Dalfox is a powerful open-source tool that focuses on automation, making it ideal for quickly scanning for XSS flaws and analyzing parameters. Its advanced testing engine and niche features are designed to streamline the process of detecting and verifying vulnerabilities.

• Modes: URL, SXSS, Pipe, File, Server, Payload
• Discovery: Parameter analysis, static analysis, BAV testing, parameter mining
• XSS Scanning: Reflected, Stored, DOM-based, with optimization and DOM/headless verification
• HTTP Options: Custom headers, cookies, methods, proxy, and more
• Output: JSON/Plain formats, silence mode, detailed reports
• Extensibility: REST API, custom payloads, remote wordlists

And the various options required for the testing :D

brew install dalfox

# https://formulae.brew.sh/formula/dalfox

sudo snap install dalfox

A package is available for Nix or NixOS users. Keep in mind that the latest releases might only be present in the unstable channel.

nix-shell -p dalfox

go install github.com/hahwul/dalfox/v2@latest

See Installation guide for details.

dalfox [mode] [target] [flags] 

• Single URL: dalfox url http://example.com -b https://callback
• File Mode: dalfox file urls.txt --custom-payload mypayloads.txt
• Pipeline: cat urls.txt | dalfox pipe -H "AuthToken: xxx"

Check the Usage and Running documents for more examples.

if you want to contribute to this project, please see CONTRIBUTING.md and Pull-Request with cool your contents.

As for the name, Dal(달) is the Korean word for "moon," while "Fox" stands for "Finder Of XSS" or 🦊