DalFox (Finder Of XSS)

Finder Of XSS, and Dal is the Korean pronunciation of moon.

What is DalFox 🌘🦊

DalFox is a fast, powerful parameter analysis and XSS scanner based on a Go DOM parser. It supports friendly pipeline use, CI/CD integration, and testing of different types of XSS. About the name: Dal (달) is the Korean pronunciation of moon, and Fox stands for Finder Of XSS.

Key features

Modes: url, sxss, pipe, file, server

| Class | Key Feature | Description |
|---|---|---|
| Discovery | Parameter analysis | Find reflected params<br>Find alive/bad special chars, event handlers and attack code<br>Identify injection points (HTML/JS/Attribute): `inHTML-none`, `inJS-none`, `inJS-double`, `inJS-single`, `inJS-backtick`, `inATTR-none`, `inATTR-double`, `inATTR-single` |
| | Static analysis | Check for bad headers (CSP, XFO, etc.) on a request/response basis |
| | BAV analysis | Test BAV (Basic Another Vulnerability), e.g. SQLi, SSTI, open redirects |
| | Parameter mining | Find new params with a dictionary attack (default is GF-Patterns)<br>Support a custom dictionary file (`--mining-dict-word`)<br>Find new params from the DOM |
| | Built-in grepping | Identify basic info leaks such as SSTI, credentials, SQL errors, and so on |
| Scanning | XSS scanning | Reflected XSS / stored XSS<br>DOM-based verifying<br>Blind XSS testing via param and header (`-b`, `--blind`)<br>Test only selected parameters (`-p`, `--param`)<br>Run only parameter analysis (`--only-discovery`) |
| | Friendly pipeline | Single URL mode (`dalfox url`)<br>From file mode (`dalfox file urls.txt`)<br>From IO (pipeline) mode (`dalfox pipe`)<br>From raw HTTP request file mode (`dalfox file raw.txt --rawdata`) |
| | Optimization of payload queries | Check the injection point through abstraction and generate the fitting payloads<br>Eliminate unnecessary payloads based on bad chars |
| | Encoder | All test payloads (built-in, your custom/blind) are tested in parallel with the encoder<br>Double URL encoder<br>HTML hex encoder |
| | Sequence | Auto-check the special page for stored XSS (`--trigger`)<br>`--sequence` option for stored XSS, sxss mode only |
| HTTP | HTTP options | Override HTTP method (`-X`, `--method`)<br>Follow redirects (`--follow-redirects`)<br>Add header (`-H`, `--header`)<br>Add cookie (`-C`, `--cookie`)<br>Add User-Agent (`--user-agent`)<br>Set timeout (`--timeout`)<br>Set delay (`--delay`)<br>Set proxy (`--proxy`)<br>Ignore return codes (`--ignore-return`) |
| Concurrency | Worker | Set the number of workers (`-w`, `--worker`) |
| | N * hosts | Multicast mode (`--multicast`), file / pipe mode only |
| Output | Output | Only the PoC code and useful information is written to stdout<br>Save output (`-o`, `--output`) |
| | Format | JSON / plain (`--format`) |
| | Printing | Silence mode (`--silence`)<br>Optionally disable color (`--no-color`)<br>Optionally disable the spinner (`--no-spinner`) |
| Extensibility | REST API | API server and Swagger (`dalfox server`) |
| | Found action | Specify the action to take when a finding is detected, e.g. notify (`--found-action`) |
| | Custom grepping | Grep responses with custom regular expressions<br>Deduplicates repeated detections (`--grep`) |
| | Custom payloads | Use a custom payload list file (`--custom-payload`) |
| Package | Package manager | Homebrew with tap<br>Snapcraft |
| | Docker env | Docker Hub<br>GitHub package of Docker |

And the various options required for the testing :D

How to Install

You can find some additional installation variations in the Installation Guide.

Usage

```
$ dalfox [mode] [flags]

Modes:
  file        Use file mode(targets list or rawdata)
  help        Help about any command
  pipe        Use pipeline mode
  server      Start API Server
  sxss        Use Stored XSS mode
  url         Use single target mode
  version     Show version

Global Flags:
  -b, --blind string              Add your blind xss (e.g -b hahwul.xss.ht)
      --config string             Using config from file
  -C, --cookie string             Add custom cookie
      --custom-payload string     Add custom payloads from file
  -d, --data string               Using POST Method and add Body data
      --delay int                 Milliseconds between send to same host (1000==1s)
      --follow-redirects          Following redirection
      --format string             Stdout output format(plain/json) (default "plain")
      --found-action string       If found weak/vuln, action(cmd) to next
      --grep string               Using custom grepping file (e.g --grep ./samples/sample_grep.json)
  -H, --header string             Add custom headers
  -h, --help                      help for dalfox
      --ignore-return string      Ignore scanning from return code (e.g --ignore-return 302,403,404)
  -X, --method string             Force overriding HTTP Method (e.g -X PUT)
      --mining-dict               Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
      --mining-dict-word string   Custom wordlist file for param mining (e.g --mining-dict-word word.txt)
      --mining-dom                Find new parameter in DOM (attribute/js value) (default true)
      --no-color                  Not use colorize
      --no-spinner                Not use spinner
      --only-discovery            Only testing parameter analysis (same '--skip-xss-scanning' option)
  -o, --output string             Write to output file
  -p, --param string              Only testing selected parameters
      --proxy string              Send all request to proxy server (e.g --proxy http://127.0.0.1:8080)
      --silence                   Not printing all logs
      --skip-bav                  Skipping BAV(Basic Another Vulnerability) analysis
      --skip-mining-all           Skipping ALL parameter mining
      --skip-mining-dict          Skipping Dict base parameter mining
      --skip-mining-dom           Skipping DOM base parameter mining
      --skip-xss-scanning         Skipping XSS Scanning (same '--only-discovery' option)
      --timeout int               Second of timeout (default 10)
      --user-agent string         Add custom UserAgent
  -w, --worker int                Number of worker (default 100)

Server Flags:
  -h, --help          help for server
      --host string   Bind address (default "0.0.0.0")
      --port int      Bind Port (default 6664)

Pipe Flags:
  -h, --help        help for pipe
      --multicast   Scanning N*Host mode

File Flags:
  -h, --help        help for file
      --http        Using force http on rawdata mode
      --multicast   Scanning N*Host mode
      --rawdata     Using req rawdata from Burp/ZAP

SXSS Flags:
  -h, --help             help for sxss
      --mass             Testing mass vector (comming soon)
      --sequence int     Set sequence to first number (e.g --trigger https://~/view?no=SEQNC --sequence 3) (default -1)
      --trigger string   Checking this url after inject sxss code (e.g --trigger https://~~/profile)
```

Single target mode

```
$ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://hahwul.xss.ht
```

Multiple target mode from file

```
$ dalfox file urls_file --custom-payload ./mypayloads.txt
```

Pipeline mode

```
$ cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"
```

For other tips, see the wiki for detailed instructions!

POC format

Sample PoC log:

```
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
```

Format

| Identity | Type | Information | BLANK | PoC Code |
|---|---|---|---|---|
| POC | G | BUILT-IN/dalfox-error-mysql/GET | | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox |
| POC | R | GET | | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E |
| POC | V | GET | | http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E |

  • Type: G (Grep), R (Reflected), V (Verify)
  • Information: method, grepping name, etc.

Why is there a gap? The blank is deliberate: it makes it easy to extract only the PoC code with tools such as cut. For example:

```
$ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff | cut -d " " -f 2 > output
$ cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E
```
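The same gap-separated layout is just as easy to parse in a program, which matters once you want to keep the Type and Information columns instead of throwing them away with cut. The following Go program is an added example and not part of DalFox's own code: it parses lines in the `[POC][Type][Information] code` format described above into a struct, skips non-PoC lines, and filters by Type (for instance only the DOM-verified `V` findings for triage). The sample output, including the status line in it, is constructed for the example, and the field names follow the Format table.

```go
package main

import (
	"fmt"
	"strings"
)

// PoC is one parsed DalFox PoC line. Field names follow the README's
// "Identity / Type / Information / PoC Code" table.
type PoC struct {
	Identity    string // always "POC" for PoC lines
	Type        string // G (Grep), R (Reflected), V (Verify)
	Information string // method, grepping name, etc.
	Code        string // the PoC URL
}

// sampleOutput is constructed sample output in the README's format
// (not captured from a real scan). The first line is a non-PoC status
// line, included to show why a parser must filter on the identity.
const sampleOutput = `[*] constructed status line, not a PoC
[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
`

// ParsePoCLine parses a single "[POC][T][Info] code" line.
// It returns ok=false for anything that is not a well-formed PoC line.
func ParsePoCLine(line string) (PoC, bool) {
	line = strings.TrimSpace(line)
	// The gap after the bracketed header is what `cut -d " " -f 2`
	// relies on. Split on the first space only, so the PoC code
	// is kept whole even if it were to contain spaces.
	head, code, found := strings.Cut(line, " ")
	if !found || !strings.HasPrefix(head, "[POC]") || !strings.HasSuffix(head, "]") {
		return PoC{}, false
	}
	// Strip the outer brackets and split the groups on "][".
	inner := strings.TrimSuffix(strings.TrimPrefix(head, "["), "]")
	fields := strings.Split(inner, "][")
	if len(fields) != 3 {
		return PoC{}, false
	}
	return PoC{Identity: fields[0], Type: fields[1], Information: fields[2], Code: code}, true
}

// ParsePoCs parses multi-line scanner output and returns only PoC lines.
func ParsePoCs(output string) []PoC {
	var pocs []PoC
	for _, line := range strings.Split(output, "\n") {
		if p, ok := ParsePoCLine(line); ok {
			pocs = append(pocs, p)
		}
	}
	return pocs
}

// CodesOfType mirrors the README's cut pipeline but keeps only one
// Type, e.g. "V" for verified findings.
func CodesOfType(pocs []PoC, typ string) []string {
	var out []string
	for _, p := range pocs {
		if p.Type == typ {
			out = append(out, p.Code)
		}
	}
	return out
}

func main() {
	pocs := ParsePoCs(sampleOutput)
	for _, p := range pocs {
		fmt.Printf("type=%s info=%s code=%s\n", p.Type, p.Information, p.Code)
	}
	fmt.Println("verified:", CodesOfType(pocs, "V"))
}
```

In a real pipeline you would feed `dalfox ... --format plain` output into `ParsePoCs` instead of the constructed constant; `--format json` is the better choice when the consumer is already a program, but this parser is useful for logs that were captured in the default plain format.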

Screenshots

[screenshot: Single URL Scanning]
[screenshot: API Server and Swagger]
[screenshot: Built-in and Custom Grepping]
[screenshot: Pipeline Scanning]

Contribute

Wiki