Dalfox

Finder Of XSS, and Dal is the Korean pronunciation of moon.

Introduction

DalFox is a fast, powerful parameter analysis and XSS scanner based on a Go DOM parser. It supports pipelines, CI/CD integration, and testing of different types of XSS. About the name: Dal(달) is the Korean pronunciation of moon, and Fox stands for Finder Of XSS.

Installation and Update

Using Homebrew

Homebrew is the package manager for macOS (and Linux). On systems that use Homebrew, you can install and update dalfox with the brew command.

Install homebrew

$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Install dalfox

$ brew tap hahwul/dalfox
$ brew install dalfox

Update dalfox

$ brew upgrade dalfox

Using Snapcraft

Snapcraft is one of the package managers for Linux. Unlike apt and yum, it can be used independently of the distribution's OS version.

Install Snapcraft

See the snapd installation guide: https://snapcraft.io/docs/installing-snapd

Install dalfox

$ sudo snap install dalfox

Update dalfox

$ sudo snap refresh dalfox

From source (development version)

Using go get

$ go get -u github.com/hahwul/dalfox

Updating is done with the same command as installing.

Using git clone, go build and go install

# clone the repo (first-time installation)
$ git clone https://github.com/hahwul/dalfox

# to update an existing clone, run `git pull -v` inside it instead

# inside the cloned directory: install the binary into GOPATH/bin
$ go install

# or build the binary in the current directory
$ go build

Using Docker

Dalfox provides Docker images per version. The image is lightweight and needs little disk space.

$ docker pull hahwul/dalfox:latest

After pulling the image, run dalfox like this:

$ docker run -it hahwul/dalfox:latest /app/dalfox url https://www.hahwul.com

or start a shell inside the container and run dalfox from there:

$ docker run -it hahwul/dalfox:latest /bin/bash
$ ./dalfox

Format of PoC

This is a sample PoC log. Each PoC line carries several information fields along with the PoC code. The separator between the information fields and the PoC code is a blank (a single space).

[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E

Identity  Type  Information                      BLANK  PoC Code
POC       G     BUILT-IN/dalfox-error-mysql/GET         http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
POC       R     GET                                     http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
POC       V     GET                                     http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E

  • Type: G (Grep), R (Reflected), V (Verify)
  • Information: HTTP method, grep name, etc.

Why the blank? It makes it easy to extract only the PoC code with tools such as cut. For example:

$ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff | cut -d " " -f 2 > output
$ cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E
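The cut one-liner above throws the Type and Information fields away. When dalfox output feeds a CI gate or a ticketing script, you usually want all of them, plus the name of the parameter the PoC actually hit. The following Go program is an added example, not dalfox's own code: it parses PoC lines on the first blank exactly as the format describes, rejects lines that are not PoC lines, tallies findings by Type, and reports which query parameter carries the dalfox marker after URL-decoding. The two PoC lines are the ones shown in the documentation above; the non-PoC line is a constructed stand-in for dalfox's other log output.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Finding is one parsed dalfox PoC line: the bracketed information fields
// and the PoC code that follows the first blank.
type Finding struct {
	Identity string // "POC"
	Type     string // G (Grep), R (Reflected), V (Verify)
	Info     string // HTTP method, grep name, etc.
	PoC      string // PoC code (URL), verbatim
}

// ParsePoCLine splits a dalfox PoC log line into its information fields and
// the PoC code. Lines that do not start with "[POC]" (status or system
// messages on the same stdout) are rejected.
func ParsePoCLine(line string) (Finding, bool) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "[POC]") {
		return Finding{}, false
	}
	// The first blank separates the information block from the PoC code,
	// which is why `cut -d " " -f 2` works on these lines.
	sep := strings.IndexByte(line, ' ')
	if sep < 0 {
		return Finding{}, false
	}
	head, poc := line[:sep], strings.TrimSpace(line[sep+1:])
	// head looks like "[POC][V][GET]": strip the outer brackets, split on "][".
	fields := strings.Split(strings.TrimSuffix(strings.TrimPrefix(head, "["), "]"), "][")
	if len(fields) != 3 || poc == "" {
		return Finding{}, false
	}
	return Finding{Identity: fields[0], Type: fields[1], Info: fields[2], PoC: poc}, true
}

// InjectedParams returns the query parameter names whose URL-decoded value
// contains the "dalfox" marker, i.e. the inputs the PoC targets. That is the
// first thing a triager needs: which parameter's output encoding to fix.
func InjectedParams(poc string) []string {
	u, err := url.Parse(poc)
	if err != nil {
		return nil
	}
	var names []string
	for name, values := range u.Query() {
		for _, v := range values {
			if strings.Contains(strings.ToLower(v), "dalfox") {
				names = append(names, name)
				break
			}
		}
	}
	sort.Strings(names)
	return names
}

// CountByType tallies parsed findings by their Type letter so a report can
// separate verified XSS (V) from reflections (R) and grep matches (G).
func CountByType(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if f, ok := ParsePoCLine(l); ok {
			counts[f.Type]++
		}
	}
	return counts
}

func main() {
	// The two PoC lines from the documentation sample, plus one constructed
	// non-PoC line to show that it is ignored.
	sample := []string{
		"[*] constructed status line, not a PoC",
		"[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox",
		"[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E",
	}
	for _, l := range sample {
		f, ok := ParsePoCLine(l)
		if !ok {
			continue
		}
		fmt.Printf("type=%s info=%s params=%v\n", f.Type, f.Info, InjectedParams(f.PoC))
	}
	fmt.Println("counts:", CountByType(sample))
}
```

In a pipeline you would read stdin line by line instead of the embedded sample and, for example, fail the build only when counts["V"] is non-zero, since V lines are the ones dalfox has verified rather than merely grepped or seen reflected.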

Usage

Dalfox is configured with commands and flags.

$ dalfox [command] [flags]
Available Commands:
  file        Use file mode(targets list or rawdata)
  help        Help about any command
  pipe        Use pipeline mode
  server      Start API Server
  sxss        Use Stored XSS mode
  url         Use single target mode
  version     Show version

Flags:
  -b, --blind string              Add your blind xss (e.g -b hahwul.xss.ht)
      --config string             Using config from file
  -C, --cookie string             Add custom cookie
      --custom-payload string     Add custom payloads from file
  -d, --data string               Using POST Method and add Body data
      --delay int                 Milliseconds between send to same host (1000==1s)
      --follow-redirects          Following redirection
      --format string             Stdout output format(plain/json) (default "plain")
      --found-action string       If found weak/vuln, action(cmd) to next
      --grep string               Using custom grepping file (e.g --grep ./samples/sample_grep.json)
  -H, --header string             Add custom headers
  -h, --help                      help for dalfox
      --ignore-return string      Ignore scanning from return code (e.g --ignore-return 302,403,404)
  -X, --method string             Force overriding HTTP Method (e.g -X PUT)
      --mining-dict               Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
      --mining-dict-word string   Custom wordlist file for param mining (e.g --mining-dict-word word.txt)
      --mining-dom                Find new parameter in DOM (attribute/js value) (default true)
      --no-color                  Not use colorize
      --no-spinner                Not use spinner
      --only-discovery            Only testing parameter analysis (same '--skip-xss-scanning' option)
  -o, --output string             Write to output file
  -p, --param string              Only testing selected parameters
      --proxy string              Send all request to proxy server (e.g --proxy http://127.0.0.1:8080)
      --silence                   Not printing all logs
      --skip-bav                  Skipping BAV(Basic Another Vulnerability) analysis
      --skip-mining-all           Skipping ALL parameter mining
      --skip-mining-dict          Skipping Dict base parameter mining
      --skip-mining-dom           Skipping DOM base parameter mining
      --skip-xss-scanning         Skipping XSS Scanning (same '--only-discovery' option)
      --timeout int               Second of timeout (default 10)
      --user-agent string         Add custom UserAgent
  -w, --worker int                Number of worker (default 100)

Modes(commands)

Dalfox supports a total of five modes (url / pipe / file / sxss / server).

Each mode has the following purpose.

url mode

url mode scans a single URL for XSS.

$ dalfox url {TARGET-URL}

e.g.

$ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff

pipe mode

pipe mode scans multiple URLs. It reads targets from standard input, so it can be chained with other tools through a pipeline.

$ dalfox pipe

e.g.

$ cat urls.txt | dalfox pipe

file mode

file mode scans multiple URLs from a list, or scans based on a raw request file exported from Burp Suite/ZAP. The input is a filename.

$ dalfox file {FILENAME}

If the file is a list of URLs, dalfox scans them just like pipe mode; with the --rawdata option it treats the file as a raw request, parses it, and tests it.

  • scanning URLs from a file
    $ dalfox file urls.txt

  • scanning from a Burp/ZAP raw request file
    $ dalfox file req.raw --rawdata

sxss mode

sxss mode makes it easier to identify stored XSS. The default behavior is the same as url mode, but you can specify a separate URL to verify against, and the --sequence option generates a dynamic verification URL for cases where the verification URL changes.

$ dalfox sxss {TARGET-URL} --trigger {VERIFY_URL}

e.g.

$ dalfox sxss https://test.url.local/update_profile -d "nickname=abc" --trigger "https://test.url.local/my_profile"

server mode

server mode is a REST API mode designed for scalability. In this mode dalfox runs as a REST API server, and scans can be triggered with web requests.

$ dalfox server

e.g.

$ dalfox server --host 0.0.0.0 --port 8090

Swagger UI is also supported.

Tips for dalfox

Articles

Oneliner

  • Scanning XSS from host / from @cihanmehmet in awesome-oneliner-bugbounty
    $ gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe | tee result.txt