Dalfox | XSS Automatic Vulnerability Scanner

Anonim

This article covers Dalfox, an automatic XSS vulnerability scanner. Readers will learn what the tool can do to identify weaknesses in the protection of web applications.

Introduction

Dalfox is a fast and powerful XSS (cross-site scripting) vulnerability scanner built on top of a DOM parser. Besides finding XSS issues, it has additional features for testing a web application for SQLi, SSTI and Open Redirect. The scanner can detect several types of XSS vulnerabilities: Reflected, Stored and Blind.

Installing the Dalfox scanner

There are several ways to install the program. One of the most popular is installation with Homebrew.

Installation using Snapcraft

This installation method requires Snapcraft. Readers can check whether Snap is present on their system by running the snap command. If Snap has not been installed before, follow the link below to install it, then run:

sudo snap install dalfox

To install Dalfox with either of the following two methods, the user needs a recent version of the Go programming language. The installed version can be checked with the go version command. If Go is not yet installed, follow the link below to install it.

Installing from the original source with Go

GO111MODULE=on go get -v github.com/hahwul/dalfox/v2

Installing from GitHub with Go

git clone https://github.com/hahwul/dalfox
cd dalfox
go build

Installation with Docker

docker pull hahwul/dalfox:latest

To scan a URL from the container, readers run the following command:

docker run -it hahwul/dalfox:latest /app/dalfox url https://www.hahwul.com

The method below works only on macOS.

Installation with Homebrew

brew tap hahwul/dalfox
brew install dalfox

How Dalfox works

Scanning a specific URL

dalfox url http://testphp.vulnweb.com/listProducts.php

Scanning a set of URLs

Dalfox can also scan multiple URLs in one run. The list can be piped into the pipe mode:

cat samples/sample_target.txt | dalfox pipe

or

dalfox file ./samples/sample_target.txt

The user can first run the ParamSpider tool to collect URLs with specific parameters, and then feed those URLs into Dalfox to obtain more targeted scan results.
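As an added example (not code from the article or from the Dalfox project), the shell functions below prepare a URL list for the pipe mode shown above: they keep only URLs that actually carry a query string, since Dalfox injects into parameters, drop blanks and duplicates, and only then hand the list to dalfox pipe. The sample list is constructed here for illustration.

```bash
#!/usr/bin/env bash
# Added example: tidy a URL list before piping it into `dalfox pipe`.
set -e

# prep_targets FILE
# Keeps only http(s) URLs with a query string, strips CR line endings
# and blank lines, and deduplicates. LC_ALL=C gives a stable byte order.
prep_targets() {
  tr -d '\r' < "$1" | grep -E '^https?://[^ ]+\?[^ ]+' | LC_ALL=C sort -u
}

# scan_targets FILE [extra dalfox flags...]
# Feeds the prepared list to dalfox pipe; fails clearly if dalfox is absent.
scan_targets() {
  local file="$1"
  shift
  if ! command -v dalfox >/dev/null 2>&1; then
    echo "dalfox not found in PATH" >&2
    return 127
  fi
  prep_targets "$file" | dalfox pipe "$@"
}

# make_sample_list FILE
# Writes a constructed target list: one duplicate, one blank line and one
# URL without parameters, all of which prep_targets should remove.
make_sample_list() {
  cat > "$1" <<'EOF'
http://testphp.vulnweb.com/listProducts.php?cat=1
http://testphp.vulnweb.com/listProducts.php?cat=1
http://testphp.vulnweb.com/index.php
https://example.com/search?q=test&page=2

http://testphp.vulnweb.com/artists.php?artist=1
EOF
}

# Usage when run directly: prepare the constructed list and show the result.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  tmp="$(mktemp)"
  make_sample_list "$tmp"
  prep_targets "$tmp"
  rm -f "$tmp"
fi
```

Replace the constructed list with the output of ParamSpider, or your own crawl, and call scan_targets to pass the cleaned list on to Dalfox.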

Conclusion

Summing up, Dalfox is a quick tool for finding XSS and other common web application vulnerabilities. It produces few false positives and has additional features for detecting several other types of security problems.

Important! This information is provided solely for academic purposes. Please comply with the law and do not use this information for illegal purposes.
