dalfox
Discover and exploit XSS vulnerabilities
TLDR
Scan a single URL for XSS vulnerabilities
Scan a URL using a header for authentication
Scan a list of URLs from a file
Start Dalfox as a REST API server
SYNOPSIS
dalfox [global options] <URL> [scan options]
PARAMETERS
-b, --blind <string>
    Set Blind XSS URL for detection (e.g., https://xss.ht)
-o, --output <file>
    Output file for results and POC requests
-r, --req <file>
    Load request from file for scanning
-p, --param <params>
    Specific parameters to test (e.g., "q,test")
--trigger <string>
    Custom trigger word for blind XSS (default: Dalfox-Triggered)
-s, --scan-mode <mode>
    Scan mode: s(ingle), p(arameter), g(reedy)
--header <header:value>
    Add custom header for requests
-d, --data <data>
    POST data for requests
--cookie <cookie>
    Set cookies for session
-t, --threads <int>
    Number of threads (default: 20)
--waf <bypass>
    WAF bypass mode (e.g., evasive, random-case)
--grep <string>
    Custom grep pattern for detection
-H, --har <file>
    Load HAR file for scanning
--js
    Enable JavaScript scanner for DOM XSS
--skip-dom
    Skip DOM-based XSS scanning
-u, --url-encoding <type>
    URL encoding type (double, slash, etc.)
--proxy <proxy>
    Set proxy (e.g., http://127.0.0.1:8080)
--timeout <int>
    Request timeout in seconds (default: 10)
-v, --version
    Print version
-h, --help
    Show help
DESCRIPTION
Dalfox is an open-source, high-speed Cross-Site Scripting (XSS) scanning tool designed for penetration testers and bug bounty hunters. It leverages fuzzy matching, intelligent payload generation, and advanced techniques to detect reflected, DOM-based, and blind XSS vulnerabilities.
Key features include automatic parameter mining, trigger-based blind XSS detection, WAF bypassing payloads, and support for various injection points like query params, headers, POST data, and JSON bodies. It uses a genetic algorithm for payload evolution and supports chaining with other tools via request/response files. Dalfox is written in Go, making it portable and fast, capable of scanning thousands of payloads per second.
Ideal for web security audits, it outputs POC requests, confirmed payloads, and can integrate with CI/CD pipelines. Always use ethically on authorized targets to avoid legal issues.
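The reflection check that underlies this kind of detection, shown as an added Go example (not dalfox's own code): a unique alphanumeric token reveals where input is echoed, and a probe of HTML metacharacters appended to it reveals whether that sink encodes output. The token, probe and response bodies are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Reflection classifies how a scanner's probe came back in a response body.
type Reflection int

const (
	NotReflected Reflection = iota // token absent from the body
	TokenOnly                      // token present, metacharacters encoded or stripped
	RawReflected                   // token and metacharacters present verbatim
)

func (r Reflection) String() string {
	return [...]string{"not-reflected", "token-only", "raw-reflected"}[r]
}

// ClassifyReflection mirrors the two-stage check a reflected-XSS scanner performs:
// a unique token (like dalfox's trigger word) shows *where* input is echoed, and
// the probe of HTML metacharacters appended to it shows *whether* the application
// encodes output at that sink. Only the raw case is a finding worth confirming;
// TokenOnly means the sink reflects input but encoded or filtered it.
func ClassifyReflection(body, token, probe string) Reflection {
	if strings.Contains(body, token+probe) {
		return RawReflected
	}
	if strings.Contains(body, token) {
		return TokenOnly
	}
	return NotReflected
}

func main() {
	const token, probe = "dlfx7q2z", `<"'>` // constructed sample marker
	// Constructed sample responses, one per outcome.
	samples := map[string]string{
		"raw":     `<p>Results for dlfx7q2z<"'></p>`,
		"encoded": `<p>Results for dlfx7q2z&lt;&quot;&#39;&gt;</p>`,
		"absent":  `<p>No results.</p>`,
	}
	for name, body := range samples {
		fmt.Printf("%-8s -> %s\n", name, ClassifyReflection(body, token, probe))
	}
}
```

The same check works as a CI regression test for your own application: assert that every echoed parameter classifies as token-only, never raw-reflected.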
CAVEATS
Use only on targets with explicit permission; may generate false positives/negatives; resource-heavy on large scopes; WAFs may block aggressive scans; not for production without rate-limiting.
INSTALLATION
Via Go: go install github.com/hahwul/dalfox/v2@latest
Binaries: Download from GitHub releases for Linux/macOS/Windows.
BASIC EXAMPLE
dalfox -b https://your-blindxss.com -o poc.txt "https://target.com/search?q=1"
Scans for XSS, reports to blind URL, saves POC.
GITHUB
Source: https://github.com/hahwul/dalfox
Run dalfox -h for full options.
HISTORY
Developed by hahwul (Kim Seong-jun) starting in 2020 as an improved Burp/XSSer alternative. Reached v2 in 2022 with fuzzy logic enhancements. Widely adopted in bug bounty programs like HackerOne; over 10k GitHub stars; actively maintained with frequent payload updates.