🌘🦊 DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang

Overview


Finder Of XSS, and Dal(달) is the Korean pronunciation of moon.

What is DalFox 🌘 🦊

DalFox is a fast, powerful parameter analysis and XSS scanner, based on a golang/DOM parser. supports friendly Pipeline, CI/CD and testing of different types of XSS. I talk about naming. Dal(달) is the Korean pronunciation of moon and fox was made into Fox(Find Of XSS).

TOC

Key features

Mode: url sxss pipe file server

Class Key Feature Description
Discovery Parameter analysis - Find reflected param
- Find alive/bad special chars, event handler and attack code
- Identification of injection points(HTML/JS/Attribute)
inHTML-none inJS-none inJS-double inJS-single inJS-backtick inATTR-none inATTR-double inATTR-single
Static analysis - Check bad-header like CSP, XFO, etc.. with req/res base
BAV analysis - Testing BAV(Basic Another Vulnerability) , e.g sqli ssti open-redirects
Parameter Mining - Find new param with Dictonary attack (default is GF-Patterns)
- Support custom dictonary file (--mining-dict-word)
- FInd new param with DOM
Built-in Grepping - It Identify the basic info leak of SSTi, Credential, SQL Error, and so on
Scanning XSS Scanning - Reflected xss / stored xss
- DOM base verifying
- Blind XSS testing with param, header(-b , --blind options)
- Only testing selected parameters (-p, --param)
- Only testing parameter analysis (--only-discovery)
Friendly Pipeline - Single url mode (dalfox url)
- From file mode (dalfox file urls.txt)
- From IO(pipeline) mode (dalfox pipe)
- From raw http request file mode (dalfox file raw.txt --rawdata)
Optimizaion query of payloads - Check the injection point through abstraction and generated the fit payload.
- Eliminate unnecessary payloads based on badchar
Encoder - All test payloads(build-in, your custom/blind) are tested in parallel with the encoder.
- To Double URL Encoder
- To HTML Hex Encoder
Sequence - Auto-check the special page for stored xss (--trigger)
- Support (--sequence) options for Stored XSS , only sxss mode
HTTP HTTP Options - Overwrite HTTP Method (-X, --method)
- Follow redirects (--follow-redirects)
- Add header (-H, --header)
- Add cookie (-C, --cookie)
- Add User-Agent (--user-agent)
- Set timeout (--timeout)
- Set Delay (--delay)
- Set Proxy (--proxy)
- Set ignore return codes (--ignore-return)
- Load cookie from raw request (--cookie-from-raw)
Concurrency Worker - Set worker's number(-w, --worker)
N * hosts - Use multicast mode (--multicast) , only file / pipe mode
Output Output - Only the PoC code and useful information is write as Stdout
- Save output (-o, --output)
Format - JSON / Plain (--format)
Printing - Silence mode (--silence)
- You may choose not to print the color (--no-color)
- You may choose not to print the spinner (--no-spinner)
Extensibility REST API - API Server and Swagger (dalfox server)
Found Action - Lets you specify the actions to take when detected.
- Notify, for example (--found-action)
Custom Grepping - Can grep with custom regular expressions on response
- If duplicate detection, it performs deduplication (--grep)
Custom Payloads - Use custom payloads list file (--custom-payload)
- Custom alert value (--custom-alert-value)
- Custom alert type (--custom-alert-type)
Package Package manager - pkg.go.dev
- homebrew with tap
- snapcraft
Docker ENV - docker hub
- gitub package of docker

And the various options required for the testing :D

How to Install

From source

▶ GO111MODULE=on go get -v github.com/hahwul/dalfox/v2

Using homebrew (macos)

▶ brew tap hahwul/dalfox
▶ brew install dalfox

Using snapcraft (ubuntu)

▶ sudo snap install dalfox

More information? please read Installation guide

Usage

Modes: 
  file        Use file mode(targets list or rawdata)
  help        Help about any command
  pipe        Use pipeline mode
  server      Start API Server
  sxss        Use Stored XSS mode
  url         Use single target mode
  version     Show version

