XSSMaze Score

XSSMaze is an intentionally vulnerable lab for measuring XSS-detection tooling. This page tracks how much of the main image (ghcr.io/hahwul/xssmaze:main) Dalfox detects. The numbers below are auto-generated by just xssmaze-score, never hand-written.

Latest score

Detection score

97.9%

1014 / 1036 endpoints detected across 171 categories

dalfox v3.1.0xssmaze v0.2.0generated 2026-06-20

Endpoints

1036

catalogued

Coverage by category

162 of 171 categories detect every endpoint. The chart highlights the 9 with gaps (worst first); the full breakdown is in the table.

jf0/1 · 0.0%

xsleak0/5 · 0.0%

storedpat1/6 · 16.7%

json4/6 · 66.7%

edgefilter5/6 · 83.3%

encodingedge5/6 · 83.3%

modern27/32 · 84.4%

bugbounty9/10 · 90.0%

prototype9/10 · 90.0%

Category	Endpoints	Detected	Rate
`advanced`	6	6	100.0%
`api`	6	6	100.0%
`apidom`	6	6	100.0%
`ariaattr`	6	6	100.0%
`attr`	6	6	100.0%
`attrctx`	6	6	100.0%
`attrname`	4	4	100.0%
`basic`	7	7	100.0%
`booleanattr`	6	6	100.0%
`browser`	5	5	100.0%
`callback`	4	4	100.0%
`casemanip`	6	6	100.0%
`chain`	6	6	100.0%
`channel`	4	4	100.0%
`charlimit`	6	6	100.0%
`clientstate`	6	6	100.0%
`clipboard`	4	4	100.0%
`cmspattern`	6	6	100.0%
`codeexec`	6	6	100.0%
`commentinj`	6	6	100.0%
`complexpage`	6	6	100.0%
`condreflect`	6	6	100.0%
`csp`	5	5	100.0%
`cspbypass`	6	6	100.0%
`css`	6	6	100.0%
`csti`	5	5	100.0%
`ctxescape`	8	8	100.0%
`ctxv2`	6	6	100.0%
`ctype`	6	6	100.0%
`customtag`	6	6	100.0%
`dashboard`	6	6	100.0%
`dataattr`	6	6	100.0%
`dataurl`	4	4	100.0%
`dblenc`	4	4	100.0%
`decode`	4	4	100.0%
`dialog`	5	5	100.0%
`dom`	38	38	100.0%
`domctx`	6	6	100.0%
`doublereflect`	6	6	100.0%
`dragdrop`	4	4	100.0%
`ecommerce`	6	6	100.0%
`edge`	8	8	100.0%
`email`	6	6	100.0%
`embedctx`	6	6	100.0%
`encmix`	6	6	100.0%
`encoding`	8	8	100.0%
`errhandling`	6	6	100.0%
`errpage`	6	6	100.0%
`eventhandler`	5	5	100.0%
`filterchain`	8	8	100.0%
`formaction`	4	4	100.0%
`formelement`	6	6	100.0%
`fragment`	6	6	100.0%
`fwoutput`	6	6	100.0%
`globalattr`	6	6	100.0%
`header`	4	4	100.0%
`headerinj`	6	6	100.0%
`headless`	6	6	100.0%
`hidden`	9	9	100.0%
`history`	2	2	100.0%
`hpp`	4	4	100.0%
`html5`	8	8	100.0%
`htmlunsafe`	6	6	100.0%
`import`	6	6	100.0%
`inattr`	6	6	100.0%
`inframe`	4	4	100.0%
`injs`	6	6	100.0%
`inlinestyle`	6	6	100.0%
`inputtransform`	6	6	100.0%
`jquery`	6	6	100.0%
`jsctx`	6	6	100.0%
`jsescape`	6	6	100.0%
`jsonctx`	6	6	100.0%
`latereflect`	6	6	100.0%
`linkcontext`	6	6	100.0%
`listiteration`	6	6	100.0%
`manifest`	1	1	100.0%
`markdown`	6	6	100.0%
`mathml`	3	3	100.0%
`mediacontext`	6	6	100.0%
`metarefresh`	4	4	100.0%
`microdata`	6	6	100.0%
`misc`	6	6	100.0%
`mixedmethod`	6	6	100.0%
`mobserver`	4	4	100.0%
`multicontext`	6	6	100.0%
`multiline`	6	6	100.0%
`multiparam`	6	6	100.0%
`multipart`	4	4	100.0%
`multipleoutput`	6	6	100.0%
`multireflect`	8	8	100.0%
`multivector`	6	6	100.0%
`mutfilter`	6	6	100.0%
`mxss`	5	5	100.0%
`navsink`	6	6	100.0%
`nestedctx`	6	6	100.0%
`nestedfilter`	6	6	100.0%
`nonce`	4	4	100.0%
`noscript`	4	4	100.0%
`numericcontext`	6	6	100.0%
`obfuscation`	6	6	100.0%
`opener`	2	2	100.0%
`partialencode`	6	6	100.0%
`path`	4	4	100.0%
`pathxss`	6	6	100.0%
`payloadfilt`	6	6	100.0%
`pdiff`	6	6	100.0%
`polyctx`	6	6	100.0%
`polyglot`	3	3	100.0%
`popover`	3	3	100.0%
`post`	2	2	100.0%
`postmethod`	6	6	100.0%
`racecon`	4	4	100.0%
`realworld`	16	16	100.0%
`realworld_input`	8	8	100.0%
`recfilt`	6	6	100.0%
`redirect`	4	4	100.0%
`redirectxss`	6	6	100.0%
`referrer`	2	2	100.0%
`regexbypass`	8	8	100.0%
`regexfilt`	6	6	100.0%
`reparse`	5	5	100.0%
`replacementfilter`	6	6	100.0%
`respheader`	6	6	100.0%
`rsplit`	4	4	100.0%
`rwpattern`	6	6	100.0%
`sanitizer`	12	12	100.0%
`scanbounty`	8	8	100.0%
`scriptgadget`	6	6	100.0%
`semantictag`	6	6	100.0%
`seoctx`	6	6	100.0%
`service`	2	2	100.0%
`shadow`	5	5	100.0%
`sink`	8	8	100.0%
`slot`	4	4	100.0%
`social`	6	6	100.0%
`specialchar`	6	6	100.0%
`specialtag`	8	8	100.0%
`srcdoc`	5	5	100.0%
`srcset`	4	4	100.0%
`storage`	2	2	100.0%
`stored`	4	4	100.0%
`stream`	3	3	100.0%
`svg`	6	6	100.0%
`svgctx`	6	6	100.0%
`tablecontext`	6	6	100.0%
`tagattrmix`	6	6	100.0%
`template`	6	6	100.0%
`timing`	6	6	100.0%
`tplel`	4	4	100.0%
`tplinject`	6	6	100.0%
`truncation`	6	6	100.0%
`trustedtypes`	5	5	100.0%
`unicode`	6	6	100.0%
`url`	6	6	100.0%
`waf`	16	16	100.0%
`wafv2`	6	6	100.0%
`websocket`	7	7	100.0%
`whitespace`	6	6	100.0%
`worker`	4	4	100.0%
`wrappercontext`	6	6	100.0%
`xmlctx`	6	6	100.0%
`bugbounty`	10	9	90.0%
`prototype`	10	9	90.0%
`modern`	32	27	84.4%
`edgefilter`	6	5	83.3%
`encodingedge`	6	5	83.3%
`json`	6	4	66.7%
`storedpat`	6	1	16.7%
`jf`	1	0	0.0%
`xsleak`	5	0	0.0%
Total	1036	1014	97.9%

