
Linux command

dalfox command

Network

After copying a command, replace the file names, directories, or parameters as needed.

Common examples

Scan a URL

dalfox url [https://example.com?q=test]

Scan with custom payloads

dalfox url [https://example.com?q=test] --custom-payload [payloads.txt]

Scan multiple URLs

dalfox file [urls.txt]

Pipe URLs

cat [urls.txt] | dalfox pipe

Use blind XSS

dalfox url [https://example.com?q=test] --blind [https://your.xss.ht]

Output results

dalfox url [https://example.com?q=test] -o [results.json] --format json

Description

dalfox is an open-source XSS (Cross-Site Scripting) vulnerability scanner and parameter analyzer. It finds reflected, stored, and DOM-based XSS through automated testing: it first analyzes parameters to identify injection points, then tests them against a comprehensive payload database. It supports blind XSS detection via an external callback server and integrates with other security tools through piped input. Additional features include DOM rendering analysis, WAF detection and evasion, and payload mutation. It is intended for penetration testers and security researchers conducting authorized security assessments.
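Scanner output is only useful once it is turned into a remediation list. The following added example (not dalfox's own code) reads a JSON results file such as the one produced by `dalfox ... -o results.json --format json` and groups findings by endpoint and parameter, ranking by severity and noting whether dalfox marked the finding as verified. It assumes dalfox's PoC record fields (`type`, `inject_type`, `method`, `data`, `param`, `payload`, `evidence`, `severity`) and the `V` (verified) / `R` (reflected) type codes; check these against your own dalfox version. The sample records are constructed and use a `<PAYLOAD>` placeholder instead of real payload strings.

```python
"""Triage dalfox JSON findings into a per-endpoint remediation summary.

Added example, not part of the dalfox project. Field names and type
codes below are assumptions about dalfox's PoC records.
"""
import json
from urllib.parse import urlsplit

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample: dalfox output written as a JSON array (-o ... --format json).
SAMPLE_JSON_ARRAY = """[
  {"type": "V", "inject_type": "inHTML-URL", "poc_type": "plain", "method": "GET",
   "data": "https://example.com/search?q=<PAYLOAD>", "param": "q",
   "payload": "<PAYLOAD>", "evidence": "reflected in body", "cwe": "CWE-79", "severity": "High"},
  {"type": "R", "inject_type": "inATTR-double(URL)", "poc_type": "plain", "method": "GET",
   "data": "https://example.com/search?q=<PAYLOAD>", "param": "q",
   "payload": "<PAYLOAD>", "evidence": "reflected in attribute", "cwe": "CWE-79", "severity": "Medium"},
  {"type": "V", "inject_type": "inJS-double", "poc_type": "plain", "method": "GET",
   "data": "https://example.com/profile?name=<PAYLOAD>", "param": "name",
   "payload": "<PAYLOAD>", "evidence": "reflected in script", "cwe": "CWE-79", "severity": "High"}
]"""

# Constructed sample: one record per line, mixed with a non-JSON status line
# as happens when stdout is captured instead of using -o.
SAMPLE_JSON_LINES = """[*] Target: https://example.com/search?q=test (constructed status line)
{"type": "R", "inject_type": "inHTML-URL", "method": "GET", "data": "https://example.com/search?q=<PAYLOAD>", "param": "q", "payload": "<PAYLOAD>", "severity": "Medium"}
{"type": "G", "inject_type": "inHTML-URL", "method": "GET", "data": "https://example.com/search?q=<PAYLOAD>", "param": "q", "payload": "<PAYLOAD>", "severity": "Low"}
"""


def parse_dalfox_json(text):
    """Return a list of PoC dicts from either a JSON array or JSON Lines text."""
    stripped = text.strip()
    try:
        data = json.loads(stripped)
        records = data if isinstance(data, list) else [data]
    except json.JSONDecodeError:
        # Fall back to line-oriented parsing, skipping banner/status lines.
        records = []
        for line in stripped.splitlines():
            line = line.strip()
            if not line.startswith("{"):
                continue
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return [r for r in records if isinstance(r, dict) and "param" in r]


def summarize(findings):
    """Group findings by (host+path, parameter); keep the worst severity seen."""
    summary = {}
    for f in findings:
        url = urlsplit(f.get("data", ""))
        key = (url.netloc + url.path, f.get("param", ""))
        entry = summary.setdefault(
            key, {"count": 0, "max_severity": "Low", "inject_types": set(), "verified": False}
        )
        entry["count"] += 1
        entry["inject_types"].add(f.get("inject_type", "unknown"))
        if f.get("type") == "V":  # assumed: "V" = verified by dalfox
            entry["verified"] = True
        sev = f.get("severity", "Low")
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(entry["max_severity"], 0):
            entry["max_severity"] = sev
    return summary


def render_report(summary):
    """One line per endpoint/parameter, highest severity first."""
    ordered = sorted(
        summary.items(),
        key=lambda kv: (-SEVERITY_RANK.get(kv[1]["max_severity"], 0), kv[0]),
    )
    lines = []
    for (location, param), entry in ordered:
        status = "verified" if entry["verified"] else "reflected only"
        contexts = ", ".join(sorted(entry["inject_types"]))
        lines.append(
            f"{entry['max_severity']:<6} {location} param={param} "
            f"findings={entry['count']} ({status}; contexts: {contexts})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(summarize(parse_dalfox_json(SAMPLE_JSON_ARRAY))))
```

Replace `SAMPLE_JSON_ARRAY` with the contents of your `results.json` to run it on real output; the line-oriented fallback lets the same function consume captured stdout from `dalfox pipe` runs.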

Options

--custom-payload _FILE_
Use custom payload file.
--blind _URL_
Blind XSS callback URL.
-o, --output _FILE_
Output file path.
--format _FORMAT_
Output format: plain, json, xml.
--cookie _STRING_
Set cookies for requests.
-H, --header _STRING_
Add custom header.
--proxy _URL_
HTTP proxy to use.
-w, --worker _N_
Number of concurrent workers.
--silence
Suppress all output except results.
--mining-dict
Enable dictionary-based parameter mining.
--mining-dom
Enable DOM-based parameter mining.
--only-custom-payload
Only test custom payloads, skip built-in payloads.
--remote-payloads _SOURCE_
Use remote payloads (portswigger, payloadbox).
--skip-xss-scanning
Skip XSS scanning, only perform parameter analysis.
--poc-type _TYPE_
PoC output format (plain, curl, httpie, http-request).
--help
Display help information.

FAQ

What is the dalfox command used for?

dalfox is an open-source XSS vulnerability scanner and parameter analyzer that finds reflected, stored, and DOM-based XSS through automated testing. It analyzes parameters to identify injection points, tests them with a comprehensive payload database, supports blind XSS via an external callback server, accepts piped input from other tools, and offers DOM rendering analysis, WAF detection and evasion, and payload mutation. It is intended for penetration testers and security researchers conducting authorized assessments.

How do I run a basic dalfox example?

Run `dalfox url [https://example.com?q=test]` in a terminal, then adjust the file names, paths, flags, or target URLs for your own environment.

What does --custom-payload _FILE_ do in dalfox?

It loads XSS test payloads from the given file instead of relying only on the built-in payload set (combine with `--only-custom-payload` to skip the built-in payloads entirely).