Global Flags:
Flags:
  -b, --blind string                Add your blind xss (e.g -b hahwul.xss.ht)
      --config string               Using config from file
  -C, --cookie string               Add custom cookie
      --cookie-from-raw string      Load cookie from burp raw http request (e.g --cookie-from-raw request.txt)
      --custom-alert-type string    Change alert value type (e.g =none / =str,none) (default "none")
      --custom-alert-value string   Change alert value (e.g custom-alert-value=document.cookie (default "1")
      --custom-payload string       Add custom payloads from file
  -d, --data string                 Using POST Method and add Body data
      --debug                       debug mode, save all log using -o option
      --delay int                   Milliseconds between send to same host (1000==1s)
      --follow-redirects            Following redirection
      --format string               Stdout output format(plain/json) (default "plain")
      --found-action string         If found weak/vuln, action(cmd) to next
      --grep string                 Using custom grepping file (e.g --grep ./samples/sample_grep.json)
  -H, --header string               Add custom headers
  -h, --help                        help for dalfox
      --ignore-return string        Ignore scanning from return code (e.g --ignore-return 302,403,404)
  -X, --method string               Force overriding HTTP Method (e.g -X PUT)
      --mining-dict                 Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
      --mining-dict-word string     Custom wordlist file for param mining (e.g --mining-dict-word word.txt)
      --mining-dom                  Find new parameter in DOM (attribute/js value) (default true)
      --no-color                    Not use colorize
      --no-spinner                  Not use spinner
      --only-custom-payload         Only testing custom payload (required --custom-payload)
      --only-discovery              Only testing parameter analysis (same '--skip-xss-scanning' option)
  -o, --output string               Write to output file
  -p, --param string                Only testing selected parameters
      --proxy string                Send all request to proxy server (e.g --proxy http://127.0.0.1:8080)
      --silence                     Not printing all logs
      --skip-bav                    Skipping BAV(Basic Another Vulnerability) analysis
      --skip-grepping               Skipping built-in grepping
      --skip-mining-all             Skipping ALL parameter mining
      --skip-mining-dict            Skipping Dict base parameter mining
      --skip-mining-dom             Skipping DOM base parameter mining
      --skip-xss-scanning           Skipping XSS Scanning (same '--only-discovery' option)
      --timeout int                 Second of timeout (default 10)
      --user-agent string           Add custom UserAgent
  -w, --worker int                  Number of worker (default 100)

Server Flags:
  -h, --help          help for server
      --host string   Bind address (default "0.0.0.0")
      --port int      Bind Port (default 6664)
      
Pipe Flags:
  -h, --help        help for pipe
      --mass              Parallel scanning N*Host mode (show only poc code)
      --mass-worker int   Parallel worker of --mass and --multicast option (default 10)
      --multicast   Parallel scanning N*Host mode (show only poc code)
      
File Flags:
  -h, --help        help for file
      --http        Using force http on rawdata mode
      --mass              Parallel scanning N*Host mode (show only poc code)
      --mass-worker int   Parallel worker of --mass and --multicast option (default 10)
      --multicast   Parallel scanning N*Host mode (show only poc code)
      --rawdata     Using req rawdata from Burp/ZAP
      
SXSS Flags:
  -h, --help             help for sxss
      --mass             Testing mass vector (comming soon)
      --sequence int     Set sequence to first number (e.g --trigger https://~/view?no=SEQNC --sequence 3) (default -1)
      --trigger string   Checking this url after inject sxss code (e.g --trigger https://~~/profile)
▶ dalfox [mode] [flags] [data]

Single target mode

▶ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff -b https://hahwul.xss.ht

Multiple target mode from file

▶ dalfox file urls_file --custom-payload ./mypayloads.txt

Pipeline mode

▶ cat urls_file | dalfox pipe -H "AuthToken: bbadsfkasdfadsf87"

Other tips, See wiki for detailed instructions!

POC format

Sample poc log

[POC][G][BUILT-IN/dalfox-error-mysql/GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
[POC][V][GET] http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E

Format

Identity Type Information BLANK PoC Code
POC G BUILT-IN/dalfox-error-mysql/GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
POC R GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
POC V GET http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2Fclass%3D%22dalfox%22onLoad%3Dalert%2845%29%3E
  • Type: G(Grep) , R(Reflected) , V(Verify)
  • Informatin: Method, grepping name, etc..

Why is there a gap? It is a method to make it easier to parse only the poc code through cut etc. For example, you can do this.

