Dalfox 2.7 Released
Hi hackers! Dalfox v2.7 has been released!
There are not many new features in this release, but it is better than before, so I recommend updating. Let's start the review, and have a great holiday!
Thank you ❤️
First, thank you so much to all contributors!
Release notes
- Add BAV Module - ESI Injection
- Support for windows/arm64
- Upgrade Go dependency (1.16 to 1.17)
- Add Severity in PoC Object
- Improve SXSS Mode
- Improve Code Quality
- Improve library interface
- Fixed bugs
- Update Dalfox web page and documentation
Detail Review
Upgrade Go version
I judged that Go 1.17 had stabilized and raised Dalfox's Go dependency from 1.16 to 1.17. Since Go 1.17 is also the release that added the windows/arm64 port, Dalfox can now ship a windows/arm64 binary.
Add BAV Module - ESI Injection
The BAV module, which checks for vulnerabilities other than XSS alongside the XSS scan, now detects ESI (Edge Side Includes) injection. The payload below assigns an ESI variable and references it right afterwards. An origin that merely reflects the parameter leaves the tags as they are, while an ESI-capable edge evaluates them and the response then contains the string <esii-dalfox>, which Dalfox finds with its built-in grepping ([G]):
[G] Found dalfox-esii via built-in grepping / payload: toGrepping
<esii-dalfox>
[POC][G][GET][BUILTIN] https://******************.hahwul.com/esii\?q\=%3Cesi:assign%20name\=%22var1%22%20value\=%22dalfox%22/%3E%3Cesii-%3Cesi:vars%20name\=%22$\(var1\)%22%3E
Add Severity in PoC Object
A severity attribute has been added to the PoC object. Its value is Low, Medium or High, and it is set both for XSS findings and for the other vulnerabilities detected by BAV.
{
  "type": "Type of PoC (G/R/V)",
  "inject_type": "Injected Point",
  "poc_type": "plain/curl/httpie/etc...",
  "method": "HTTP Method",
  "data": "PoC URL",
  "param": "Parameter",
  "payload": "Attack Value",
  "evidence": "Evidence with response body",
  "cwe": "CWE ID",
  "severity": "Severity (Low/Medium/High)"
}
e.g.:
{
  "type": "V",
  "inject_type": "inHTML-URL",
  "poc_type": "plain",
  "method": "GET",
  "data": "http://testphp.vulnweb.com/listproducts.php?cat=%27%22%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E",
  "param": "cat",
  "payload": "'\"><img/src/onerror=.1|alert`` class=dalfox>",
  "evidence": "48 line: syntax to use near ''\"><img/src/onerror=.1|alert`` class=dalfox>' at line 1",
  "cwe": "CWE-79",
  "severity": "High"
}
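An added example of consuming the new field from code, written for this review and not part of Dalfox. It assumes Dalfox's JSON output with one PoC object per line (an assumption about the layout of --format json output), mirrors the documented keys in a local struct, and gates on severity so a pipeline can fail on High findings while keeping Low ones as informational. The first sample line is the PoC shown in this post; the second is a constructed Low-severity reflected finding added for contrast.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PoC mirrors the keys of the Dalfox PoC object documented above. It is declared locally for
// this example (assumption: not imported from the dalfox package), so only the JSON tags matter.
type PoC struct {
	Type       string `json:"type"`
	InjectType string `json:"inject_type"`
	PoCType    string `json:"poc_type"`
	Method     string `json:"method"`
	Data       string `json:"data"`
	Param      string `json:"param"`
	Payload    string `json:"payload"`
	Evidence   string `json:"evidence"`
	CWE        string `json:"cwe"`
	Severity   string `json:"severity"`
}

// SeverityRank orders the three documented levels. Anything unrecognised ranks above High so
// that a typo or a future level can never slip under a gate unnoticed.
func SeverityRank(s string) int {
	switch strings.ToLower(strings.TrimSpace(s)) {
	case "low":
		return 1
	case "medium":
		return 2
	case "high":
		return 3
	default:
		return 4
	}
}

// ParsePoCs decodes JSON Lines output (one PoC object per line); blank lines are skipped and a
// malformed line is reported rather than silently ignored.
func ParsePoCs(jsonl string) ([]PoC, error) {
	var pocs []PoC
	for n, line := range strings.Split(jsonl, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var p PoC
		if err := json.Unmarshal([]byte(line), &p); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		pocs = append(pocs, p)
	}
	return pocs, nil
}

// FilterBySeverity keeps the PoCs whose severity is at or above threshold.
func FilterBySeverity(pocs []PoC, threshold string) []PoC {
	var kept []PoC
	for _, p := range pocs {
		if SeverityRank(p.Severity) >= SeverityRank(threshold) {
			kept = append(kept, p)
		}
	}
	return kept
}

// SampleOutput is constructed input: line 1 is the PoC shown in this post, line 2 a made-up
// Low-severity reflected finding. The backticks in the payload are spliced in because a Go raw
// string cannot contain them.
var SampleOutput = strings.Join([]string{
	`{"type":"V","inject_type":"inHTML-URL","poc_type":"plain","method":"GET","data":"http://testphp.vulnweb.com/listproducts.php?cat=%27%22%3E%3Cimg%2Fsrc%2Fonerror%3D.1%7Calert%60%60+class%3Ddalfox%3E","param":"cat","payload":"'\"><img/src/onerror=.1|alert` + "``" + ` class=dalfox>","evidence":"48 line: syntax to use near ''\"><img/src/onerror=.1|alert` + "``" + ` class=dalfox>' at line 1","cwe":"CWE-79","severity":"High"}`,
	`{"type":"R","inject_type":"inHTML","poc_type":"plain","method":"GET","data":"http://example.test/search?q=dalfox","param":"q","payload":"dalfox","evidence":"reflected unencoded","cwe":"CWE-79","severity":"Low"}`,
}, "\n")

func main() {
	pocs, err := ParsePoCs(SampleOutput)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	// Report everything at Medium or above; a CI job would exit non-zero if this list is non-empty.
	for _, p := range FilterBySeverity(pocs, "Medium") {
		fmt.Printf("%s %s param=%s %s %s\n", p.Severity, p.CWE, p.Param, p.Method, p.Data)
	}
}
```

Ranking unknown severities above High is deliberate: a gate that compared strings literally would let a misspelled or newly introduced level pass, which is the wrong failure direction for a security check.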
Support for windows/arm64
Dalfox now also releases a windows/arm64 binary.
Improve SXSS Mode
SXSS (stored XSS) mode checks two pages at once: the target URL where the payload is injected and the trigger URL where the stored payload is expected to appear. When scanning at high speed with many workers, the check could not identify results correctly, so a default value and a limit were added for the options below. In effect SXSS mode now runs with a single worker and at least 1.5 seconds between requests.
Option | Matched Flag | Default value | Limit |
---|---|---|---|
options.Concurrence | -w or --worker | 1 | 1 |
options.Delay | --delay | 1500 (1.5s) | >= 1500 |
Improve Code Quality
Dalfox is developed with code quality and test coverage in mind. The numbers did not improve this release, but quality was maintained for the new functions as well.
- Code Coverage: 83.22%
- Goreportcard: A+ / Codacy: A
Update library interface
When using Dalfox as a library, SXSS mode can now be used fully through options.Sequence, and users can also control UseHeadless, UseDeepDXSS and WAFEvasion from the options struct.
package main

import (
	"fmt"

	dalfox "github.com/hahwul/dalfox/v2/lib"
)

func main() {
	opt := dalfox.Options{
		Cookie:      "ABCD=1234",    // sent with every request
		PoCType:     "http-request", // PoC output format (plain, curl, httpie, http-request)
		Sequence:    10,             // SXSS mode: sequence number used together with the trigger URL
		UseHeadless: true,           // verify findings with a headless browser
		UseDeepDXSS: true,           // deep DOM XSS analysis
		WAFEvasion:  false,          // do not slow the scan down when a WAF is detected
	}
	result, err := dalfox.NewScan(dalfox.Target{
		URL:     "https://xss-game.appspot.com/level1/frame",
		Method:  "GET",
		Options: opt,
	})
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(result)
}