• Stars
    star
    3,504
  • Rank 12,693 (Top 0.3 %)
  • Language
    Go
  • License
    MIT License
  • Created over 4 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.



🌙🦊=XSS

DalFox is a powerful open-source tool that focuses on automation, making it ideal for quickly scanning for XSS flaws and analyzing parameters. Its advanced testing engine and niche features are designed to streamline the process of detecting and verifying vulnerabilities.

As for the name, Dal() is the Korean word for "moon," while "Fox" stands for "Finder Of XSS" or 🦊

TOC

Key features

Mode: url sxss pipe file server payload

Class Key Feature Description
Discovery Parameter analysis - Find reflected param
- Find alive/bad special chars, event handler and attack code
- Identification of injection points(HTML/JS/Attribute)
inHTML-none inJS-none inJS-double inJS-single inJS-backtick inATTR-none inATTR-double inATTR-single
Static analysis - Check bad-header like CSP, XFO, etc.. with req/res base
BAV analysis - Testing BAV(Basic Another Vulnerability) , e.g sqli ssti open-redirects, crlf, esii
Parameter Mining - Find new param with Dictionary attack (default is GF-Patterns)
- Support custom dictionary file (--mining-dict-word)
- Find new param with DOM
- Use remote wordlist to mining (--remote-wordlists)
Built-in Grepping - It Identify the basic info leak of SSTi, Credential, SQL Error, and so on
WAF Detection and Evasion - Detect to WAF(Web Application Firewall).
- if found waf and using special flag, evasion using slow request
- --waf-evasion
Scanning XSS Scanning - Reflected XSS / Stored XSS / DOM XSS
- DOM base verifying
- Headless base verifying
- Blind XSS testing with param, header(-b , --blind options)
- Only testing selected parameters (-p, --param)
- Only testing parameter analysis (--only-discovery)
Friendly Pipeline - Single url mode (dalfox url)
- From file mode (dalfox file urls.txt)
- From IO(pipeline) mode (dalfox pipe)
- From raw http request file mode (dalfox file raw.txt --rawdata)
Optimization query of payloads - Check the injection point through abstraction and generated the fit payload.
- Eliminate unnecessary payloads based on badchar
Encoder - All test payloads(build-in, your custom/blind) are tested in parallel with the encoder.
- To Double URL Encoder
- To HTML Hex Encoder
Sequence - Auto-check the special page for stored xss (--trigger)
- Support (--sequence) options for Stored XSS , only sxss mode
HTTP HTTP Options - Overwrite HTTP Method (-X, --method)
- Follow redirects (--follow-redirects)
- Add header (-H, --header)
- Add cookie (-C, --cookie)
- Add User-Agent (--user-agent)
- Set timeout (--timeout)
- Set Delay (--delay)
- Set Proxy (--proxy)
- Set ignore return codes (--ignore-return)
- Load cookie from raw request (--cookie-from-raw)
Concurrency Worker - Set worker's number(-w, --worker)
N * hosts - Use multicast mode (--multicast) , only file / pipe mode
Output Output - Only the PoC code and useful information is write as Stdout
- Save output (-o, --output)
Format - JSON / Plain (--format)
Printing - Silence mode (--silence)
- You may choose not to print the color (--no-color)
- You may choose not to print the spinner (--no-spinner)
- You may choose show only special poc code (--only-poc)
Report - Show detail report (--report and --report-format=<plain/json>)
Extensibility REST API - API Server and Swagger (dalfox server)
Payload Mode - Generate and Enumerate Payloads for XSS Testing (dalfox payload)
Found Action - Lets you specify the actions to take when detected.
- Notify, for example (--found-action)
Custom Grepping - Can grep with custom regular expressions on response
- If duplicate detection, it performs deduplication (--grep)
Custom Payloads - Use custom payloads list file (--custom-payload)
- Custom alert value (--custom-alert-value)
- Custom alert type (--custom-alert-type)
Remote Payloads - Use remote payloads from portswigger, payloadbox, etc.. (--remote-payloads)
Package Package manager - pkg.go.dev
- homebrew with tap
- snapcraft
Docker ENV - docker hub
- github package of docker
Other - github action

And the various options required for the testing :D

How to Install

From source

go1.17

go install github.com/hahwul/dalfox/v2@latest

go1.16

GO111MODULE=on go get github.com/hahwul/dalfox/v2

Using homebrew (macos)

brew tap hahwul/dalfox
brew install dalfox

Using snapcraft (ubuntu)

sudo snap install dalfox

More information? please read Installation guide

Usage

dalfox [mode] [target] [flags] 

Single target mode

dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff \
	-b https://your-callback-url

Multiple target mode from file

dalfox file urls_file --custom-payload ./mypayloads.txt

Pipeline mode

cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"

Other tips, See wiki for detailed instructions!