▶ dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123\&artist\=123\&asdf\=ff | cut -d " " -f 2 > output
▶ cat output
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123DalFox
http://testphp.vulnweb.com/listproducts.php?artist=123&asdf=ff&cat=123%22%3E%3Csvg%2FOnLoad%3D%22%60%24%7Bprompt%60%60%7D%60%22+class%3Ddalfox%3E

Screenshots

1414 1415
Single URL Scanning Massive(Multicast/Mass) Scanning
1416 1417
REST API Server Mode Output and Customizing (found-action / grepping)

Wiki

Wiki

Contribute

Contribute

Contributors

Comments
  • Dalfox uses the filename instead of it's content on the file mode

    Dalfox uses the filename instead of it's content on the file mode

    the tools seem to be loading the filename instead of its real content using the file mode. I'm using dalfox latest version. here are the commands I used:

    Command

    dalfox -b username.xss.ht file ~/tools/ParamSpider/output/target.com.txt
    

    Results:

    
        _..._
      .' .::::.   __   _   _    ___ _ __ __ 
     :  :::::::: |  \ / \ | |  | __/ \\ V / 
     :  :::::::: | o ) o || |_ | _( o )) (  
     '. '::::::' |__/|_n_||___||_| \_//_n_\                           
       '-.::''
    
    Parameter Analysis and XSS Scanning tool based on golang
    Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
    [*] Using file mode(targets list)
    [*] Loaded 0 target urls
    

    Second Command:

    dalfox -b username.xss.ht file test
    

    Results:

    
        _..._
      .' .::::.   __   _   _    ___ _ __ __ 
     :  :::::::: |  \ / \ | |  | __/ \\ V / 
     :  :::::::: | o ) o || |_ | _( o )) (  
     '. '::::::' |__/|_n_||___||_| \_//_n_\                           
       '-.::''
    
    Parameter Analysis and XSS Scanning tool based on golang
    Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
    [*] Using file mode(targets list)
    [*] Loaded 1 target urls
    [*] Target URL: test
    [E] not running Get lol: unsupported protocol scheme ""
    
    opened by DEMON1A 17
  • Blind XSS payload is ignored

    Blind XSS payload is ignored

    Summary

    Hello First of all thanks for the awesome tool , I wanted to make some BXSS attack oneliner and I used your tool to perform such action

    Description

    XSS get triggered but my blind XSS is ignored .. asciicast After visiting the links the payload used is not my BXSS payload

    Command

    echo "testphp.vulnweb.com" |  waybackurls | anti-burl | grep -Eo "https?://[^\"\\'> ]+" | grep "=" | grep -v ".jpg\|.png\|.css\|.js" | dalfox pipe -b https://sicksec.xss.ht
    

    Requirement go get -v github.com/tomnomnom/waybackruls go get -v github.com/tomnomnom/hacks/anti-burl

    System Config

    Ubuntu 18.04 Go1.14 Dalfox 1.1.2

    opened by Sicks3c 17
  • [@Headless] No result/PoC on known target (OWASP Juice Shop)

    [@Headless] No result/PoC on known target (OWASP Juice Shop)

    Question

    When I tried dalfox on real site, I only ever got up to [I] Reflected PATH messages but never got a [PoC] result or an output file, so I'm testing it on OWASP Juice Shop. The test is as follows:

    $ cat tmp
    http://localhost:3000/#/search?q=FUZZ
    
    $ dalfox file tmp -o dalfox.txt
    
        _..._
      .' .::::.   __   _   _    ___ _ __ __
     :  :::::::: |  \ / \ | |  | __/ \\ V /
     :  :::::::: | o ) o || |_ | _( o )) (
     '. '::::::' |__/|_n_||___||_| \_//_n_\
       '-.::''
    
    Parameter Analysis and XSS Scanning tool based on golang
    Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul
    
     🎯  Target                 tmp
     🏁  Method                 GET
     🖥   Worker                 100
     🔦  BAV                    true
     ⛏   Mining                 true (Gf-Patterns)
     🔬  Mining-DOM             true (mining from DOM)
     ⏱   Timeout                10
     📤  FollowRedirect         false
     🕰   Started at             2021-06-09 21:13:18.114339628 +0700 +07 m=+0.007974295
    
