Getting Started
Welcome! This section gets you from zero to a verified XSS finding in about ten minutes.
What is Dalfox?
Dalfox is a powerful open-source XSS scanner and automation utility. Give it a URL, a file of URLs, or a piped crawl — it will:
- Discover parameters across the query string, body, headers, cookies, and DOM.
- Probe contexts to learn where each parameter lands (HTML, JavaScript, attribute, CSS).
- Inject payloads tuned to each context, with optional WAF-evasion encoders.
- Verify findings at the DOM level using an AST-backed parser — not just a text match.
- Report results in the format your workflow speaks (plain, JSON, JSONL, Markdown, SARIF, TOML).
Who is Dalfox for?
- Pentesters & bug hunters — fast CLI reconnaissance that fits any recon stack.
- Security teams — SARIF output drops into GitHub Advanced Security or any SAST dashboard.
- Developers — a REST API and MCP server let CI/CD pipelines and AI agents drive scans without leaving their tools.
Ready to go?
Start with Installation, then take the Quick Start tour. Once you're comfortable, hop into the Guide for deeper topics like WAF bypass and Stored XSS.