Update docs

Author: hahwul

docs/_docs/json.md

@@ -8,29 +8,20 @@ permalink: /docs/json/
 {
  "logs": null,
  "pocs": [
-  {
-   "type": "R",
-   "inject_type": "inHTML-none(1)-URL",
-   "poc_type": "plain",
-   "method": "GET",
-   "data": "https://xss-game.appspot.com/level1/frame?query=%3Cxmp%3E%3Cp+title%3D%22%3C%2Fxmp%3E%3Csvg%2Fonload%3Dprint%281%29%3E",
-   "param": "query",
-   "payload": "\u003cxmp\u003e\u003cp title=\"\u003c/xmp\u003e\u003csvg/onload=print(1)\u003e",
-   "evidence": "13 line:  s were found for \u003cb\u003e\u003cxmp\u003e\u003cp title=\"\u003c/xmp\u003e\u003csvg/onload=print(1)\u003e\u003c/b\u003e. \u003ca href='?'\u003e",
-   "cwe": "CWE-79",
-   "severity": "Medium"
-  },
   {
    "type": "V",
    "inject_type": "inHTML-none(1)-URL",
    "poc_type": "plain",
    "method": "GET",
-   "data": "https://xss-game.appspot.com/level1/frame?query=%3CdETAILS%250aopen%250aonToGgle%250a%3D%250aa%3Dprompt%2Ca%28%29+class%3Ddalfox%3E",
+   "data": "https://xss-game.appspot.com/level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E",
    "param": "query",
-   "payload": "\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e",
-   "evidence": "13 line:  s were found for \u003cb\u003e\u003cdETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() class=dalfox\u003e\u003c",
+   "payload": "\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
+   "evidence": "13 line:  s were found for \u003cb\u003e\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource ",
    "cwe": "CWE-79",
-   "severity": "High"
+   "severity": "High",
+   "message_id": 223,
+   "message_str": "Triggered XSS Payload (found DOM Object): query=\u003caudio controls ondurationchange=alert(1) id=dalfox\u003e\u003csource src=1.mp3 type=audio/mpeg\u003e\u003c/audio\u003e",
+   "raw_request": "GET /level1/frame?query=%3Caudio+controls+ondurationchange%3Dalert%281%29+id%3Ddalfox%3E%3Csource+src%3D1.mp3+type%3Daudio%2Fmpeg%3E%3C%2Faudio%3E HTTP/1.1\r\nHost: xss-game.appspot.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nAccept-Encoding: gzip\r\n\r\n"
   }
  ],
  "params": [
@@ -41,33 +32,33 @@ permalink: /docs/json/
    "ReflectedPoint": "/inHTML-none(1)",
    "ReflectedCode": "13 line:  Sorry, no results were found for \u003cb\u003eDalFox\u003c/b\u003e. \u003ca href='?'\u003eTry again",
    "Chars": [
-    "\u003e",
-    "-",
-    "\u003c",
-    "\"",
-    "[",
-    ",",
     "\\",
-    "]",
-    "(",
-    "$",
-    ":",
-    ";",
-    "{",
-    "`",
-    "'",
-    "}",
     ")",
+    "|",
+    "\"",
+    "'",
+    "-",
+    "`",
+    "\u003e",
+    "$",
     "+",
+    "]",
     "=",
-    "|",
-    "."