     >>>>>>>>>>>>>>>>>>>>>>>>>
    [*] 🦊 Start scan [SID:0][0/1][0.00%%] / URL: http://localhost:3000/#/search?q=FUZZ
    [I] Found 0 testing point in DOM Mining
    [I] Content-Type is text/html; charset=UTF-8ter and static analysis 🔍
    [I] X-Frame-Options is SAMEORIGIN
    [I] Access-Control-Allow-Origin is *
    [*] Finish Scan
    
    $ ls
    tmp
    

    I've confirmed that the q parameter in the URL is vulnerable to XSS but dalfox is getting nothing. Am I doing something wrong?

    Environment

    • Dalfox Version: v2.3.7
    • Installed from: go-get
    • OWASP Juice Shop running with docker on localhost:3000
    question develope 
    opened by ChocolateOverflow 15
  • How to test only with custom XSS payload?

    How to test only with custom XSS payload?

    Hi, good work I have a question, I just cant make custom XSS payloads to work.

    by using dalfox url https://xss-game.appspot.com/level1/frame?query= -b https://keev.es/XSS.txt I will get

    [V] Triggered XSS Payload (found DOM Object): query=<scRipT class=dalfox>confirm(45)</script>
        13 line:  s were found for <b><scRipT class=dalfox>confirm(45)</script></b>. <a href='?'>T
    [POC][V][GET] https://xss-game.appspot.com/level1/frame?query=%3CscRipT+class%3Ddalfox%3Econfirm%2845%29%3C%2Fscript%3E
    

    it somehow always use Dalfox XSS payloads

    Any idea what I am doing wrong? Thank you 1

    question 
    opened by keev-studio 15
  • False positives

    False positives

    Hello again,

    I know there has already been one open inquiry regarding false positives but I am quite more curious about the current situation. Have you personally stumbled upon any? Recently, for instance, I might have possibly got one positive for an XSS but am not sure about it because in browser (only tested in the latest Chromium) it doesn't trigger the alert on load. What do you think?

    [V] Triggered XSS Payload (found DOM Object): callback='><sVg/onload=alert(45) class=dalfox> 1 line: FUZZ\'><sVg/onload=alert(45) class=dalfox>({"status":"ok","count":12,"count_tota

    My question therefore is, how can we distinguish that? Is it dependent on anything?

    Thank you very much in advance for your help and comment on this topic.

    opened by ghost 15
  • runtime error: invalid memory address or nil pointer dereference

    runtime error: invalid memory address or nil pointer dereference

    Hello,

    Getting same error as with your other tool (s3reverse) when piping through other commands:

    echo "redacted.com" | waybackurls | head -5 | egrep -o "http?.*" | grep "="| egrep -v ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt|js)" | qsreplace -a | dalfox pipe -blind https://xxx.xss.ht/

    _..._
    

    .' .::::. __ _ _ ___ _ __ __ : :::::::: | \ / \ | | | / \ V / : :::::::: | o ) o || | | ( o )) (
    '. '::::::' |/|n||
    ||
    | _//n\
    '-.::''

    Parameter Analysis and XSS Scanning tool based on golang Finder Of XSS and Dal is the Korean pronunciation of moon. @hahwul [*] Using pipeline mode [*] Loaded 1 target urls [*] Target URL: http://www.redacted.com?cmp=701j000000096imaai [*] Vaild target [ code:200 / size:93822 ] [*] Start static analysis.. 🔍 [*] Start parameter analysis.. 🔍 ◓ Waiting routines.. panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x78b7af]

    goroutine 42 [running]: github.com/hahwul/dalfox/pkg/scanning.StaticAnalysis(0xc0000b40c0, 0x2c, 0xc0000a33e0, 0x1c) /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:463 +0x8f github.com/hahwul/dalfox/pkg/scanning.Scan.func1(0xc00018c0b4, 0xc0000a33e0, 0xc0000b40c0, 0x2c, 0xc0000bc080) /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:75 +0xb5 created by github.com/hahwul/dalfox/pkg/scanning.Scan /home/xxx/go/src/github.com/hahwul/dalfox/pkg/scanning/scan.go:72 +0x342

    go version go1.13.5 linux/amd64

    bug develope exception 
    opened by ddervosj 15
  • delay not used for BAV

    delay not used for BAV

    Describe the bug

    The delay option is only used when testing for XSS and thus if BAV is not turned off, it would generate ~60 requests per parameter without delay. Now in some cases this might be enough to trigger a WAF and thus block requests from ip even after using the delay option.

