Dalfox β Hacker Tools: XSS Scanning Made Easy π©βπ»
By Anna Hammond
September 14, 2021
Last updated on March 6, 2025
Finding XSS can sometimes be a repetitive and laborious task. Many attempts at automating the process have been made, yet very little actually come close to getting it right. Today, weβre covering Dalfox, a tool that did get it right. Letβs find some cross-site scripting vulnerabilities!
πββοΈ What is Dalfox?
DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parser. supports friendly Pipeline, CI/CD and testing of different types of XSS. I talk about naming. Dal(λ¬) is the Korean pronunciation of moon and fox was made into Fox(Find Of XSS).
Dalfox README.MD
This tool can be used to find reflected parameters, identify injection points, check for bad headers and even check for basic other vulnerabilities such as SQLI, SSTI, open redirects and CRLF.
Additionally the tool can mine parameters by brute forcing them, but also through the DOM. It will look through the output to grep for SSTI, credential leaks, SQL errors and such.
It doesnβt only scan for reflected XSS though! The tool can also find stored or DOM based XSS vulnerabilities. Once it has identified an injection point, it has the ability to find a fitting payload to give you that sweet, sweet alert popup. It does this by analyzing disallowed characters, encodings and such.
How well is it fit for bug bounty hunters? Well, Dalfox has a bunch of options that you may want to use, such as setting a specific user-agent or delaying requests. This way, you can adhere to the rules of the program youβre hunting on!
Thereβs way more to discover, but thatβs the joy of playing around with a new tool! Use it, tune it and enjoy!
π·ββοΈ Setting up DalFox
Installing this Go tool is very easy. Firstly, we clone the repository. After that, we can use go install and go build to get our very own Dalfox binary!
git clone https://github.com/hahwul/dalfox
cd dalfox
go install
go buildπ±βπ Our first scan
Check out the video below for an example of a scan!
π§ Conclusion
Dalfox is a powerful tool to help you get more efficient at finding XSS vulnerabilities. It wonβt do wonders, but itβs a great way to start and limit the places you need to manually look through.
If you would like to recommend a tool for us to cover next week, then be sure to let us know down below. Also be sure to check outΒ all the previous Hacker Tools articles, such asΒ the last one on KiteRunner.
Did you know that there is a video accompanying this article? Check outΒ the playlist!
You may also like
April 30, 2026
Exploiting SQL injection vulnerabilities
Most assume that SQL injection is a solved problem in today's application landscape, especially with increased awareness of secure coding practices (such as resorting to prepared statements or parameterized queries) and the widespread adoption of NoSQL databases. However, in practice, SQLi vulnerabi
April 1, 2026
BugQuest 2026: 31 Days of Broken Access Control
In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of th
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. This month's challenge, brought forward by Kulindu, presented us with a Secure Search Portal that, on the surface, appeared to be well protected. A strict Content Secu