Dalfox is a powerful open-source XSS scanner and automation utility. Reflected, Stored, DOM-based — discovered, verified, and reported with AST-level precision across every parameter in your app.
brew install dalfox
// Capabilities
From a single URL to full pipelines, Dalfox adapts to how you work — CLI, file batch, pipe, server mode, or MCP. Every finding is parsed, verified, and reported with context you can act on.
Reflected, Stored, and DOM-based XSS with payload optimization. AST-backed DOM verification means no more false positives from blind reflections.
Mining, static analysis, BAV testing, and context-aware charset probing — every parameter gets a full attack profile.
Fingerprints popular WAFs and mutates payloads with encoding, casing, and polyglot tactics to slip through.
Pipe, file-batch, and server modes drop into CI/CD. Pair with your proxy, crawler, or recon stack without friction.
Run Dalfox as a long-lived server with REST control, or expose it as an MCP tool to agents and IDEs.
Export to the format your workflow speaks — from terse CLI output to SARIF for GitHub code scanning.
// Modes
Pick the shape that fits your target. Every mode shares the same discovery and verification engine.
// Workflow
Dalfox is designed to drop into whatever you already have — no fancy setup, no heavy orchestration.
Grab Dalfox through Homebrew, Snap, Nix, cargo, or a prebuilt binary. One command, no runtime to manage.
brew install dalfox
Give it a URL, a file, or pipe in a crawl. Dalfox mines parameters, probes contexts, and adapts.
dalfox scan https://target.app
Export to SARIF, JSON, or Markdown, or proxy results to your pipeline. Findings come verified, not guessed.
dalfox scan urls.txt -o report.sarif
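As an added example, not code from the Dalfox project or this page: a small CI gate that reads the report written by `dalfox scan urls.txt -o report.sarif` and fails the job when verified findings are present. It assumes only the standard SARIF 2.1.0 layout; the rule ids, messages and URLs in the embedded sample report are constructed for illustration, not Dalfox's actual output.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 layout, standing in for the report.sarif
# written by `dalfox scan urls.txt -o report.sarif`. Rule ids and messages
# are assumptions for illustration, not Dalfox's real output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "dalfox"}},
        "results": [
            {"ruleId": "xss-reflected", "level": "error",
             "message": {"text": "verified reflected XSS in parameter q"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://target.app/search?q=1"}}}]},
            {"ruleId": "xss-dom", "level": "error",
             "message": {"text": "verified DOM XSS via location.hash"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://target.app/#home"}}}]},
            {"ruleId": "param-reflected", "level": "note",
             "message": {"text": "parameter reflected but not exploitable"},
             "locations": [{"physicalLocation": {"artifactLocation": {
                 "uri": "https://target.app/profile?name=a"}}}]},
        ],
    }],
})

BLOCKING_LEVELS = {"error", "warning"}  # SARIF levels that should fail the job

def summarize_sarif(sarif_text):
    """Return (blocking_count, counts_per_rule, urls_with_blocking_findings)."""
    report = json.loads(sarif_text)
    per_rule, urls, blocking = Counter(), set(), 0
    for run in report.get("runs", []):
        for result in run.get("results", []):
            per_rule[result.get("ruleId", "unknown")] += 1
            # SARIF treats a missing level as "warning"
            if result.get("level", "warning") not in BLOCKING_LEVELS:
                continue
            blocking += 1
            for loc in result.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                if uri:
                    urls.add(uri)
    return blocking, dict(per_rule), sorted(urls)

def ci_exit_code(sarif_text):
    """Non-zero when any blocking finding exists, so the pipeline step fails."""
    return 1 if summarize_sarif(sarif_text)[0] else 0
```

In a pipeline step, read the real `report.sarif` from disk and exit with `ci_exit_code(...)`; informational results (`note`) are counted in the summary but do not block.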
Thousands of scans, zero fuss. Star the repo, read the docs, or drop Dalfox in your next recon loop.
Thanks to our contributors