    Environment

    • Dalfox Version: latest version
    • Installed from: go
    bug 
    opened by gauravnarwani97 14
  • Not adding any custom payload in path base xss

    Not adding any custom payload in path base xss

    Describe the bug

    I was trying to add my custom payload to dalfox, but It doesn't look to add any. Looking at the other output on GitHub it looks like it would tell me something like

    "[*] Added your 6 custom xss payload".
    

    It doesn't say that, and also checking in burpsuite for request, doesn't seem to add the custom payload to request. I've done many tests, but I'll use this vulnerable endpoint to show you:

    dalfox url "https://jobs.corporate.ford.com/List/Custom/Ford-Department"
    
    [POC][V][GET] https://jobs.corporate.ford.com/List/Custom/Ford-Department%22%3E%3Ciframe%20srcdoc=%22%3Cinput%20onauxclick=prompt%281%29%3E%22%20class=dalfox%3E%3C/iframe%3E?=
    

    So I've created a custom file payload like that (just to try):

    cat /tmp/dalfox_custom.txt                                                                                                                                                                          
    "><img src=x onerror=alert('test')>
    

    Then I run

    dalfox url "https://jobs.corporate.ford.com/List/Custom/Ford-Department" --custom-payload /tmp/dalfox_custom.txt --only-custom-payload --proxy http://127.0.0.1:8080
    

    Not only output doesn't show anything about adding payload, but I can't see any request regarding that on burpsuite

    Environment

    • Dalfox Version: 2.4.9
    • Installed from: go-get
    bug 
    opened by leorac 11
  • Panic: runtime error

    Panic: runtime error

    Describe the bug

    panic: runtime error: index out of range [2] with length 2
    
    goroutine 1 [running]:
    github.com/hahwul/dalfox/v2/pkg/scanning.Scan(0xc00002c100, 0x34, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
    	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/pkg/scanning/scan.go:197 +0x574e
    github.com/hahwul/dalfox/v2/cmd.glob..func2(0x19adbe0, 0xc000126620, 0x0, 0x2)
    	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/cmd/pipe.go:99 +0xb38
    github.com/spf13/cobra.(*Command).execute(0x19adbe0, 0xc000126600, 0x2, 0x2, 0x19adbe0, 0xc000126600)
    	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:856 +0x29d
    github.com/spf13/cobra.(*Command).ExecuteC(0x19ade60, 0x443cfa, 0x106d940, 0xc000000180)
    	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:960 +0x349
    github.com/spf13/cobra.(*Command).Execute(...)
    	/home/edoardottt/go/pkg/mod/github.com/spf13/[email protected]/command.go:897
    github.com/hahwul/dalfox/v2/cmd.Execute()
    	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/cmd/root.go:38 +0x31
    main.main()
    	/home/edoardottt/go/pkg/mod/github.com/hahwul/dalfox/[email protected]/dalfox.go:10 +0x20
    

    Environment

    • Dalfox Version: v2.3.6
    • Installed from: GO111MODULE=on go get -v github.com/hahwul/dalfox/v2
    bug 
    opened by edoardottt 11
  • Some ideas!

    Some ideas!

    Hi mate! I want to hear your opinion about some things.

    1. I believe the best option could be to move out the xss scanner to his own bav to have a better understanding of what you are trying to find. Then we can split again xss on differents bav modules for each type. (blind, etc). Whit this, we will also need to move detection and extra checks to his own files. I honestly feel that the code on scan.go is a bit complicated to follow.

