professionals. It excels at finding XSS vulnerabilities through various modes including URL scanning, file-based inputs, pipeline processing, and REST API server capabilities. The tool offers advanced parameter analysis, DOM mining, and headless browser verification for thorough security testing.

## Basic Usage

```bash
# Basic command structure
dalfox [mode] [target] [flags]  # e.g., dalfox url https://example.com --worker=50

# Scan a single URL
dalfox url https://example.com

# Use blind XSS with callback URL
dalfox url https://example.com -b https://your-callback-url.com

# Scan multiple URLs from a file
dalfox file urls.txt

# Process URLs from pipe
cat urls.txt | dalfox pipe

# Start as a REST API server
dalfox server --host 0.0.0.0 --port 8080

# Start as a MCP server
dalfox server --type=mcp

# Use with custom payloads
dalfox url https://example.com --custom-payload payloads.txt

# Output in JSON format
dalfox url https://example.com --format json -o results.json
```

## Docs

- [Installation Guide](https://dalfox.hahwul.com/page/installation/) - Complete instructions for installing Dalfox on various platforms including Homebrew, Snapcraft, Go, and Docker.
- [Quick Start](https://dalfox.hahwul.com/page/overview/) - Introduction to Dalfox with key features and basic usage examples.
- [Usage Guide](https://dalfox.hahwul.com/page/usage/) - Detailed documentation on all available modes, options, and flags for customizing scans.
- [Running Dalfox](https://dalfox.hahwul.com/page/running/) - Specific guides for different scanning scenarios (single URL, multiple URLs, raw requests).
- [Advanced Features](https://dalfox.hahwul.com/advanced/features/) - Documentation on specialized features like remote payloads, custom payloads, and BAV analysis.
- [Configuration](https://dalfox.hahwul.com/advanced/config/) - Information on using configuration files for consistent scanning settings.

## Optional

- [GitHub Repository](https://github.com/hahwul/dalfox) - Source code and issue tracking for the Dalfox project.
- [Community Resources](https://dalfox.hahwul.com/community/resources/) - Articles, videos, and tutorials from the Dalfox community.
- [API Documentation](https://dalfox.hahwul.com/page/modes/server-mode/#api-documentation) - Details on using Dalfox's REST API server mode.
- [MCP Integration](https://dalfox.hahwul.com/page/running/mcp/) - Guide to using Dalfox with AI assistants through Model Context Protocol.
- [GitHub Actions](https://dalfox.hahwul.com/page/running/github-action/) - Instructions for integrating Dalfox into CI/CD workflows.
- [Library Usage](https://dalfox.hahwul.com/page/running/code/) - Documentation on using Dalfox as a Go library in your own projects.
--------------------------------------------------------------------------------
/docs/page/modes/file-mode.md:
--------------------------------------------------------------------------------
---
title: File Mode
redirect_from: /docs/modes/file-mode/
has_children: false
parent: Usage
nav_order: 3
toc: true
layout: page
---

# File mode

`file` mode scans multiple URLs from a list, or scans based on a raw request file exported from Burp Suite/ZAP. The input is a filename.

```shell
dalfox file (unknown)
```

If the file is a list of URLs, Dalfox scans them one by one just like pipe mode; with the `--rawdata` option it treats the file as a raw request, parses it, and tests it.

## Scanning URLs from a file
```shell
dalfox file urls.txt
```

## Scanning from a Burp/ZAP raw request file
```shell
dalfox file req.raw --rawdata
```
--------------------------------------------------------------------------------
/docs/page/modes/payload-mode.md:
--------------------------------------------------------------------------------
---
title: Payload Mode
redirect_from: /docs/modes/payload-mode/
has_children: false
parent: Usage
nav_order: 5
toc: true
layout: page
---

# Payload Mode

`payload` mode makes XSS testing easier: it generates and enumerates XSS payloads and wordlists.

```bash
dalfox payload {flags}
```

e.g.
```bash
dalfox payload --enum-injs --entity-event-handler
```

## Make-Bulk
Make-bulk generates many XSS payloads. The argument of each `alert` is a sequence number, so it is easy to tell which payload was triggered during the XSS test.

```bash
dalfox payload --make-bulk
```

output

```html
...snip...
test<\/track>
test<\/tt>
test<\/u>
    test<\/ul>
test<\/var>