LinuxCommandLibrary

dalfox

Discover and exploit XSS vulnerabilities

TLDR

Scan a single URL for XSS vulnerabilities

$ dalfox url [http://example.com]

Scan a URL using a header for authentication
$ dalfox url [http://example.com] [[-H|--header]] ['X-My-Header: 123']

Scan a list of URLs from a file
$ dalfox file [path/to/file]

SYNOPSIS

dalfox [mode] [target] [flags]

The mode selects how targets are supplied; there is no --url or --file flag:
  url      scan a single URL
  file     scan URLs listed in a file (one per line), or a raw HTTP request with --rawdata
  pipe     read URLs from standard input, one per line
  sxss     stored XSS mode: inject on the target URL, verify on the page given by --trigger
  payload  generate and enumerate payloads without scanning
  server   run the REST API server
  version  print the version

PARAMETERS

The flags below apply to the scanning modes (url, file, pipe, sxss).

--data, -d
    Send a POST request with this body (e.g., 'param1=value1&param2=value2').

--method, -X
    Override the HTTP method (e.g., -X PUT).

--param, -p
    Test only the named parameter(s). Can be used multiple times.

--header, -H
    Add a custom HTTP header (e.g., 'Authorization: Bearer ...'). Can be used multiple times.

--cookie, -C
    Set the Cookie header for every request (e.g., 'sessionid=xyz').

--user-agent
    Set a custom User-Agent string.

--follow-redirects, -F
    Follow HTTP redirects.

--blind, -b
    Add blind XSS payloads that call back to the given host (e.g., -b your.xss.ht, a placeholder for your own callback server). Hits show up on that server, not in Dalfox output.

--custom-payload
    Load extra payloads from a file; with --only-custom-payload, test only those.

--waf-evasion
    Apply generic WAF-evasion transformations to payloads.

--mining-dict, --mining-dom
    Parameter discovery: guess parameter names from a wordlist (on by default; --mining-dict-word supplies your own) and harvest them from the response DOM (on by default). --skip-mining-all disables both. Dalfox does not crawl; feed it URLs from a crawler instead.

--only-discovery
    Run parameter analysis only, without sending XSS payloads (same as --skip-xss-scanning).

--skip-headless, --deep-domxss
    Skip the headless-browser stage, or run it with a larger DOM XSS payload set (slow).

--format
    Stdout format: plain (default) or json.

--output, -o
    Write results to a file (PoC lines only by default; --output-all writes the full log).

--report
    Print a detailed report at the end (--report-format plain or json).

--found-action
    Shell command to run whenever a finding is made (see FOUND_ACTION.md in the repository for the available placeholders).

--proxy
    Send all requests through a proxy (e.g., 'http://127.0.0.1:8080'), typically Burp or ZAP.

--timeout
    Per-request timeout in seconds (default 10).

--worker, -w
    Number of concurrent workers (default 100).

--delay
    Milliseconds to wait between requests to the same host (1000 = 1 s).

--ignore-return
    Skip targets whose response carries one of these status codes (e.g., 302,403,404).

--silence, -S
    Print only PoC lines (and the server log).

--help, -h
    Show the help message and exit. The version is printed by the version mode (dalfox version).

DESCRIPTION

Dalfox is an open-source command-line scanner for Cross-Site Scripting (XSS). Written in Go and built around a worker pool, it is aimed at pentesters and bug bounty hunters who need to test many URLs quickly. It covers reflected XSS (url, file and pipe modes), stored XSS (sxss mode, where the URL that receives the injection and the page that renders it differ) and DOM-based XSS (through a headless browser).

A scan runs in stages: parameter analysis (which parameters are reflected, and in what context: HTML body, attribute, JavaScript string, and so on), optional parameter mining from a wordlist and from the response DOM, context-aware payload injection, and verification. Findings are tagged G (a built-in grep pattern matched, including the BAV checks for other bug classes such as SQL error messages or open redirects), R (the payload was reflected in the response) or V (the headless browser confirmed that the payload executed). Dalfox accepts a single URL, a file of URLs or a raw HTTP request, or URLs on stdin, so it slots into reconnaissance pipelines; custom headers, cookies, a proxy, POST bodies and JSON output support authenticated scanning and automation. It is not a crawler: it tests the URLs it is given and the parameters it can discover on them.

CAVEATS

As with any automated scanner, results need triage. Only V findings are confirmed by the headless browser; R and G findings are reflections and pattern matches that may not be exploitable.
The defaults (100 workers, no delay) are noisy. Against production hosts lower -w and add --delay, expect WAF/IDS alerts, and use --waf-evasion only where the rules of engagement allow it.
DOM-based XSS detection and payload verification need a local Chrome/Chromium; without one, run with --skip-headless and treat R findings as unverified.
Payloads are real HTML/JavaScript and may be persisted by the target (forms, profiles, logs). Scan only what you are authorized to test, and consider --custom-alert-value/--custom-alert-type to make stored payloads identifiable for clean-up. With -b, the callback host you supply is written into every place the target stores the payload.

PIPING INPUT

Dalfox reads URLs from standard input in pipe mode (dalfox pipe), one per line, so it chains behind other command-line tools. Note that subfinder and httpx emit hosts and base URLs without query parameters; Dalfox can still mine parameters on those pages, but a URL source such as gau or a crawler gives it far more to inject into. For example: cat urls.txt | dalfox pipe, or subfinder -d example.com | httpx -silent | dalfox pipe, or gau example.com | grep '=' | dalfox pipe.
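The wrapper below is an added example (not Dalfox's own code and not from the original page) of the pipeline described above: it filters a URL list down to parameterised, deduplicated URLs, runs dalfox pipe with throttled workers, an optional authentication header and JSON output, and triages the results to browser-verified findings. It assumes the dalfox 2.x flags as printed by dalfox --help and that --format json emits one JSON object per finding with a "type" of G, R or V; the sample URLs and result lines it embeds are constructed to that shape, not captured from a real scan.

```shell
#!/usr/bin/env sh
# dalfox_pipe.sh: added example, not dalfox's own code and not from the original
# page. A thin wrapper that feeds a URL list into `dalfox pipe` with settings
# that are safe against a production host, then triages the JSON results.
#
# Assumptions (not verified here): the dalfox 2.x flags as printed by
# `dalfox --help`, and that `--format json` prints one JSON object per finding
# with a "type" of G (grep match), R (reflected) or V (verified by headless
# Chrome). SAMPLE_URLS and SAMPLE_JSON below are constructed to that shape,
# not captured from a real scan.

# Keep only URLs that carry a query parameter, deduplicated. Reflected checks
# need a parameter to inject into; parameter mining covers the rest, but
# leading with parameterised URLs keeps the request count down.
with_params() {
  grep -E '^https?://[^?]+\?[^=]+=' | sort -u
}

# Reduce JSON result lines to verified findings. R means the payload came back
# in the response body; V means the browser actually executed it.
verified_only() {
  grep -E '"type": ?"V"' || true
}

# Number of verified findings on stdin (usable as a CI gate).
count_verified() {
  verified_only | wc -l | tr -d ' '
}

# scan_stdin OUTFILE AUTH_HEADER [extra dalfox flags...]
# AUTH_HEADER may be '' for unauthenticated scans.
scan_stdin() {
  out=$1; auth=$2; shift 2
  command -v dalfox >/dev/null 2>&1 || { echo "dalfox not found in PATH" >&2; return 127; }
  # -w/--delay throttle the default 100 workers; -S/--no-spinner keep stdout to
  # PoC lines so the tee'd file can be fed straight to verified_only.
  with_params | dalfox pipe --format json -S --no-spinner \
      -w 10 --delay 500 --timeout 15 --follow-redirects \
      ${auth:+-H "$auth"} "$@" | tee "$out"
}

# Constructed sample input for exercising the helpers offline.
SAMPLE_URLS='https://example.com/
https://example.com/search?q=test
https://example.com/search?q=test
http://example.com/item?id=7&ref=home
https://example.com/static/app.js'

SAMPLE_JSON='{"type":"G","inject_type":"BUILTIN","method":"GET","data":"https://example.com/search?q=test","param":"q","payload":"","severity":"Low"}
{"type":"R","inject_type":"inHTML-URL","method":"GET","data":"https://example.com/search?q=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E","param":"q","payload":"\"><svg/onload=alert(1)>","cwe":"CWE-79","severity":"Medium"}
{"type":"V","inject_type":"inHTML-URL","method":"GET","data":"https://example.com/search?q=%22%3E%3Csvg%2Fonload%3Dalert%281%29+class%3Ddalfox%3E","param":"q","payload":"\"><svg/onload=alert(1) class=dalfox>","cwe":"CWE-79","severity":"High"}'

# Entry point, only when invoked as a script named dalfox_pipe.sh:
#   gau example.com | sh dalfox_pipe.sh results.json 'Cookie: session=REDACTED'
case "${0##*/}" in
  dalfox_pipe.sh)
    [ "$#" -ge 2 ] || { echo "usage: $0 OUTFILE AUTH_HEADER [dalfox flags]" >&2; exit 2; }
    scan_stdin "$@"
    echo "verified findings: $(count_verified < "$1")" ;;
esac
```

The helpers are plain grep/sort so they work wherever sh does; swap verified_only for a jq filter if you need to pull out fields such as param or data for a report. Keeping the scan throttled (-w 10, --delay 500) costs time but is what keeps a production WAF from banning the scanner's IP halfway through the list.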

HEADLESS BROWSER SUPPORT

For DOM-based XSS, and to verify that reflected payloads actually execute, Dalfox drives a headless Chrome/Chromium through the chromedp library; a compatible browser binary must be installed locally. This stage is what produces V (verified) findings. --deep-domxss tests a larger DOM XSS payload set in the browser at a significant cost in time, and --skip-headless disables the stage entirely (faster, but no verification and no DOM XSS coverage).

HISTORY

Dalfox was written by hahwul (Jaewon Kim), a Korean security researcher and tool author, and is maintained on GitHub at https://github.com/hahwul/dalfox. Implemented in Go for speed and concurrency, it became one of the standard XSS scanners in bug bounty and pentest workflows because of its narrow focus and performance.

SEE ALSO

xsstrike, sqlmap, nikto, httpx