Generated 2026-06-20T12:16:01Z · image ghcr.io/hahwul/xssmaze:main (ghcr.io/hahwul/xssmaze@sha256:9311b1693a75b72310a53852f72616e2bf11282a4b53cd2fe5fdf114aba0fb30) · run just xssmaze-score to refresh.

Methodology

Targets: every endpoint returned by XSSMaze's /map/json, grouped by its catalog type (category).
Per-endpoint scan: Dalfox is pointed at the exact injection point the catalog declares (query, body, header, or path), with parameter mining disabled (--skip-mining); discovery and reflection checks stay on so header/path cases still resolve.
Detected: an endpoint counts as detected when Dalfox returns at least one finding (verified, reflected, or AST-DOM).
Verified: the subset where Dalfox confirmed execution in the parsed DOM (finding type V).
Rate: detected / endpoints, per category and overall.

Each snapshot is pinned to the Dalfox version that produced it and the exact XSSMaze image digest, both shown beneath the table. The raw data lives in docs/data/xssmaze-score.json.

Reading the numbers

A high rate in a category means Dalfox reliably reaches and confirms those sinks; a low rate flags contexts worth investing in next. Because the scan targets the known injection point and skips mining, this measures Dalfox's detection and verification capability rather than its parameter-discovery breadth; discovery is exercised separately by the functional test suite. Scores move as both Dalfox and XSSMaze evolve, so always read them alongside the versions stamped under the table.