    2. Would be great to have the possibility (via configuration or using a command-line flag ) to disable some feature like parameter mining, parameter analysis, or Static analysis. Sometimes you just want to test on the current parameter list and each default option adds a lot of extra HTTP queries and that could finish on your ip blocked/banned.

    let me know. :)

    opened by bp0lr 11
  • Problem using file

    Problem using file

    Hi. I am trying to start dalfox with a file containing all the URLs but unsuccessfully. I have tried almost anything, I always get this output:

    [*] Using file mode(targets list) [*] Loaded 0 target urls

    or

    [*] Using file mode(targets list) [*] Loaded 1 target urls [*] Target URL: /Downloads/domains.txt [E] not running Get /Downloads/domains.txt: unsupported protocol scheme ""

    I am trying dalfox file ./domains.txt or just domains.txt, full path, nothing works. You could probably add that to the readme. What should I do? It's a simple file like:

    domains.txt https://dfds.dfd https://dghkgsdkjg.dgdsg

    etc

    opened by ghost 11
  • Bump github.com/labstack/echo/v4 from 4.9.1 to 4.10.0

    Bump github.com/labstack/echo/v4 from 4.9.1 to 4.10.0

    Bumps github.com/labstack/echo/v4 from 4.9.1 to 4.10.0.

    Release notes

    Sourced from github.com/labstack/echo/v4's releases.

    v4.10.0

    Security

    • We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

      JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

    • This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

      Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

    Enhancements

    • Bump x/text to 0.3.8 #2305
    • Bump dependencies and add notes about Go releases we support #2336
    • Add helper interface for ProxyBalancer interface #2316
    • Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #2338
    • Refactor func(Context) error to HandlerFunc #2315
    • Improve function comments #2329
    • Add new method HTTPError.WithInternal #2340
    • Replace io/ioutil package usages #2342
    • Add staticcheck to CI flow #2343
    • Replace relative path determination from proprietary to std #2345
    • Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
    • Add testcases for some BodyLimit middleware configuration options #2350
    • Additional configuration options for RequestLogger and Logger middleware #2341
    • Add route to request log #2162
    • GitHub Workflows security hardening #2358
    • Add govulncheck to CI and bump dependencies #2362
    • Fix rate limiter docs #2366
    • Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #2337
    Changelog

    Sourced from github.com/labstack/echo/v4's changelog.

    v4.10.0 - 2022-12-27

    Security

    • We are deprecating JWT middleware in this repository. Please use https://github.com/labstack/echo-jwt instead.

      JWT middleware is moved to separate repository to allow us to bump/upgrade version of JWT implementation (github.com/golang-jwt/jwt) we are using which we can not do in Echo core because this would break backwards compatibility guarantees we try to maintain.

    • This minor version bumps minimum Go version to 1.17 (from 1.16) due golang.org/x/ packages we depend on. There are several vulnerabilities fixed in these libraries.

      Echo still tries to support last 4 Go versions but there are occasions we can not guarantee this promise.

    Enhancements

    • Bump x/text to 0.3.8 #2305
    • Bump dependencies and add notes about Go releases we support #2336
    • Add helper interface for ProxyBalancer interface #2316
    • Expose middleware.CreateExtractors function so we can use it from echo-contrib repository #2338
    • Refactor func(Context) error to HandlerFunc #2315
    • Improve function comments #2329
    • Add new method HTTPError.WithInternal #2340
    • Replace io/ioutil package usages #2342
    • Add staticcheck to CI flow #2343
    • Replace relative path determination from proprietary to std #2345
    • Remove square brackets from ipv6 addresses in XFF (X-Forwarded-For header) #2182
    • Add testcases for some BodyLimit middleware configuration options #2350
    • Additional configuration options for RequestLogger and Logger middleware #2341
    • Add route to request log #2162
    • GitHub Workflows security hardening #2358
    • Add govulncheck to CI and bump dependencies #2362
    • Fix rate limiter docs #2366
    • Refactor how e.Routes() work and introduce e.OnAddRouteHandler callback #2337
    Commits
    • f36d566 Changelog for 4.10.0
    • a69727e Mark JWT middleware deprecated
    • 0056cc8 Improve comments wording
    • 45402bb Add echo.OnAddRouteHandler field. As name says - this handler is called when ...
    • f1cf1ec Fix adding route with host overwrites default host route with same method+pat...
    • 895121d Fix rate limiter docs (#2366)
    • abecadc Merge pull request #2362 from aldas/add_govulncheck_2_ci
    • bc75cc2 Add govulncheck to CI and bump dependencies. Refactor GitHub workflows.
    • 40eb889 build: harden echo.yml permissions
    • 135c511 Add request route with "route" tag to logger middleware (#2162)
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump github.com/briandowns/spinner from 1.19.0 to 1.20.0