+    ";",
+    ":",
+    "[",
+    "}",
+    "{",
+    ",",
+    "(",
+    ".",
+    "\u003c"
    ]
   }
  ],
- "duration": 6254560167,
- "start_time": "2022-09-16T13:24:02.693407+09:00",
- "end_time": "2022-09-16T13:24:08.947901+09:00"
+ "duration": 4841809667,
+ "start_time": "2023-03-28T11:07:15.574531+09:00",
+ "end_time": "2023-03-28T11:07:20.416285+09:00"
 }
 ```
 
@@ -83,7 +74,11 @@ permalink: /docs/json/
       "payload":"Attack Value",
       "evidence":"Evidence with response body",
       "cwe":"CWE ID",
-      "severity": "Severity (Low/Medium/High)"
+      "severity": "Severity (Low/Medium/High)",
+      "message_id": "Message ID",
+      "message_str": "Message String (POC)",
+      "raw_request": "Raw HTTP Request (require --output-request flag)",
+      "raw_response": "Raw HTTP Response (require --output-response flag)"
    }
 ```
 
@@ -99,6 +94,8 @@ permalink: /docs/json/
 | evidence    | Evidence with response body | - Simple codeview of where it's injected in response body.   |
 | cwe         | CWE ID                      | - Mapping CWE ID                                             |
 | severity    | Severity                    | - Severity (Low/Medium/High)                                 |
+| raw_request | Raw HTTP Request            | - Raw HTTP Request                                           |
+| raw_response| Raw HTTP Response           | - Raw HTTP Response                                          |
 
 ```json
 {

docs/_docs/output-handling.md

@@ -77,3 +77,8 @@ Command (only grep and verified poc)
 ```
 ▶ dalfox url http://testphp.vulnweb.com/listproducts.php --only-poc=g,v
 ```
+
+## Save Traffic in HAR File
+```
+▶ dalfox url http://testphp.vulnweb.com/listproducts.php --har-file-path=log.har
+```

docs/_docs/usage.md

@@ -19,69 +19,78 @@ Modes:
   version     Show version
 
 Global Flags:
--b, --blind string                Add your blind xss
-                                    * Example: -b your-callback-url
-    --config string               Using config from file
--C, --cookie string               Add custom cookie
-    --cookie-from-raw string      Load cookie from burp raw http request
-                                    * Example: --cookie-from-raw request.txt
-    --custom-alert-type string    Change alert value type
-                                    * Example: --custom-alert-type=none / --custom-alert-type=str,none (default "none")
-    --custom-alert-value string   Change alert value
-                                    * Example: --custom-alert-value=document.cookie (default "1")
-    --custom-payload string       Add custom payloads from file
--d, --data string                 Using POST Method and add Body data
-    --debug                       debug mode, save all log using -o option
-    --deep-domxss                 DOM XSS Testing with more payloads on headless [so slow]
-    --delay int                   Milliseconds between send to same host (1000==1s)
--F, --follow-redirects            Following redirection
-    --format string               Stdout output format
-                                    * Supported: plain / json (default "plain")
-    --found-action string         If found weak/vuln, action(cmd) to next
-                                    * Example: --found-action='./notify.sh'
-    --found-action-shell string Select shell application for --found-action (default "bash")
-    --grep string                 Using custom grepping file
-                                    * Example: --grep ./samples/sample_grep.json
--H, --header string               Add custom headers
--h, --help                        help for dalfox
-    --ignore-return string        Ignore scanning from return code
-                                    * Example: --ignore-return 302,403,404
--X, --method string               Force overriding HTTP Method
-                                    * Example: -X PUT (default "GET")
-    --request-method              Use custom method for --trigger url ( default "GET" )
-    --mining-dict                 Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
--W, --mining-dict-word string     Custom wordlist file for param mining
-                                    * Example: --mining-dict-word word.txt
-    --mining-dom                  Find new parameter in DOM (attribute/js value) (default true)
-    --no-color                    Not use colorize
-    --no-spinner                  Not use spinner
-    --only-custom-payload         Only testing custom payload (required --custom-payload)
-    --only-discovery              Only testing parameter analysis (same '--skip-xss-scanning' option)
-    --only-poc string             Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified)
--o, --output string               Write to output file (By default, only the PoC code is saved)
-    --output-all                  All log write mode (-o or stdout)
--p, --param string                Only testing selected parameters
-    --proxy string                Send all request to proxy server
-                                    * Example: --proxy http://127.0.0.1:8080
-    --remote-payloads string      Using remote payload for XSS testing
-                                    * Supported: portswigger/payloadbox
-                                    * Example: --remote-payloads=portswigger,payloadbox
-    --remote-wordlists string     Using remote wordlists for param mining
-                                    * Supported: burp/assetnote
-                                    * Example: --remote-wordlists=burp
-    --report                      Show detail report
-    --report-format string        Format of --report flag [plain/json] (default "plain")
--S, --silence                     Not printing all logs
-    --skip-bav                    Skipping BAV(Basic Another Vulnerability) analysis
-    --skip-grepping               Skipping built-in grepping
-    --skip-headless               Skipping headless browser base scanning[DOM XSS and inJS verify]
-    --skip-mining-all             Skipping ALL parameter mining
