Dalfox 2.8 Release πŸš€

Hi hackers! Dalfox v2.8 has been released πŸš€

There are not many added features this release. But it’s better than before, so I recommend an update :D

Thank you ❀️

First, Thank you so much all contributors !!

Thanks to our, this project is getting better and better. Thank you always!

Release note

Github | DockerHub | GHCR

  • New
    • Add --report and --report-format flags
  • Improve
    • PA(Parameter Analyasis) Logic
    • inJS Scan
    • HAR format supported (FILE Mode)
    • Improve FILE/PIPE Banner
    • Improve JSON Printing
  • And Fixed Bugs

Report Flags

You can now view the pretty results through the --report flag.

dalfox url https://xss-game.appspot.com/level1/frame --report

And you can choice report style with --report-format flag.

dalfox url https://xss-game.appspot.com/level1/frame --report --report-format json

Result Object

ParamResult is now added to the Result. In addition to the actual XSS results, you can handle Parameter Analysis results.

type Result struct {
	Logs      []string      `json:"logs"`
	PoCs      []PoC         `json:"pocs"`
	Params    []ParamResult `json:"params"`
	Duration  time.Duration `json:"duration"`
	StartTime time.Time     `json:"start_time"`
	EndTime   time.Time     `json:"end_time"`

type ParamResult struct {
	Name           string
	Type           string
	Reflected      bool
	ReflectedPoint string
	ReflectedCode  string
	Chars          []string

Sample code

package main

import (

	dalfox "github.com/hahwul/dalfox/v2/lib"

func main() {
	opt := dalfox.Options{
		Cookie:     "ABCD=1234",
	result, err := dalfox.NewScan(dalfox.Target{
		URL:     "https://xss-game.appspot.com/level1/frame",
		Method:  "GET",
		Options: opt,
	if err != nil {
	} else {
		jstring, err := json.MarshalIndent(result, "", " ")
		if err == nil {

HAR for File Mode

You can now read and scan the HAR(HTTP Archive format) file.

dalfox file ~/target.har --har

Improve InJS

InJS type means that the inserted payload is located inside the Javascript area. Several forms of payloads may exist than HTML areas, and internal logic has been improved for better detection.