Hunt every XSS
before it hunts you.
Reflected, Stored, and DOM-based flaws, discovered and verified with AST-level precision across every parameter.
One command, a verified finding
Point Dalfox at a target and it discovers parameters, probes contexts, injects, and confirms the hit at the DOM level before it ever reaches your report.
brew install dalfox
// Capabilities
One scanner, the whole XSS workflow
Run it against one URL or a full pipeline: CLI, file batch, pipe, server, or MCP. The same engine sits underneath each one, and every finding comes back parsed, DOM-verified, and reported in a format you can act on.
Deep XSS discovery
Reflected, Stored, and DOM-based XSS with payload optimization. AST-backed DOM verification means no more false positives from blind reflections.
Parameter intelligence
Mining, static analysis, BAV testing, and context-aware charset probing give every parameter a full attack profile.
WAF aware
Fingerprints popular WAFs and mutates payloads with encoding, casing, and polyglot tactics to slip through.
Built for pipelines
Pipe, file-batch, and server modes fit into CI/CD. Chain Dalfox behind your proxy, crawler, or recon stack.
REST API & MCP
Run Dalfox as a long-lived server with REST control, or expose it as an MCP tool to agents and IDEs.
Reports you can ship
Export to the format your workflow speaks, from terse CLI output to SARIF for GitHub code scanning.
// Modes
Six ways to run Dalfox
Pick the shape that fits your target. Every mode shares the same discovery and verification engine.
dalfox scan https://target.appPoint Dalfox at a single URL. It mines parameters, probes each context, and verifies every hit at the DOM level.
dalfox scan urls.txtSweep a whole list of targets from a file, one URL per line, with the same engine and one report.
cat urls.txt | dalfox scanRead targets from stdin so Dalfox drops straight into your crawler or recon pipeline.
dalfox scan https://app/post --sxss-url https://app/feedInject on one endpoint, then confirm the payload fires on another. Stored XSS, verified end to end.
dalfox serverRun Dalfox as a long-lived REST API for async scan jobs, integrations, and dashboards.
dalfox mcpExpose Dalfox as an MCP tool so agents and IDEs can scan on your behalf.
From install to verified finding in three steps
Dalfox drops into whatever you already run. No setup ritual, no orchestration layer to stand up first.
Install
Grab Dalfox through Homebrew, Snap, Nix, cargo, or a prebuilt binary. One command, no runtime to manage.
brew install dalfox
Point at a target
Give it a URL, a file, or pipe in a crawl. Dalfox mines parameters, probes contexts, and adapts.
dalfox scan https://target.app
Ship the findings
Export to SARIF, JSON, or Markdown, or proxy results to your pipeline. Findings come verified, not guessed.
dalfox scan urls.txt -o report.sarif
Built in the open, by hunters everywhere
Dalfox is shaped by the people who run it. Open an issue, send a pull request, or trade payloads with the community. Every contribution makes the next scan sharper.
Thanks to our contributors
Ready to hunt?
Read the docs, star the repo, or drop Dalfox into your next recon loop.