    Bump github.com/briandowns/spinner from 1.19.0 to 1.20.0

    Bumps github.com/briandowns/spinner from 1.19.0 to 1.20.0.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • dalfox has suddenly stopped working

    dalfox has suddenly stopped working

    this is the output i am now getting

    ⠸ [SA: ✓ PA: ✓ BAV: ✓ ] Waiting for analysis 🔍panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x5f0df4]

    goroutine 26 [running]: net/url.(*URL).Query(0xc000f79200) /usr/local/go/src/net/url/url.go:1130 +0x14 github.com/hahwul/dalfox/v2/pkg/scanning.ParameterAnalysis.func6(0xc00000e028, 0xc00056a000) /Users/ichei/Projects/release/dalfox/pkg/scanning/parameterAnlaysis.go:193 +0xaa github.com/PuerkitoBio/goquery.(*Selection).Each(0xc000f404b0, 0xc0000e5318) /Users/ichei/go/pkg/mod/github.com/!puerkito!bio/[email protected]/iteration.go:10 +0x46 github.com/hahwul/dalfox/v2/pkg/scanning.ParameterAnalysis({_, _}, {{0x1ba2cf8, 0x0, 0x0}, {0x0, 0x0}, {0x1ba2cf8, 0x0, 0x0}, ...}, ...) /Users/ichei/Projects/release/dalfox/pkg/scanning/parameterAnlaysis.go:189 +0xf05 github.com/hahwul/dalfox/v2/pkg/scanning.Scan.func3() /Users/ichei/Projects/release/dalfox/pkg/scanning/scan.go:151 +0xf8 created by github.com/hahwul/dalfox/v2/pkg/scanning.Scan /Users/ichei/Projects/release/dalfox/pkg/scanning/scan.go:149 +0x1195

    bug 
    opened by AnubisTwine 0
  • Duplicate output?

    Duplicate output?

    Describe the bug

    dalfox appears to be repeating scans of the same url and payload? e.g.

    $ urls | dalfox pipe \
                    --skip-mining-dict \
                    --deep-domxss \
                    --remote-payloads=payloadbox,portswigger
    ...
    [#36] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code
    [#37] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code
    [#38] http://127.0.0.1:9093/angular/angular_body/1.2.0?q=code
    

    Environment

    • Dalfox Version: 2.8.2+
    • Installed from: go install github.com/hahwul/dalfox/v2@863c1ce0a2ddf0f4e318ffb7318b7ecd079cab5b
    bug 
    opened by dkegel-fastly 0
  • form action urls not followed?

    form action urls not followed?

    Describe the bug

    Given the page http://localhost containing

    <form action="/xss.php">
      <input type="text" id="xss" name="xss"><br>
      <input type="submit" value="Submit">
      </ul>
    </form>
    

    the command

    dalfox url http://localhost
    

    fetches from

    http://localhost/?xss=DalFox
    

    when it should fetch from

    http://localhost/app.php?xss=DalFox
    

    It seems ParameterAnalysis() is ignoring the url part of the form action? See https://github.com/hahwul/dalfox/blob/c344c5842423f76e05e98db99965c504bc413e8b/pkg/scanning/parameterAnlaysis.go#L177

    doc.Find("form").Each(func(i int, s *goquery.Selection) {
            action, _ := s.Attr("action")
            if strings.HasPrefix(action, "/") || strings.HasPrefix(action, "?") { // assuming this is a relative URL
                    url, _ := url.Parse(action)
                    query := url.Query()
                    for aParam := range query { 
                            p, dp = setP(p, dp, aParam, options)
                            count = count + 1
                    }                                  
            }       
    })      
    

    Environment

    • Dalfox Version: c344c5842423f76e0
    • Installed from: github clone
    bug 
    opened by dkegel-fastly 1
  • Optionally include HTTP Request and Response in the JSON output

    Optionally include HTTP Request and Response in the JSON output

    It would be really helpful if we could optionally have the entire HTTP request and HTTP Response in the JSON output as well. I realize this could become very large but it would be super helpful for providing useful context for the reader. Perhaps as two different options: --output-request and --output-response.