POC format

Sample poc log

[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E

Format

Identity Type Information BLANK PoC Code
POC G BUILT-IN/dalfox-error-mysql/GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
POC R GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
POC V GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
  • Type: G(Grep) , R(Reflected) , V(Verify)
  • Information: Method, grepping name, etc..

Why is there a gap? It is a method to make it easier to parse only the poc code through cut etc. For example, you can do this.

dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff \
	| cut -d " " -f 2 > output
cat output
# http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
# http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E

In the code

package main

import (
	"fmt"

	dalfox "github.com/hahwul/dalfox/v2/lib"
)

func main() {
	opt := dalfox.Options{
		Cookie:     "ABCD=1234",
	}
	result, err := dalfox.NewScan(dalfox.Target{
		URL:     "https://xss-game.appspot.com/level1/frame",
		Method:  "GET",
		Options: opt,
	})
	if err != nil {
		fmt.Println(err)
	} else {
		fmt.Println(result)
	}
}
go build -o xssapp ; ./xssapp
# [] [{V GET https://xss-game.appspot.com/level1/frame?query=%3Ciframe+srcdoc%3D%22%3Cinput+onauxclick%3Dprint%281%29%3E%22+class%3Ddalfox%3E%3C%2Fiframe%3E}] 2.618998247s 2021-07-11 10:59:26.508483153 +0900 KST m=+0.000794230 2021-07-11 10:59:29.127481217 +0900 KST m=+2.619792477}

Screenshots

1414 1415
Single URL Scanning Massive(Multicast/Mass) Scanning
1416 1417
REST API Server Mode Output and Customizing (found-action / grepping)

Wiki

Wiki

Question

Please use discussions actively!

Changelog

Detailed changes for each release are documented in the release notes.

Contributing

DalFox's open-source project and made it with ❤️ if you want contribute this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.

More Repositories

1

WebHackersWeapons

⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting
Ruby
3,764
star
2

DevSecOps

♾️ Collection and Roadmap for everyone who wants DevSecOps. Hope your DevOps are more safe 😎
Go
1,716
star
3

XSpear

🔱 Powerfull XSS Scanning and Parameter analysis tool&gem
Ruby
1,157
star
4

jwt-hack

🔩 jwt-hack is tool for hacking / security testing to JWT. Supported for En/decoding JWT, Generate payload for JWT attack and very fast cracking(dict/brutefoce)
Go
748
star
5

MobileHackersWeapons

Mobile Hacker's Weapons / A collection of cool tools used by Mobile hackers. Happy hacking , Happy bug-hunting
Go
682
star
6

a2sv

Auto Scanning to SSL Vulnerability
Python
617
star
7

authz0

🔑 Authz0 is an automated authorization test tool. Unauthorized access can be identified based on URLs and Roles & Credentials.
Go
386
star
8

mad-metasploit

Metasploit custom modules, plugins, resource script and.. awesome metasploit collection
Ruby
382
star
9

droid-hunter

(deprecated) Android application vulnerability analysis and Android pentest tool
Ruby
288
star
10

metasploit-autopwn

db_autopwn plugin of metasploit
Ruby
199
star
11

deadfinder

🏴‍☠️ Find dead-links (broken links)
Ruby
127
star
12

RegexPassive

🔭 Collection of regexp pattern for security passive scanning
112
star
13

mzap

⚡️ Multiple target ZAP Scanning
Go
101
star
14

XSS-Payload-without-Anything

XSS Payload without Anything.
100
star
15

hack-pet

🐰 Managing command snippets for hackers/bug bounty hunters. with pet.
Go
99
star
16

s3reverse

The format of various s3 buckets is convert in one format. for bugbounty and security testing.
Go
80
star
17

gee

🏵 Gee is tool of stdin to each files and stdout. It is similar to the tee command, but there are more functions for convenience. In addition, it was written as go
Go
80
star
18

websocket-connection-smuggler

websocket-connection-smuggler
Go
67
star
19

gitls

🖇 Enumerate git repository URL from list of URL / User / Org. Friendly to pipeline
Go
58
star
20

ws-smuggler

WebSocket Connection Smuggler
Go
47
star
21

ras-fuzzer

RAS(RAndom Subdomain) Fuzzer
Go
43
star
22

MemBi

All the members of bugbounty and infosec. If you don't know who to follow, see!
Go
35
star
23