-    --skip-mining-dict            Skipping Dict base parameter mining
-    --skip-mining-dom             Skipping DOM base parameter mining
-    --skip-xss-scanning           Skipping XSS Scanning (same '--only-discovery' option)
-    --timeout int                 Second of timeout (default 10)
-    --user-agent string           Add custom UserAgent
--w, --worker int                  Number of worker (default 100)
+  -b, --blind string                Add your blind xss
+                                      * Example: -b your-callback-url
+      --config string               Using config from file
+  -C, --cookie string               Add custom cookie
+      --cookie-from-raw string      Load cookie from burp raw http request
+                                      * Example: --cookie-from-raw request.txt
+      --custom-alert-type string    Change alert value type
+                                      * Example: --custom-alert-type=none / --custom-alert-type=str,none (default "none")
+      --custom-alert-value string   Change alert value
+                                      * Example: --custom-alert-value=document.cookie (default "1")
+      --custom-payload string       Add custom payloads from file
+  -d, --data string                 Using POST Method and add Body data
+      --debug                       debug mode, save all log using -o option
+      --deep-domxss                 DOM XSS Testing with more payloads on headless [so slow]
+      --delay int                   Milliseconds between send to same host (1000==1s)
+  -F, --follow-redirects            Following redirection
+      --format string               Stdout output format
+                                      * Supported: plain / json (default "plain")
+      --found-action string         If found weak/vuln, action(cmd) to next
+                                      * Example: --found-action='./notify.sh'
+      --found-action-shell string   Select shell application for --found-action (default "bash")
+      --grep string                 Using custom grepping file
+                                      * Example: --grep ./samples/sample_grep.json
+      --har-file-path string        Path to save HAR of scan requests to
+  -H, --header strings              Add custom headers
+  -h, --help                        help for dalfox
+      --ignore-param strings        Ignores this parameter when scanning.
+                                      * Example: --ignore-param api_token --ignore-param csrf_token
+      --ignore-return string        Ignores scanning from return code
+                                      * Example: --ignore-return 302,403,404
+  -X, --method string               Force overriding HTTP Method
+                                      * Example: -X PUT (default "GET")
+      --mining-dict                 Find new parameter with dictionary attack, default is Gf-Patterns=>XSS (default true)
+  -W, --mining-dict-word string     Custom wordlist file for param mining
+                                      * Example: --mining-dict-word word.txt
+      --mining-dom                  Find new parameter in DOM (attribute/js value) (default true)
+      --no-color                    Not use colorize
+      --no-spinner                  Not use spinner
+      --only-custom-payload         Only testing custom payload (required --custom-payload)
+      --only-discovery              Only testing parameter analysis (same '--skip-xss-scanning' option)
+      --only-poc string             Shows only the PoC code for the specified pattern (g: grep / r: reflected / v: verified)
+                                     * Example: --only-poc='g,v'
+  -o, --output string               Write to output file (By default, only the PoC code is saved)
+      --output-all                  All log write mode (-o or stdout)
+      --output-request              Include raw HTTP requests in the results.
+      --output-response             Include raw HTTP response in the results.
+  -p, --param strings               Only testing selected parameters
+      --poc-type string             Select PoC type 
+                                     * Supported: plain/curl/httpie/http-request
+                                     * Example: --poc-type='curl' (default "plain")
+      --proxy string                Send all request to proxy server
+                                      * Example: --proxy http://127.0.0.1:8080
+      --remote-payloads string      Using remote payload for XSS testing
+                                      * Supported: portswigger/payloadbox
+                                      * Example: --remote-payloads=portswigger,payloadbox
+      --remote-wordlists string     Using remote wordlists for param mining
+                                      * Supported: burp/assetnote
+                                      * Example: --remote-wordlists=burp
+      --report                      Show detail report
+      --report-format string        Format of --report flag [plain/json] (default "plain")
+  -S, --silence                     Only print PoC Code and Progress(for pipe/file mode)
+      --skip-bav                    Skipping BAV(Basic Another Vulnerability) analysis
+      --skip-grepping               Skipping built-in grepping
+      --skip-headless               Skipping headless browser base scanning[DOM XSS and inJS verify]
+      --skip-mining-all             Skipping ALL parameter mining
+      --skip-mining-dict            Skipping Dict base parameter mining
+      --skip-mining-dom             Skipping DOM base parameter mining
+      --skip-xss-scanning           Skipping XSS Scanning (same '--only-discovery' option)
+      --timeout int                 Second of timeout (default 10)
+      --user-agent string           Add custom UserAgent
+      --waf-evasion                 Avoid blocking by adjusting the speed when detecting WAF (worker=1 delay=3s)
+  -w, --worker int                  Number of worker (default 100)
 
 Server Flags:
   -h, --help          help for server