XSSMaze Score

XSSMaze is an intentionally vulnerable lab for measuring XSS-detection tooling. This page tracks how many of the endpoints in the main image (ghcr.io/hahwul/xssmaze:main) Dalfox detects. The numbers below are auto-generated by just xssmaze-score, never hand-written.

Latest score

Detection score: 98.2% (995 / 1013 endpoints detected across 169 categories)
dalfox v3.0.0 · xssmaze v0.2.0 · generated 2026-06-01

  • Endpoints: 1013 catalogued
  • Categories: 169 test groups
  • Fully detected: 162 categories at 100%
  • With gaps: 7 categories below 100%

Coverage by category

162 of 169 categories detect every endpoint. The chart highlights the 7 with gaps (worst first); the full breakdown is in the table.

  • jf 0/1 · 0.0%
  • xsleak 0/5 · 0.0%
  • storedpat 1/6 · 16.7%
  • edgefilter 5/6 · 83.3%
  • encodingedge 5/6 · 83.3%
  • modern 28/32 · 87.5%
  • prototype 9/10 · 90.0%
Category Endpoints Detected Verified Rate
advanced 6 6 0 100.0%
api 6 6 0 100.0%
apidom 6 6 0 100.0%
ariaattr 6 6 0 100.0%
attr 6 6 0 100.0%
attrctx 6 6 0 100.0%
attrname 4 4 0 100.0%
basic 7 7 0 100.0%
booleanattr 6 6 0 100.0%
browser 5 5 0 100.0%
bugbounty 10 10 0 100.0%
callback 4 4 0 100.0%
casemanip 6 6 0 100.0%
chain 6 6 0 100.0%
channel 4 4 0 100.0%
charlimit 6 6 0 100.0%
clientstate 6 6 0 100.0%
clipboard 4 4 0 100.0%
cmspattern 6 6 0 100.0%
codeexec 6 6 0 100.0%
commentinj 6 6 0 100.0%
complexpage 6 6 0 100.0%
condreflect 6 6 0 100.0%
csp 5 5 0 100.0%
cspbypass 6 6 0 100.0%
css 6 6 0 100.0%
csti 5 5 0 100.0%
ctxescape 8 8 0 100.0%
ctxv2 6 6 0 100.0%
ctype 6 6 0 100.0%
customtag 6 6 0 100.0%
dashboard 6 6 0 100.0%
dataattr 6 6 0 100.0%
dataurl 4 4 0 100.0%
dblenc 4 4 0 100.0%
decode 4 4 0 100.0%
dialog 5 5 0 100.0%
dom 35 35 0 100.0%
domctx 6 6 0 100.0%
doublereflect 6 6 0 100.0%
dragdrop 4 4 0 100.0%
ecommerce 6 6 0 100.0%
edge 8 8 0 100.0%
email 6 6 0 100.0%
embedctx 6 6 0 100.0%
encmix 6 6 0 100.0%
encoding 8 8 0 100.0%
errhandling 6 6 0 100.0%
errpage 6 6 0 100.0%
eventhandler 5 5 0 100.0%
filterchain 8 8 0 100.0%
formaction 4 4 0 100.0%
formelement 6 6 0 100.0%
fragment 6 6 0 100.0%
fwoutput 6 6 0 100.0%
globalattr 6 6 0 100.0%
header 4 4 0 100.0%
headerinj 6 6 0 100.0%
headless 6 6 0 100.0%
hidden 9 9 0 100.0%
history 2 2 0 100.0%
hpp 4 4 0 100.0%
html5 8 8 0 100.0%
import 6 6 0 100.0%
inattr 6 6 0 100.0%
inframe 4 4 0 100.0%
injs 6 6 0 100.0%
inlinestyle 6 6 0 100.0%
inputtransform 6 6 0 100.0%
jquery 6 6 0 100.0%
jsctx 6 6 0 100.0%
jsescape 6 6 0 100.0%
json 6 6 0 100.0%
jsonctx 6 6 0 100.0%
latereflect 6 6 0 100.0%
linkcontext 6 6 0 100.0%
listiteration 6 6 0 100.0%
manifest 1 1 0 100.0%
markdown 6 6 0 100.0%
mathml 3 3 0 100.0%
mediacontext 6 6 0 100.0%
metarefresh 4 4 0 100.0%
microdata 6 6 0 100.0%
misc 6 6 0 100.0%
mixedmethod 6 6 0 100.0%
mobserver 4 4 0 100.0%
multicontext 6 6 0 100.0%
multiline 6 6 0 100.0%
multiparam 6 6 0 100.0%
multipart 4 4 0 100.0%
multipleoutput 6 6 0 100.0%
multireflect 8 8 0 100.0%
multivector 6 6 0 100.0%
mutfilter 6 6 0 100.0%
mxss 5 5 0 100.0%
nestedctx 6 6 0 100.0%
nestedfilter 6 6 0 100.0%
nonce 4 4 0 100.0%
noscript 4 4 0 100.0%
numericcontext 6 6 0 100.0%
obfuscation 6 6 0 100.0%
opener 2 2 0 100.0%
partialencode 6 6 0 100.0%
path 4 4 0 100.0%
pathxss 6 6 0 100.0%
payloadfilt 6 6 0 100.0%
pdiff 6 6 0 100.0%
polyctx 6 6 0 100.0%
polyglot 3 3 0 100.0%
popover 3 3 0 100.0%
post 2 2 0 100.0%
postmethod 6 6 0 100.0%
racecon 4 4 0 100.0%
realworld 16 16 0 100.0%
realworld_input 8 8 0 100.0%
recfilt 6 6 0 100.0%
redirect 4 4 0 100.0%
redirectxss 6 6 0 100.0%
referrer 2 2 0 100.0%
regexbypass 8 8 0 100.0%
regexfilt 6 6 0 100.0%
reparse 5 5 0 100.0%
replacementfilter 6 6 0 100.0%
respheader 6 6 0 100.0%
rsplit 4 4 0 100.0%
rwpattern 6 6 0 100.0%
sanitizer 12 12 0 100.0%
scanbounty 8 8 0 100.0%
scriptgadget 6 6 0 100.0%
semantictag 6 6 0 100.0%
seoctx 6 6 0 100.0%
service 2 2 0 100.0%
shadow 5 5 0 100.0%
sink 8 8 0 100.0%
slot 4 4 0 100.0%
social 6 6 0 100.0%
specialchar 6 6 0 100.0%
specialtag 8 8 0 100.0%
srcdoc 5 5 0 100.0%
srcset 4 4 0 100.0%
storage 2 2 0 100.0%
stored 4 4 0 100.0%
stream 3 3 0 100.0%
svg 6 6 0 100.0%
svgctx 6 6 0 100.0%
tablecontext 6 6 0 100.0%
tagattrmix 6 6 0 100.0%
template 6 6 0 100.0%
timing 6 6 0 100.0%
tplel 4 4 0 100.0%
tplinject 6 6 0 100.0%
truncation 6 6 0 100.0%
trustedtypes 5 5 0 100.0%
unicode 6 6 0 100.0%
url 6 6 0 100.0%
waf 8 8 0 100.0%
wafv2 6 6 0 100.0%
websocket 7 7 0 100.0%
whitespace 6 6 0 100.0%
worker 4 4 0 100.0%
wrappercontext 6 6 0 100.0%
xmlctx 6 6 0 100.0%
prototype 10 9 0 90.0%
modern 32 28 0 87.5%
edgefilter 6 5 0 83.3%
encodingedge 6 5 0 83.3%
storedpat 6 1 0 16.7%
jf 1 0 0 0.0%
xsleak 5 0 0 0.0%
Total 1013 995 0 98.2%

Generated 2026-06-01T00:49:45Z · image ghcr.io/hahwul/xssmaze:main (ghcr.io/hahwul/xssmaze@sha256:0e1ae9af7cfff1dfabdc20b11761dbcddcc023b60aa7f2314953ea5368db6193) · run just xssmaze-score to refresh.

Methodology

  • Targets: every endpoint returned by XSSMaze's /map/json, grouped by its catalog type (category).
  • Per-endpoint scan: Dalfox is pointed at the exact injection point the catalog declares (query, body, header, or path), with parameter mining disabled (--skip-mining); discovery and reflection checks stay on so header/path cases still resolve.
  • Detected: an endpoint counts as detected when Dalfox returns at least one finding (verified, reflected, or AST-DOM).
  • Verified: the subset where Dalfox confirmed execution in the parsed DOM (finding type V).
  • Rate: detected / endpoints, per category and overall.

Each snapshot is pinned to the Dalfox version that produced it and the exact XSSMaze image digest, both shown beneath the table. The raw data lives in docs/data/xssmaze-score.json.
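The counting rules above (detected = at least one finding of any type, verified = at least one type-V finding, rate = detected / endpoints, rows in table order and gaps worst first) are small enough to show end to end. The following is an added example written for this page, not the project's own scoring script: the Finding and EndpointResult structs are assumptions standing in for whatever /map/json and Dalfox's JSON output actually contain, and SampleResults is constructed input rather than real scan data.

```go
package main

import (
	"fmt"
	"sort"
)

// Finding is one Dalfox result. Type uses the page's vocabulary: "V" (verified
// in the parsed DOM), "R" (reflected) or "DOM" (AST-DOM). Assumed shape, not
// Dalfox's real output schema.
type Finding struct {
	Type string
}

// EndpointResult pairs a catalogued endpoint (path and category from /map/json)
// with the findings Dalfox returned for its declared injection point; an
// endpoint with nothing found has an empty slice. Assumed shape.
type EndpointResult struct {
	Path     string
	Category string
	Findings []Finding
}

// CategoryScore is one row of the coverage table.
type CategoryScore struct {
	Category  string
	Endpoints int
	Detected  int
	Verified  int
}

// Rate is detected / endpoints as a percentage; an empty category scores 0.
func (c CategoryScore) Rate() float64 {
	if c.Endpoints == 0 {
		return 0
	}
	return 100 * float64(c.Detected) / float64(c.Endpoints)
}

// Score applies the page's rules: detected when at least one finding of any
// type came back, verified when at least one of them is type V (counted once
// per endpoint). Rows come back in table order: highest rate first, then name.
func Score(results []EndpointResult) []CategoryScore {
	byCat := map[string]*CategoryScore{}
	for _, r := range results {
		c, ok := byCat[r.Category]
		if !ok {
			c = &CategoryScore{Category: r.Category}
			byCat[r.Category] = c
		}
		c.Endpoints++
		if len(r.Findings) > 0 {
			c.Detected++
		}
		for _, f := range r.Findings {
			if f.Type == "V" {
				c.Verified++
				break
			}
		}
	}
	rows := make([]CategoryScore, 0, len(byCat))
	for _, c := range byCat {
		rows = append(rows, *c)
	}
	sortRows(rows, false)
	return rows
}

// Gaps keeps only categories below 100%, worst first (the chart's order).
func Gaps(rows []CategoryScore) []CategoryScore {
	var g []CategoryScore
	for _, r := range rows {
		if r.Detected < r.Endpoints {
			g = append(g, r)
		}
	}
	sortRows(g, true)
	return g
}

// Total folds the rows into the headline figure.
func Total(rows []CategoryScore) CategoryScore {
	t := CategoryScore{Category: "Total"}
	for _, r := range rows {
		t.Endpoints += r.Endpoints
		t.Detected += r.Detected
		t.Verified += r.Verified
	}
	return t
}

// sortRows orders by rate (descending, or ascending when worstFirst), then name.
func sortRows(rows []CategoryScore, worstFirst bool) {
	sort.Slice(rows, func(i, j int) bool {
		ri, rj := rows[i].Rate(), rows[j].Rate()
		if ri != rj {
			return (ri < rj) == worstFirst
		}
		return rows[i].Category < rows[j].Category
	})
}

// SampleResults is constructed input for this example, not real scan output.
func SampleResults() []EndpointResult {
	return []EndpointResult{
		{Path: "/basic/1", Category: "basic", Findings: []Finding{{Type: "V"}, {Type: "R"}}},
		{Path: "/basic/2", Category: "basic", Findings: []Finding{{Type: "R"}}},
		{Path: "/basic/3", Category: "basic", Findings: []Finding{{Type: "DOM"}}},
		{Path: "/storedpat/1", Category: "storedpat", Findings: []Finding{{Type: "R"}}},
		{Path: "/storedpat/2", Category: "storedpat"},
		{Path: "/xsleak/1", Category: "xsleak"},
	}
}

func main() {
	rows := Score(SampleResults())
	fmt.Printf("%-12s %9s %8s %8s %6s\n", "Category", "Endpoints", "Detected", "Verified", "Rate")
	for _, r := range append(rows[:len(rows):len(rows)], Total(rows)) {
		fmt.Printf("%-12s %9d %8d %8d %5.1f%%\n", r.Category, r.Endpoints, r.Detected, r.Verified, r.Rate())
	}
	for _, g := range Gaps(rows) {
		fmt.Printf("gap: %s %d/%d\n", g.Category, g.Detected, g.Endpoints)
	}
}
```

Running it prints a three-row table plus the Total line and the two gap categories (xsleak, then storedpat). Keeping Verified as a separate counter from Detected is the point: a category can sit at 100% with Verified at 0, which is exactly what the table above shows, so the two numbers must never be merged when the JSON is aggregated.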

Reading the numbers

A high rate in a category means Dalfox reliably reaches those sinks and returns a finding for them; a low rate flags contexts worth investing in next. Detected and Verified are separate columns: the rate counts a finding of any type, and in this snapshot the Verified column is 0 for every category, so the 98.2% headline measures detection rather than confirmed execution in the DOM. Because the scan targets the known injection point and skips mining, it measures Dalfox's detection capability rather than its parameter-discovery breadth; discovery is exercised separately by the functional test suite. Scores move as both Dalfox and XSSMaze evolve, so always read them alongside the versions stamped under the table.
