Server Mode
server
mode is a REST API mode that takes into account scalability. Using this mode, dalfox acts as a REST API server and can perform scanning using a web request.
dalfox server
e.g
dalfox server --host 0.0.0.0 --port 8090
_..._
.' .::::. __ _ _ ___ _ __ __
: :::::::: | \ / \ | | | __/ \\ V /
: :::::::: | o ) o || |_ | _( o )) (
'. '::::::' |__/|_n_||___||_| \_//_n_\
'-.::''
Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
🎯 Target REST API Mode
🧲 Listen Address 0.0.0.0:8090
🏁 Method GET
🖥 Worker 100
🔦 BAV true
⛏ Mining true (Gf-Patterns)
🔬 Mining-DOM true (mining from DOM)
⏱ Timeout 10
📤 FollowRedirect false
🕰 Started at 2021-07-08 18:10:15.214339875 +0900 KST m=+0.027712246
and supported swagger-ui
Basic scanning
req
curl -X POST "http://localhost:6664/scan" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"url\": \"https://www.hahwul.com\"}"
res
{"code":200,"msg":"28846e5b355577ecd60766f45735c4c687e8c1c200db65700e3f458b73234984","data":null}
Scanning with options
req
curl -X POST "http://localhost:6664/scan" \
-H "accept: application/json" \
-H "Content-Type: application/json" \
-d "{\"url\": \"https://www.hahwul.com\", \"options\":{\"cookie\":\"testz=11\",\"worker\":1}}"
res
{"code":200,"msg":"0462c53f75a528d263787af314f90e58016d693554216b9a4e34b50ad92da9ba","data":null}
Options lists
The options values are approximately the same as the cli option by default.
- https://github.com/hahwul/dalfox/blob/master/pkg/model/options.go
{
"url":"target",
"options": {
"param":"only testing this parameter",
"cookie": "auth=1234",
"header": "API-Key: abcd",
"config": "",
"blind": "your.xss.ht",
"data": "param=1234",
"user-agent": "ChromeTestUA",
"output": "output file",
"format": "json",
"found-action": "echo 1",
"proxy": "http://127.0.0.1:8080",
"grep": "TESTTOKEN",
"ignore-return": "500",
"trigger": "/trigger_url_using_sxss_mode",
"timeout": 5,
"worker": 30,
"delay": 1,
"sequence": 1,
"only-discovery": false,
"only-custom-payload": false,
"silence": false,
"mass": false,
"follow-redirects": false,
"mining-dict": true,
"mining-dom": false,
"mining-dict-word": "file_name",
"no-color": false,
"method": "GET",
"no-spinner": false,
"no-bav": false,
"skip-grepping": false,
"debug": false,
}
}
Swagger-ui
Swagger ui is available in the dalfox.
http://your-host:your-port/swagger/index.html
e.g http://localhost:6664/swagger/index.html