dalfox v1.1.3 releases: Parameter Analysis and XSS Scanning tool
What is DalFox
Just an XSS scanning and parameter analysis tool. I previously developed XSpear, a Ruby-based XSS tool, and this time a full change occurred during the process of porting it to Golang, so I created it as a new project. The basic concept is to analyze parameters, find XSS, and examine them based on Selenium.
About the naming: Dal (달) is the Korean pronunciation of moon, and fox was made into Fox (Find Of XSS).
- Parameter Analysis (find reflected parameters, find free/bad characters, identify the injection point)
- Static Analysis (check bad headers such as CSP, X-Frame-Options, etc. against the base request/response)
- Optimization query of payloads
- Check the injection point through abstraction and generate a fitting payload.
- Eliminate unnecessary payloads based on badchar
- XSS Scanning and DOM Base Verifying
- All test payloads (built-in, your custom/blind) are tested in parallel with the encoder.
- Support for Double URL Encoder
- Support for HTML Hex Encoder
- Friendly Pipeline (single url, from a file, from IO)
- And the various options required for the testing 😀
- Built-in/custom grepping to find other vulnerabilities
- If something is found, run an after action
- Add defense code in blind XSS (branch logic)
- Fixed bugs
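The static-analysis item in the feature list (checking the base response for missing or weak CSP and X-Frame-Options headers) can be sketched in Go as follows. This is an added example, not dalfox's own code; `parseCSP`, `AuditHeaders` and the finding labels are hypothetical names, and the sample headers are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseCSP maps each directive to its sources (lowercased; fine for keyword checks).
func parseCSP(v string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(v, ";") {
		if f := strings.Fields(strings.ToLower(part)); len(f) > 0 && out[f[0]] == nil {
			out[f[0]] = f[1:] // first occurrence of a directive wins
		}
	}
	return out
}

// AuditHeaders returns findings for the XSS-relevant headers of a base response.
func AuditHeaders(h http.Header) []string {
	var findings []string
	csp := parseCSP(h.Get("Content-Security-Policy"))
	scripts, ok := csp["script-src"]
	if !ok {
		scripts, ok = csp["default-src"] // script-src falls back to default-src
	}
	joined := strings.Join(scripts, " ") // a nonce or hash makes browsers ignore 'unsafe-inline'
	strict := strings.Contains(joined, "'nonce-") || strings.Contains(joined, "'sha")
	if len(csp) == 0 {
		findings = append(findings, "csp-missing")
	} else if !ok {
		findings = append(findings, "csp-scripts-unrestricted")
	}
	for _, s := range scripts {
		if s == "'unsafe-eval'" || s == "*" || (s == "'unsafe-inline'" && !strict) {
			findings = append(findings, "csp-weak-script-source:"+s)
		}
	}
	xfo := strings.ToLower(strings.TrimSpace(h.Get("X-Frame-Options")))
	if _, fa := csp["frame-ancestors"]; !fa && xfo != "deny" && xfo != "sameorigin" {
		findings = append(findings, "framing-unrestricted") // ALLOW-FROM is obsolete
	}
	return findings
}

func main() { // constructed sample headers, not captured from a real site
	h := http.Header{"Content-Security-Policy": {"default-src 'self'; script-src 'self' 'unsafe-inline'"}}
	fmt.Println(AuditHeaders(h))
}
```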
go get -u github.com/hahwul/dalfox
Running from single url
$ dalfox -url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff
Running from file
$ dalfox -iL urls_file
Running from IO (pipeline)
$ cat urls_file | dalfox -pipe
For other tips, see the wiki for detailed instructions!
Copyright (c) 2020 hahwul