    Feature request 
    opened by kmcquade 1
Releases(v2.8.2)
Owner
HAHWUL
Security Engineer and Developer and H4cker
HAHWUL
A scanner/exploitation tool written in GO, which leverages Prototype Pollution to XSS by exploiting known gadgets.

ppmap A simple scanner/exploitation tool written in GO which automatically exploits known and existing gadgets (checks for specific variables in the g

kleiton0x00 379 Jan 9, 2023
Nuclei is a fast tool for configurable targeted vulnerability scanning based on templates offering massive extensibility and ease of use.

Fast and customisable vulnerability scanner based on simple YAML based DSL. How • Install • For Security Engineers • For Developers • Documentation •

ProjectDiscovery 11.1k Dec 30, 2022
ARP spoofing tool based on go language, supports LAN host scanning, ARP poisoning, man-in-the-middle attack, sensitive information sniffing, HTTP packet sniffing

[ARP Spoofing] [Usage] Commands: clear clear the screen cut 通过ARP欺骗切断局域网内某台主机的网络 exit exit the program help display help hosts 主机管理功能 loot 查看嗅探到的敏感信息

Re 55 Dec 30, 2022
EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptograp

American Express 519 Dec 10, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

null 0 Jan 2, 2022
Portmantool - Port scanning and monitoring tool

portmantool Port scanning and monitoring tool Components runner while true do r

Thomann Bits & Beats 0 Feb 14, 2022
Session Cookie Finder

goSCF Session Cookie Finder - It helps you to find the main session cookie/s (upto 4) from the bunch of cookies, which is responsible for the user aut

Kamal Deep Bhati 8 May 28, 2022
Incident Response - Fast suspicious file finder

FastFinder - Incident Response - Fast suspicious file finder What is this project designed for? FastFinder is a lightweight tool made for threat hunti

Jean-Pierre GARNIER 169 Dec 28, 2022
A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157.

PewSWITCH A FreeSWITCH specific scanning and exploitation toolkit for CVE-2021-37624 and CVE-2021-41157. Related blog: https://0xinfection.github.io/p

Pinaki 24 Nov 2, 2022
A fully self-contained Nmap like parallel port scanning module in pure Golang that supports SYN-ACK (Silent Scans)

gomap What is gomap? Gomap is a fully self-contained nmap like module for Golang. Unlike other projects which provide nmap C bindings or rely on other

jtimperio 75 Dec 10, 2022
The dynamic infrastructure framework for everybody! Distribute the workload of many different scanning tools with ease, including nmap, ffuf, masscan, nuclei, meg and many more!

Axiom is a dynamic infrastructure framework to efficiently work with multi-cloud environments, build and deploy repeatable infrastructure focussed on

pry0cc 3.1k Dec 30, 2022
Gryffin is a large scale web security scanning platform.

Gryffin (beta) Gryffin is a large scale web security scanning platform. It is not yet another scanner. It was written to solve two specific problems w

Yahoo 2.1k Dec 27, 2022
A Large killer focused on intranet scanning

FscanX 其实FscanX的灵感来源于fscan和LodanGo这两个开源项目,首先不得不说fscan和LadonGo两个都是非常优秀的内网扫描器。并且其独自的特色也让其在内网扫描器领域独占鳌头。其中LadonGo的插件式让其在扫描时更加专注,而fscan的傻瓜式则让其对内网的信息搜集更加高效。

SaiRson 203 Dec 31, 2021
WIP. Converts Azure Container Scan Action output to SARIF, for an easier integration with GitHub Code Scanning

container-scan-to-sarif container-scan-to-sarif converts Azure Container Scan Action output to Static Analysis Results Interchange Format (SARIF), for

Armel Soro 2 Jan 25, 2022
Wrapper to communicate with the wifi scanning protocol on Brother MFC-J430W

Brother MFC-J430W protocol wrapper (wifi scanner) Reasons Brother MFC-J430W has already scanner driver and you can download here but that are prebuilt

Andrea Maugeri 4 Dec 20, 2022
Go-basic-port-scanner: Scanning of TCP ports only

go-basic-port-scanner Scanning of TCP ports only. Usage git clone https://git

BenKF 1 Jan 22, 2022
null 0 Feb 2, 2022