Skip to content

Commit

Permalink
Update docs
Browse files Browse the repository at this point in the history
  • Loading branch information
@hahwul
hahwul committed Mar 28, 2023
1 parent 6c24c65 commit 7d91b63
Show file tree
Hide file tree
Showing 3 changed files with 111 additions and 100 deletions.
71 changes: 34 additions & 37 deletions docs/_docs/json.md
View file
Expand Up @@ -8,29 +8,20 @@ permalink: /docs/json/
{
"logs": null,
"pocs": [
{
"type": "R",
"inject_type": "inHTML-none(1)-URL",
"poc_type": "plain",
"method": "GET",
"data": "https://xss-game.appspot.com/level1/frame?query=%3Cxmp%3E%3Cp+title%3D%22%3C%2Fxmp%3E%3Csvg%2Fonload%3Dprint%281%29%3E",
"param": "query",
"payload": "\u003cxmp\u003e\u003cp title=\"\u003c/xmp\u003e\u003csvg/onload=print(1)\u003e",
"evidence": "13 line: s were found for \u003cb\u003e\u003cxmp\u003e\u003cp title=\"\u003c/xmp\u003e\u003csvg/onload=print(1)\u003e\u003c/b\u003e. \u003ca href='?'\u003e",
"cwe": "CWE-79",
"severity": "Medium"
},
{
"type": "V",
"inject_type": "inHTML-none(1)-URL",
"poc_type": "plain",
"method": "GET",
"data": "https://xss-game.appspot.com/level1/frame?query=%3CdETAILS%250aopen%250aonToGgle%250a%3D%250aa%3Dprompt%2Ca%28%29+class%3Ddalfox%3E",
"data": "https://xss-game.appspot.com/level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E",
"param": "query",
"payload": "\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e",
"evidence": "13 line: s were found for \u003cb\u003e\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e\u003c",
"payload": "\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
"evidence": "13 line: s were found for \u003cb\u003e\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource ",
"cwe": "CWE-79",
"severity": "High"
"severity": "High",
"message_id": 223,
"message_str": "Triggered XSS Payload (found DOM Object): query=\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
"raw_request": "GET /level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E HTTP/1.1\r\nHost: xss-game.appspot.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip\r\n\r\n"
}
],
"params": [
Expand All @@ -41,33 +32,33 @@ permalink: /docs/json/
"ReflectedPoint": "/inHTML-none(1)",
"ReflectedCode": "13 line: Sorry, no results were found for \u003cb\u003eDalFox\u003c/b\u003e. \u003ca href='?'\u003eTry again",
"Chars": [
"\u003e",
"-",
"\u003c",
"\"",
"[",
",",
"\\",
"]",
"(",
"$",
":",
";",
"{",
"`",
"'",
"}",
")",
"|",
"\"",
"'",
"-",
"`",
"\u003e",
"$",
"+",
"]",
"=",
"|",
"."
";",
":",
"[",
"}",
"{",
",",
"(",
".",
"\u003c"
]
}
],
"duration": 6254560167,
"start_time": "2022-09-16T13:24:02.693407+09:00",
"end_time": "2022-09-16T13:24:08.947901+09:00"
"duration": 4841809667,
"start_time": "2023-03-28T11:07:15.574531+09:00",
"end_time": "2023-03-28T11:07:20.416285+09:00"
}
```

Expand All @@ -83,7 +74,11 @@ permalink: /docs/json/
"payload":"Attack Value",
"evidence":"Evidence with response body",
"cwe":"CWE ID",
"severity": "Severity (Low/Medium/High)"
"severity": "Severity (Low/Medium/High)",
"message_id": "Message ID",
"message_str": "Message String (POC)",
"raw_request": "Raw HTTP Request (require --output-request flag)",
"raw_response": "Raw HTTP Response (require --output-response flag)"
}
```