backbomb

💣 Dockerized penetration-testing/bugbounty/app-sec testing environment
Go
33
star
24

hbxss

Security test tool for Blind XSS
Ruby
27
star
25

fuzzstone

My fuzz repo!
JavaScript
23
star
26

action-dalfox

XSS scanning with Dalfox on Github-action
Dockerfile
23
star
27

recon-raven

Reconnaissance tool of Penetration test & Bug Bounty
Ruby
23
star
28

xssmaze

XSSMaze is a web service designed to test and improve the performance of security testing tools by providing various cases of XSS vulnerabilities.
Crystal
21
star
29

noir

♠️ Noir is an attack surface detector form source code.
Crystal
20
star
30

assets.hahwul.com

assets for www.hahwul.com
Shell
20
star
31

vais

SWF Vulnerability & Information Scanner
HTML
20
star
32

can-i-protect-xss

Everything about xss protection technology
15
star
33

volt

⚡ Golang library for quick make pentest tools
Go
15
star
34

raven

Automation Hacking & Penetration Testing Suite
Ruby
13
star
35

vunlink

Auto Web Vulnerability Scanning Framework
Ruby
11
star
36

hahwul

about me!
10
star
37

websocket-connection-smuggling-go

websocket-connection-smuggling write in go
Go
10
star
38

zest-env

🐋 Zest CLI Environment
Shell
10
star
39

github-aciton-injection-test

This repo is a sample repo for Github Action Injection.
9
star
40

awesome-zap-extensions

A curated list of amazingly awesome ZAP Extensions
8
star
41

VAHA

Web for security engineer & hacker
7
star
42

jqueen

Go
6
star
43

buildpack-nmap

install nmap and set alias buildpack of heroku
Shell
6
star
44

m2h.js

remote markdown document to html on DOM
JavaScript
6
star
45

homebrew-dalfox

Ruby
5
star
46

zap-cloud-scan

5
star
47

hahwul-testzz

tool, page code for https://www.hahwul.com
HTML
5
star
48

qs-openvpn

quick setup openvpn
Shell
5
star
49

eoyc

Encoding Only Your Choices
Crystal
5
star
50

zaproxy-ruby

A Ruby Implementation and Library for Easy Utilization of ZAP API
Ruby
5
star
51

cyan-snake

Live OS for Physical hacking
Ruby
5
star
52

podopunch

Easy testing from multiple android devices
Python
5
star
53

openvas_install_script

OpenVAS Scanner Install Script on Debian
Shell
5
star
54

rings

Ruby
4
star
55

homebrew-jwt-hack

Ruby
4
star
56

buildpack-zap-daemon

zap(zed attack proxy) daemon mode buildpack of heroku
Shell
4
star
57

CaidoTweaks

4
star
58

restime

Web page response time checker
Python
4
star
59

exploit-db_to_dokuwiki

exploit-db(edb) convert to dokuwiki template
Python
4
star
60

homebrew-backbomb

backbomb homebrew repository
Ruby
4
star
61

booungJS

Vulnerability analysis to javascript using javascript and web debugger
JavaScript
4
star
62

homebrew-authz0

Ruby
3
star
63

licaner

Go
3
star
64

ftc

simple copy to file to clipboard
Ruby
3
star
65

struts2-rce-cve-2017-9805-ruby

cve -2017-9805
Ruby
3
star
66

homebrew-mzap

Ruby
3
star
67

go-github-selfupdate-patched

go get error patched version
Go
3
star
68

crystal-smuggle

Toy :D
Crystal
3
star
69

jekyll-securitytxt

Jekyll plugin for security.txt
Ruby
3
star
70

shooting-scheme

custom scheme testing tool with checklist
3
star
71

action-authz0-test

3
star
72

mycert

Ruby
2
star
73

lab

lab.hahwul.com
2
star
74

homebrew-gee

Ruby
2
star
75

homebrew-s3reverse

Ruby
2
star
76

caido-crystal

Caido implementation for crystal
Crystal
2
star
77

heroku-buildpack-geckodriver

2
star
78

dawn-of-seoul

It is a Caido theme made to feel blue, the representative dawn color of Seoul.
2
star
79

vuln_test

<video><embed><object><meta><body><script><frame><frameset>
2
star
80

projectsend_r582_webshell

ProjectSend_r582_webshell exploit
Ruby
1
star
81

homebrew-eoyc

Ruby
1
star
82

bad-usb-scripts

1
star
83

purl.cr

Crystal
1
star
84

hlogger

golang logger for hahwul z
Go
1
star