Getting Started

Welcome Installation Update DalFox Usage and Modes Scanning Single URL Scanning Multiple URL

Advance Guides

Output Handling Use config file BAV Scanning From Raw Request Parameter Mining Custom payload and Custom alert Remote payloads In the Code In the Github Action

Modes

URL Mode Pipeline Mode File Mode Stored XSS Mode Server Mode (REST API) Payload Mode

Format and Spec

Format Of PoC Injectable point Result JSON Format Global Flags

Tips of Dalfox

OneLiner Integration with found-action For CI/CD Pipeline

Stored XSS Mode

sxss mode is a mode for easy identification of Stored XSS. The default behavior is the same as url mode, but you can specify a separate URL to validate, and you can generate a dynamic verification URL with the –sequence option in case the verification URL changes.

▶ dalfox sxss {TARGET-URL} --trigger {VERIFY_URL}

e.g

▶ dalfox sxss https://test.url.local/update_profile -d "nickname=abc" --trigger "https://test.url.local/my_profile"

send POST request to Store the XSS payload and verify it working of the payload with an GET request

▶ dalfox sxss -X POST https://test.url.local/update_profile -d "nickname=abc" --trigger "https://test.url.local/my_profile" --reqeust-method GET

Improve this page