DalFox – Powerful Automated XSS Scanning Tool And Parameter Analyzer

DalFox Logo - Powerful XSS Scanning Tool And Parameter Analyzer for Bug Bounty Hunting

Dalfox XSS Tool

DalFox is an powerful automated XSS scanning tool and parameter analyzer and utility that fast the process of detecting and verify XSS flaws. It comes with a powerful testing engine, many niche features that can help you while perfoming bug bounty hunt.

This tool can automated analyze single or multiple websites to find XSS vulnerabilities such as Reflected XSS, Stored XSS or even DOM XSS.

I talk about naming. Dal() is the Korean pronunciation of moon, and Fox are made to mean “Finder Of XSS”.

Key features


  • url : Use single target URL mode
  • file : Use file mode(targets list or rawdata)
  • payload : Payload mode, make and enum payloads
  • pipe : Use pipeline mode
  • server : Start API Server
  • sxss : Use Stored XSS mode
ClassKey FeatureDescription
DiscoveryParameter analysis– Find reflected param
– Find alive/bad special chars, event handler and attack code
– Identification of injection points(HTML/JS/Attribute)
inHTML-none inJS-none inJS-double inJS-single inJS-backtick inATTR-none inATTR-double inATTR-single
Static analysis– Check bad-header like CSP, XFO, etc.. with req/res base
BAV analysis– Testing BAV(Basic Another Vulnerability) , e.g sqli ssti open-redirectscrlfesii
Parameter Mining– Find new param with Dictonary attack (default is GF-Patterns)
– Support custom dictonary file (--mining-dict-word)
– Find new param with DOM
– Use remote wordlist to mining (--remote-wordlists)
Built-in Grepping– It Identify the basic info leak of SSTi, Credential, SQL Error, and so on
WAF Detection and Evasion– Detect to WAF(Web Application Firewall).
– if found waf and using special flag, evasion using slow request
– --waf-evasion
ScanningXSS Scanning– Reflected XSS / Stored XSS / DOM XSS
– DOM base verifying
– Headless base verifying
– Blind XSS testing with param, header(-b , --blind options)
– Only testing selected parameters (-p--param)
– Only testing parameter analysis (--only-discovery)
Friendly Pipeline– Single url mode (dalfox url)
– From file mode (dalfox file urls.txt)
– From IO(pipeline) mode (dalfox pipe)
– From raw http request file mode (dalfox file raw.txt --rawdata)
Optimizaion query of payloads– Check the injection point through abstraction and generated the fit payload.
– Eliminate unnecessary payloads based on badchar
Encoder– All test payloads(build-in, your custom/blind) are tested in parallel with the encoder.
– To Double URL Encoder
– To HTML Hex Encoder
Sequence– Auto-check the special page for stored xss (--trigger)
– Support (--sequence) options for Stored XSS , only sxss mode
HTTPHTTP Options– Overwrite HTTP Method (-X--method)
– Follow redirects (--follow-redirects)
– Add header (-H--header)
– Add cookie (-C--cookie)
– Add User-Agent (--user-agent)
– Set timeout (--timeout)
– Set Delay (--delay)
– Set Proxy (--proxy)
– Set ignore return codes (--ignore-return)
– Load cookie from raw request (--cookie-from-raw)
ConcurrencyWorker– Set worker’s number(-w--worker)
N * hosts– Use multicast mode (--multicast) , only file / pipe mode
OutputOutput– Only the PoC code and useful information is write as Stdout
– Save output (-o--output)
Format– JSON / Plain (--format)
Printing– Silence mode (--silence)
– You may choose not to print the color (--no-color)
– You may choose not to print the spinner (--no-spinner)
– You may choose show only special poc code (--only-poc)
ExtensibilityREST API– API Server and Swagger (dalfox server)
Payload Mode– Generate and Enumerate Payloads for XSS Testing (dalfox payload)
Found Action– Lets you specify the actions to take when detected.
– Notify, for example (--found-action)
Custom Grepping– Can grep with custom regular expressions on response
– If duplicate detection, it performs deduplication (--grep)
Custom Payloads– Use custom payloads list file (--custom-payload)
– Custom alert value (--custom-alert-value)
– Custom alert type (--custom-alert-type)
Remote Payloads– Use remote payloads from portswigger, payloadbox, etc.. (--remote-payloads)
PackagePackage manager– pkg.go.dev
– homebrew with tap
– snapcraft
Docker ENV– docker hub
– gitub package of docker
Other– github action

And the various options required for the XSS testing.

How to Install

From source


go install github.com/hahwul/dalfox/[email protected]

Using homebrew (macos)

brew tap hahwul/dalfox brew install dalfox

Using snapcraft (ubuntu)

sudo snap install dalfox


dalfox [mode] [target] [flags]

Single target mode

dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://hahwul.xss.ht

Multiple target mode from file

dalfox file url.txt –custom-payload ./mypayloads.txt

Pipeline mode

cat url.txt | dalfox pipe


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

8 + 11 =