Description
Dalfox is a powerful open-source XSS scanner and parameter analysis tool. It focuses on automation and has features like DOM XSS detection, blind XSS testing, and WAF detection.
Installation
```bash
go install github.com/hahwul/dalfox/v2@latest
```
Basic Usage
```bash
# Single URL
dalfox url "https://target.com/?q=test"

# From file
dalfox file urls.txt
```
Advanced Usage
```bash
# Blind XSS
dalfox url "https://target.com/?q=test" --blind "https://your-xss-hunter.com"

# Remote payloads
dalfox url "https://target.com/?q=test" --remote-payloads portswigger

# Follow redirects
dalfox url "https://target.com/?q=test" --follow-redirects

# Custom payloads
dalfox url "https://target.com/?q=test" --custom-payload payloads.txt

# With proxy
dalfox url "https://target.com/?q=test" --proxy http://127.0.0.1:8080

# Pipeline mode
cat params.txt | dalfox pipe

# JSON output
dalfox url "https://target.com/?q=test" -o results.json --format json
```
Common Workflows
```bash
# Param discovery → XSS testing
paramspider -d target.com | dalfox pipe --blind "https://xss.hunter"

# Mass XSS scanning
cat urls-with-params.txt | dalfox pipe -o xss-results.txt
```
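Before feeding discovery output into `dalfox pipe`, a tester will want to gate the list by scope so that only authorised hosts are scanned. The following is an added bash example (not Dalfox code and not from the original page): it keeps only http(s) URLs whose host is in an allowlist and which carry a query parameter. The allowlist `example.com` and the URL list are constructed sample input.

```bash
#!/usr/bin/env bash
# Added example, not Dalfox code: gate a URL list before `dalfox pipe` so only
# in-scope http(s) URLs that carry a query parameter are scanned.
# Assumption: the allowlist (example.com) and the URL list below are constructed.

# Print the lowercased host of an http(s) URL, without userinfo or port.
url_host() {
  local rest
  rest="${1#http://}"; rest="${rest#https://}"
  rest="${rest%%/*}"; rest="${rest%%\?*}"; rest="${rest%%#*}"
  rest="${rest##*@}"                    # drop user:pass@
  rest="${rest%%:*}"                    # drop :port
  printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Succeed (status 0) when $1 equals an allowlisted host or is a subdomain of one.
in_scope() {
  local host allowed
  host="$1"; shift
  for allowed in "$@"; do
    allowed="$(printf '%s' "$allowed" | tr 'A-Z' 'a-z')"
    [ "$host" = "$allowed" ] && return 0
    [ "${host%".$allowed"}" != "$host" ] && return 0
  done
  return 1
}

# Read URLs on stdin; emit those that are http(s), in scope, and have a ?name=value.
filter_scope() {
  local url host
  while IFS= read -r url; do
    case "$url" in http://*|https://*) ;; *) continue ;; esac
    case "$url" in *\?*=*) ;; *) continue ;; esac    # nothing for dalfox to test
    host="$(url_host "$url")"
    in_scope "$host" "$@" && printf '%s\n' "$url"
  done
  return 0
}

# Constructed sample: discovery output mixed with out-of-scope and parameterless URLs.
sample_urls='https://app.example.com/search?q=test
https://example.com/static/logo.png
http://evil.example.net/?q=1
https://api.example.com:8443/v1/items?id=5
https://example.com.evil.net/?q=1
ftp://example.com/?x=1'

# Pipe the gated list on to the scanner: ... | filter_scope example.com | dalfox pipe
printf '%s\n' "$sample_urls" | filter_scope example.com
```

Only `https://app.example.com/search?q=test` and `https://api.example.com:8443/v1/items?id=5` survive the gate; look-alike hosts such as `example.com.evil.net` are rejected because the match is anchored to the end of the hostname.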