Dalfox – Hacker Tools: XSS Scanning Made Easy 👩💻
By Anna Hammond
September 14, 2021
Finding XSS can sometimes be a repetitive and laborious task. Many attempts at automating the process have been made, yet very few actually come close to getting it right. Today, we’re covering Dalfox, a tool that did get it right. Let’s find some cross-site scripting vulnerabilities!
🙋♂️ What is Dalfox?
DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parser. Supports friendly Pipeline, CI/CD and testing of different types of XSS. I talk about naming. Dal(달) is the Korean pronunciation of moon and fox was made into Fox(Find Of XSS).
Dalfox README.MD
This tool can be used to find reflected parameters, identify injection points, check for bad headers and even check for other basic vulnerabilities such as SQLi, SSTI, open redirects and CRLF injection.
Additionally, the tool can mine parameters by brute-forcing them, and also by extracting them from the DOM. It greps the output for SSTI, credential leaks, SQL errors and such.
It doesn’t only scan for reflected XSS though! The tool can also find stored or DOM based XSS vulnerabilities. Once it has identified an injection point, it has the ability to find a fitting payload to give you that sweet, sweet alert popup. It does this by analyzing disallowed characters, encodings and such.
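A simplified illustration of that character analysis, added here and not taken from Dalfox's code: it locates a marked probe in a response and classifies each special character as raw, encoded or stripped, which is also a quick way to check your own output encoding. The marker strings, the function name and the sample response are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Characters whose handling decides whether a reflected value stays inert.
var probeChars = []string{"<", ">", "\"", "'"}

// Constructed sample response: the probe dfx7<>"'xfd7 is reflected twice, once
// fully HTML-encoded and once in an attribute where the quotes were left raw.
const sampleBody = `<html><body>
<p>Results for dfx7&lt;&gt;&#34;&#39;xfd7</p>
<input name="q" value="dfx7&lt;&gt;"'xfd7">
</body></html>`

// AnalyzeReflections finds every prefix...suffix pair in body and reports, per
// reflection, whether each probe character came back raw, encoded or stripped.
func AnalyzeReflections(body, prefix, suffix string) []map[string]string {
	var out []map[string]string
	for rest := body; ; {
		_, after, found := strings.Cut(rest, prefix)
		seg, tail, closed := strings.Cut(after, suffix)
		if !found || !closed {
			return out
		}
		res := map[string]string{}
		for _, c := range probeChars {
			switch {
			case strings.Contains(seg, c):
				res[c] = "raw"
			case strings.Contains(seg, html.EscapeString(c)):
				res[c] = "encoded" // matches only the entity forms Go's html package emits
			default:
				res[c] = "stripped"
			}
		}
		out = append(out, res)
		rest = tail
	}
}

func main() {
	fmt.Println(AnalyzeReflections(sampleBody, "dfx7", "xfd7"))
}
```

Any character reported as raw inside an attribute or tag context is a spot where the application's output encoding needs fixing.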
How well does it fit bug bounty hunters? Well, Dalfox has a bunch of options that you may want to use, such as setting a specific user-agent or delaying requests. This way, you can adhere to the rules of the program you’re hunting on!
There’s way more to discover, but that’s the joy of playing around with a new tool! Use it, tune it and enjoy!
👷♀️ Setting up DalFox
Installing this Go tool is very easy. Firstly, we clone the repository. After that, we can use go install and go build to get our very own Dalfox binary!
git clone https://github.com/hahwul/dalfox
cd dalfox
go install
go build
🐱🏍 Our first scan
Check out the video below for an example of a scan!
🚧 Conclusion
Dalfox is a powerful tool to help you get more efficient at finding XSS vulnerabilities. It won’t do wonders, but it’s a great way to start and limit the places you need to manually look through.
If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check out all the previous Hacker Tools articles, such as the last one on KiteRunner.
Did you know that there is a video accompanying this article? Check out the playlist!
