XSS TIPS WITH PARAMSPIDER AND DALFOX

Hades
2 min readFeb 27, 2023

--

Disclaimer everything that happens is beyond my responsibility. Use knowledge as wisely as possible.

Paramspider Tools
Dalfox Tools

Hello everyone, how are you, on this occasion I want to share XSS tips with both tools, namely paramspider and dalfox which are very powerful.
Both tools have their respective roles when you want to do bug hunting. Paramspider itself is useful for collecting parameters on the target website and wants to be very helpful when we want to search for a special XSS vulnerability in this tip.

Then for Dalfox itself is very useful for exploring deeper when we have collected the parameters obtained from paramspider. so on this occasion I want to share tips on combining these two tools for our bug hunting process.

Installasi Paramspider
Note : Use python 3.7+

$ git clone https://github.com/devanshbatham/ParamSpider
$ cd ParamSpider
$ pip3 install -r requirements.txt
$ python3 paramspider.py --domain hackerone.com

Thanks To Devanshbatham

Installasi Dalfox

go1.17

go install github.com/hahwul/dalfox/v2@latest

go1.16

GO111MODULE=on go get github.com/hahwul/dalfox/v2

Using homebrew (macos)

brew tap hahwul/dalfox
brew install dalfox

Using snapcraft (ubuntu)

sudo snap install dalfox

After the installation process is complete, let’s get straight to the point of sharing
1. Parameter crawling process using paramspider

python3 paramspider.py — domain https://redacted.com — level high — exclude woff,css,js,png,svg,php,jpg — output redacted.txt

2. Next, explore the process further using dalfox

dalfox file redacted.txt -b bugbountyicodeidc.bxss.in -o hasil-redacted.txt

Dan hasil dari dalfox ketika Triggered XSS Payload

That’s all from me, hopefully it will be useful and helpful, don’t forget to use it as wisely as possible. if there are wrong words, please apologize.

--

--