Dalfox is a DOM (Document Object Model) parser-based parameter analysis and Cross-site Scripting (XSS) scanner. SQL injection (SQLi), Server-Side Template Injection (SSTI), and open-redirects are all tested with the XSS Dalfox. Dalfox is a language-based tool written in the Golang programming language. On the target web application, Dalfox can detect reflected, saved, and blind XSS. The main idea is to look at arguments, look for XSS, and validate them using the DOM Parser.
- To detect reflected parameters, Dalfox uses Parameter Analysis.
- Dalfox locates free/evil characters and determines the injection point.
- Dalfox does static analysis and looks for problematic headers such as CSP, X-Frame Options, and so forth.
- Dalfox performs payload optimization queries, checks the injection point via abstraction, and creates a suited payload.
- Dalfox filters out unneeded payloads depending on the incorrect char.
Disclaimer: The intended use for the tool is strictly educational and should not be used for any other purpose.
Download Link: https://github.com/hahwul/dalfox