Expand All @@ -99,6 +94,8 @@ permalink: /docs/json/
| evidence | Evidence with response body | - Simple codeview of where it's injected in response body. |
| cwe | CWE ID | - Mapping CWE ID |
| severity | Severity | - Severity (Low/Medium/High) |
| raw_request | Raw HTTP Request | - Raw HTTP Request |
| raw_response| Raw HTTP Response | - Raw HTTP Response |

```json
{
Expand Down
5 changes: 5 additions & 0 deletions docs/_docs/output-handling.md
View file
Expand Up @@ -77,3 +77,8 @@ Command (only grep and verified poc)
```
▶ dalfox url http://testphp.vulnweb.com/listproducts.php --only-poc=g,v
```

## Save Traffic in HAR File
```
▶ dalfox url http://testphp.vulnweb.com/listproducts.php --har-file-path=log.har
```
135 changes: 72 additions & 63 deletions docs/_docs/usage.md
View file
Expand Up @@ -19,69 +19,78 @@ Modes:
version Show version
Global Flags:
-b, --blind string Add your blind xss
* Example: -b your-callback-url
--config string Using config from file
-C, --cookie string Add custom cookie
--cookie-from-raw string Load cookie from burp raw http request
* Example: --cookie-from-raw request.txt
--custom-alert-type string Change alert value type
* Example: --custom-alert-type=none / --custom-alert-type=str,none (default "none")
--custom-alert-value string Change alert value
* Example: --custom-alert-value=document.cookie (default "1")
--custom-payload string Add custom payloads from file
-d, --data string Using POST Method and add Body data
--debug debug mode, save all log using -o option
--deep-domxss DOM XSS Testing with more payloads on headless [so slow]
--delay int Milliseconds between send to same host (1000==1s)
-F, --follow-redirects Following redirection
--format string Stdout output format
* Supported: plain / json (default "plain")
--found-action string If found weak/vuln, action(cmd) to next
* Example: --found-action='./notify.sh'
--found-action-shell string Select shell application for --found-action (default "bash")
--grep string Using custom grepping file
* Example: --grep ./samples/sample_grep.json
-H, --header string Add custom headers
-h, --help help for dalfox
--ignore-return string Ignore scanning from return code
* Example: --ignore-return 302,403,404
-X, --method string Force overriding HTTP Method
* Example: -X PUT (default "GET")
--request-method Use custom method for --trigger url ( default "GET" )
--mining-dict Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
-W, --mining-dict-word string Custom wordlist file for param mining
* Example: --mining-dict-word word.txt
--mining-dom Find new parameter in DOM (attribute/js value) (default true)
--no-color Not use colorize
--no-spinner Not use spinner
--only-custom-payload Only testing custom payload (required --custom-payload)
--only-discovery Only testing parameter analysis (same '--skip-xss-scanning' option)
--only-poc string Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified)
-o, --output string Write to output file (By default, only the PoC code is saved)
--output-all All log write mode (-o or stdout)
-p, --param string Only testing selected parameters
--proxy string Send all request to proxy server
* Example: --proxy http://127.0.0.1:8080
--remote-payloads string Using remote payload for XSS testing
* Supported: portswigger/payloadbox
* Example: --remote-payloads=portswigger,payloadbox
--remote-wordlists string Using remote wordlists for param mining
* Supported: burp/assetnote
* Example: --remote-wordlists=burp
--report Show detail report
--report-format string Format of --report flag [plain/json] (default "plain")
-S, --silence Not printing all logs
--skip-bav Skipping BAV(Basic Another Vulnerability) analysis
--skip-grepping Skipping built-in grepping
--skip-headless Skipping headless browser base scanning[DOM XSS and inJS verify]
--skip-mining-all Skipping ALL parameter mining
--skip-mining-dict Skipping Dict base parameter mining
--skip-mining-dom Skipping DOM base parameter mining
--skip-xss-scanning Skipping XSS Scanning (same '--only-discovery' option)
--timeout int Second of timeout (default 10)
--user-agent string Add custom UserAgent
-w, --worker int Number of worker (default 100)
-b, --blind string Add your blind xss
* Example: -b your-callback-url
--config string Using config from file
-C, --cookie string Add custom cookie
--cookie-from-raw string Load cookie from burp raw http request
* Example: --cookie-from-raw request.txt
--custom-alert-type string Change alert value type
* Example: --custom-alert-type=none / --custom-alert-type=str,none (default "none")
--custom-alert-value string Change alert value
* Example: --custom-alert-value=document.cookie (default "1")
--custom-payload string Add custom payloads from file
-d, --data string Using POST Method and add Body data
--debug debug mode, save all log using -o option
--deep-domxss DOM XSS Testing with more payloads on headless [so slow]
--delay int Milliseconds between send to same host (1000==1s)
-F, --follow-redirects Following redirection
--format string Stdout output format
* Supported: plain / json (default "plain")
--found-action string If found weak/vuln, action(cmd) to next
* Example: --found-action='./notify.sh'
--found-action-shell string Select shell application for --found-action (default "bash")
--grep string Using custom grepping file
* Example: --grep ./samples/sample_grep.json
--har-file-path string Path to save HAR of scan requests to
-H, --header strings Add custom headers
-h, --help help for dalfox
--ignore-param strings Ignores this parameter when scanning.
* Example: --ignore-param api_token --ignore-param csrf_token
--ignore-return string Ignores scanning from return code
* Example: --ignore-return 302,403,404
-X, --method string Force overriding HTTP Method
* Example: -X PUT (default "GET")
--mining-dict Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
-W, --mining-dict-word string Custom wordlist file for param mining
* Example: --mining-dict-word word.txt
--mining-dom Find new parameter in DOM (attribute/js value) (default true)
--no-color Not use colorize
--no-spinner Not use spinner
--only-custom-payload Only testing custom payload (required --custom-payload)
--only-discovery Only testing parameter analysis (same '--skip-xss-scanning' option)
--only-poc string Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified)
* Example: --only-poc='g,v'
-o, --output string Write to output file (By default, only the PoC code is saved)
--output-all All log write mode (-o or stdout)
--output-request Include raw HTTP requests in the results.
--output-response Include raw HTTP response in the results.
-p, --param strings Only testing selected parameters
--poc-type string Select PoC type
* Supported: plain/curl/httpie/http-request
* Example: --poc-type='curl' (default "plain")
--proxy string Send all request to proxy server
* Example: --proxy http://127.0.0.1:8080
--remote-payloads string Using remote payload for XSS testing
* Supported: portswigger/payloadbox
* Example: --remote-payloads=portswigger,payloadbox
--remote-wordlists string Using remote wordlists for param mining
* Supported: burp/assetnote
* Example: --remote-wordlists=burp
--report Show detail report
--report-format string Format of --report flag [plain/json] (default "plain")
-S, --silence Only print PoC Code and Progress(for pipe/file mode)
--skip-bav Skipping BAV(Basic Another Vulnerability) analysis
--skip-grepping Skipping built-in grepping
--skip-headless Skipping headless browser base scanning[DOM XSS and inJS verify]
--skip-mining-all Skipping ALL parameter mining
--skip-mining-dict Skipping Dict base parameter mining
--skip-mining-dom Skipping DOM base parameter mining
--skip-xss-scanning Skipping XSS Scanning (same '--only-discovery' option)
--timeout int Second of timeout (default 10)
--user-agent string Add custom UserAgent
--waf-evasion Avoid blocking by adjusting the speed when detecting WAF (worker=1 delay=3s)
-w, --worker int Number of worker (default 100)
Server Flags:
-h, --help help for server
Expand Down

0 comments on commit 7d91b63

Please sign in to comment.