Hi hackers! Dalfox v2.8 has been released π
There are not many added features this release. But itβs better than before, so I recommend an update :D
Thank you β€οΈ
First, Thank you so much all contributors !!
Release note
- New
- Add
--reportand--report-formatflags
- Add
- Improve
- PA(Parameter Analyasis) Logic
- inJS Scan
- HAR format supported (FILE Mode)
- Improve FILE/PIPE Banner
- Improve JSON Printing
- And Fixed Bugs
Report Flags
You can now view the pretty results through the --report flag.
dalfox url https://xss-game.appspot.com/level1/frame --report
And you can choice report style with --report-format flag.
dalfox url https://xss-game.appspot.com/level1/frame --report --report-format json
Result Object
ParamResult is now added to the Result. In addition to the actual XSS results, you can handle Parameter Analysis results.
type Result struct {
Logs []string `json:"logs"`
PoCs []PoC `json:"pocs"`
Params []ParamResult `json:"params"`
Duration time.Duration `json:"duration"`
StartTime time.Time `json:"start_time"`
EndTime time.Time `json:"end_time"`
}
type ParamResult struct {
Name string
Type string
Reflected bool
ReflectedPoint string
ReflectedCode string
Chars []string
}
Sample code
package main
import (
"fmt"
"encoding/json"
dalfox "github.com/hahwul/dalfox/v2/lib"
)
func main() {
opt := dalfox.Options{
Cookie: "ABCD=1234",
}
result, err := dalfox.NewScan(dalfox.Target{
URL: "https://xss-game.appspot.com/level1/frame",
Method: "GET",
Options: opt,
})
if err != nil {
fmt.Println(err)
} else {
jstring, err := json.MarshalIndent(result, "", " ")
if err == nil {
fmt.Println(string(jstring))
}
}
}
HAR for File Mode
You can now read and scan the HAR(HTTP Archive format) file.
dalfox file ~/target.har --har
Improve InJS
InJS type means that the inserted payload is located inside the Javascript area. Several forms of payloads may exist than HTML areas, and internal logic has been improved for better detection.