Dalfox
Advanced XSS vulnerability scanner and parameter analysis tool
Web Vulnerabilities | 12 commands
#xss #scanner #automation #fuzzing #parameter
Installation
1. Install using Go
2. Download from GitHub releases
3. Verify installation
# Using Go
go install github.com/hahwul/dalfox/v2@latest
# Or download from releases
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_linux_amd64.tar.gz
# Verify
dalfox version
Basic Usage
Scan URLs for XSS vulnerabilities with automatic parameter detection
# Single URL scan
dalfox url "https://example.com/page.php?name=test"
# Scan from file
dalfox file urls.txt
# Pipeline mode: read URLs from stdin
cat urls.txt | dalfox pipe
# Blind XSS with callback
dalfox url "https://example.com/page?q=1" --blind https://your.xss.ht
# Report output
dalfox url "https://example.com/page?p=1" -o report.html
Command Reference
12 commands
1. Scan a single URL
   url
2. Scan URLs from a file
   file
3. Scan URLs from stdin
   pipe
4. Set blind XSS callback URL
   --blind
5. Action when XSS is found
   --found-action
6. Save results to file
   --output
7. Output format (json/html)
   --format
8. Use dictionary for param mining
   --mining-dict
9. Set cookie for authenticated scans
   --cookie
10. Add custom headers
   --header
11. Delay between requests
   --delay
12. Request timeout in seconds
   --timeout
When to Use
1. Scanning large lists of URLs for XSS
2. Automated XSS detection in CI/CD pipelines
3. Blind XSS testing with callback servers
4. Post-recon XSS analysis of collected URLs
5. Validating XSS findings with proof-of-concept
Notes & Tips
1. Written in Go; very fast compared to traditional XSS scanners
2. Supports WAF detection and bypass techniques
3. Can mine parameters from responses automatically
4. Integrates with Slack and Discord for notifications
Common Errors & Solutions
No XSS found
Try --mining-dict to discover more parameters, or use --deep for thorough scanning
Rate limited
Increase delay with --delay flag, rotate user-agents with --header