Command Line Flags
This page provides a comprehensive overview of Dalfox’s command line flags, organized by functionality.
Request Configuration Flags
These flags allow you to customize the HTTP requests sent by Dalfox:
| Flag | Description |
|---|---|
-b, --blind string | Specify a blind XSS callback URL. Example: -b 'https://your-callback-url.com' |
-C, --cookie string | Add custom cookies to the request. Example: -C 'sessionid=abc123' |
--cookie-from-raw string | Load cookies from a raw HTTP request file. Example: --cookie-from-raw 'request.txt' |
-d, --data string | Use POST method and add body data. Example: -d 'username=admin&password=admin' |
-F, --follow-redirects | Follow HTTP redirects. Example: -F |
-H, --header strings | Add custom headers to the request. Example: -H 'Authorization: Bearer <token>' |
-X, --method string | Override the HTTP method (default: GET). Example: -X 'PUT' |
--proxy string | Send all requests through a proxy server. Example: --proxy 'http://127.0.0.1:8080' |
--timeout int | Set the request timeout in seconds (default: 10). Example: --timeout 10 |
--user-agent string | Set a custom User-Agent header. Example: --user-agent 'Mozilla/5.0' |
Scanning Configuration Flags
These flags control the behavior of the scanning process:
| Flag | Description |
|---|---|
--config string | Load configuration from a file. Example: --config 'config.json' |
--custom-alert-type string | Set a custom alert type (default: “none”). Example: --custom-alert-type 'str,none' |
--custom-alert-value string | Set a custom alert value (default: “1”). Example: --custom-alert-value 'document.cookie' |
--custom-payload string | Load custom payloads from a file. Example: --custom-payload 'payloads.txt' |
--deep-domxss | Enable deep DOM XSS testing with more payloads (slow). Example: --deep-domxss |
--delay int | Set the delay between requests to the same host in milliseconds. Example: --delay 1000 |
--force-headless-verification | Force headless browser-based verification, useful when automatic detection fails. Example: --force-headless-verification |
--ignore-param strings | Ignore specific parameters during scanning. Example: --ignore-param 'api_token' --ignore-param 'csrf_token' |
--ignore-return string | Ignore specific HTTP return codes. Example: --ignore-return '302,403,404' |
-p, --param strings | Specify parameters to test. Example: -p 'username' -p 'password' |
--remote-payloads string | Use remote payloads for XSS testing. Supported: portswigger, payloadbox. Example: --remote-payloads 'portswigger,payloadbox' |
--waf-evasion | Enable WAF evasion by adjusting speed when detecting WAF (worker=1, delay=3s). Example: --waf-evasion |
Performance Flags
These flags allow you to fine-tune the performance of Dalfox:
| Flag | Description |
|---|---|
--max-cpu int | Set the maximum number of CPUs to use (default: 1). Example: --max-cpu 1 |
-w, --worker int | Set the number of concurrent workers (default: 100). Example: -w 100 |
Parameter Mining Flags
These flags control how Dalfox discovers and tests parameters:
| Flag | Description |
|---|---|
--mining-dict | Enable dictionary-based parameter mining (default: true). Example: --mining-dict |
-W, --mining-dict-word string | Specify a custom wordlist file for parameter mining. Example: -W 'wordlist.txt' |
--mining-dom | Enable DOM-based parameter mining (default: true). Example: --mining-dom |
--remote-wordlists string | Use remote wordlists for parameter mining. Supported: burp, assetnote. Example: --remote-wordlists 'burp' |
--skip-mining-all | Skip all parameter mining. Example: --skip-mining-all |
--skip-mining-dict | Skip dictionary-based parameter mining. Example: --skip-mining-dict |
--skip-mining-dom | Skip DOM-based parameter mining. Example: --skip-mining-dom |
Control Flow Flags
These flags allow you to control the scanning flow:
| Flag | Description |
|---|---|
--only-custom-payload | Only test custom payloads. Example: --only-custom-payload |
--only-discovery | Only perform parameter analysis, skip XSS scanning. Example: --only-discovery |
--skip-bav | Skip Basic Another Vulnerability (BAV) analysis. Example: --skip-bav |
--skip-discovery | Skip the entire discovery phase, proceeding directly to XSS scanning. Requires -p flag. Example: --skip-discovery -p 'username' |
--skip-grepping | Skip built-in grepping. Example: --skip-grepping |
--skip-headless | Skip headless browser-based scanning (DOM XSS and inJS verification). Example: --skip-headless |
--skip-xss-scanning | Skip XSS scanning. Example: --skip-xss-scanning |
--use-bav | Enable Basic Another Vulnerability (BAV) analysis. Example: --use-bav |
Output and Reporting Flags
These flags control how Dalfox presents its findings:
| Flag | Description |
|---|---|
--debug | Enable debug mode and save all logs. Example: --debug |
--format string | Set the output format. Supported: plain, json (default: plain). Example: --format 'json' |
--found-action string | Execute a command when a vulnerability is found. Example: --found-action './notify.sh' |
--found-action-shell string | Specify the shell to use for the found action (default: bash). Example: --found-action-shell 'bash' |
--grep string | Use a custom grepping file. Example: --grep './samples/sample_grep.json' |
--har-file-path string | Specify the path to save HAR files of scan requests. Example: --har-file-path 'scan.har' |
--no-color | Disable colorized output. Example: --no-color |
--no-spinner | Disable spinner animation. Example: --no-spinner |
--only-poc string | Show only the PoC code for the specified pattern. Supported: g (grep), r (reflected), v (verified). Example: --only-poc 'g,v' |
-o, --output string | Write output to a file. Example: -o 'output.txt' |
--output-all | Enable all log write mode (output to file or stdout). Example: --output-all |
--output-request | Include raw HTTP requests in the results. Example: --output-request |
--output-response | Include raw HTTP responses in the results. Example: --output-response |
--poc-type string | Select the PoC type. Supported: plain, curl, httpie, http-request (default: plain). Example: --poc-type 'curl' |
--report | Show detailed report. Example: --report |
--report-format string | Set the format of the report. Supported: plain, json (default: plain). Example: --report-format 'json' |
-S, --silence | Only print PoC code and progress. Example: -S |
Usage Examples
Basic scanning with custom headers and cookies:
dalfox url https://example.com -H 'Authorization: Bearer token' -C 'session=abc123'
Using POST method with data:
dalfox url https://example.com/login -d 'username=admin&password=admin'
Output results to a JSON file with detailed reporting:
dalfox url https://example.com --format json -o results.json --report --report-format json
Parameter mining with custom wordlist and increased workers:
dalfox url https://example.com -W wordlist.txt -w 200
Using blind XSS detection with a callback URL:
dalfox url https://example.com -b https://your-xss-catcher.com/hook
WAF evasion with custom payloads:
dalfox url https://example.com --waf-evasion --custom-payload payloads.txt
Using a proxy and following redirects:
dalfox url https://example.com --proxy http://127.0.0.1:8080 -F
Executing a notification script when vulnerabilities are found:
dalfox url https://example.com --found-action './notify.sh'
Saving HAR files for further analysis:
dalfox url https://example.com --har-file-path scan.har