What I'm doing wrong? dalfox was unable to detect XSS in vulnweb.com

[highchoice]

Question

I'm testing Dalfox against the Angular app testhtml5.vulnweb.com without success.

Environment

• Dalfox Version: 2.12.0
• Installed from: go-get

Parameter "url=" is vulnerable to XSS with payload "javascript:alert()"

http://testhtml5.vulnweb.com/#/redir?url=javascript:alert()

1 attempt:
dalfox url http://testhtml5.vulnweb.com/#/redir?url=
...
[duration: 9.023743225s][issues: 0] Finish Scan!

2 attempt
dalfox url http://testhtml5.vulnweb.com/#/redir?url= --deep-domxss
...
[500/703 Queries][71.12%] Testing "/redir?url" param and waiting headless <-- looks like fragment # is a problem.
...
[duration: 9.023743225s][issues: 0] Finish Scan!

3 attempt
dalfox url http://testhtml5.vulnweb.com/#/redir?url= --deep-domxss -p url --custom-payload testxss.txt --only-custom-payload

🎯  Target                 http://testhtml5.vulnweb.com/#/redir?url=
 🏁  Method                 GET
 🖥   Performance            100 worker / 1 cpu
 ⛏   Mining                 true (Gf-Patterns, DOM Mining Enabled)
 ⏱   Timeout                10
 📤  FollowRedirect         false
 🕰   Started at             2025-10-04 16:35:16

[*] -------------------------------------------------------------------------------------------------------------------
[*] Starting scan [SID:Single] / URL: http://testhtml5.vulnweb.com/#/redir?url=
[I] Found 19 testing points in DOM-based parameter mining
[I] Content-Type is text/html; charset=utf-8
[I] Access-Control-Allow-Origin is *
[*] -------------------------------------------------------------------------------------------------------------------
[*] [duration: 2.805039063s][issues: 0] Finish Scan!

testxss.txt contains payloads like "javascript:alert()"
BUT I'm not even sure if Dalfox processes a custom payloads from file.

[Sopland520]

Hello, i have the same problem as you for the custom payload.
The tool is not using the custom payload.

[hahwul]

Closing this as stale. If you're still experiencing this issue, please feel free to reopen or file a new issue. Thanks!

[hahwul]

Reopening this to investigate further. Will check this on the current v2 (Go) version as well. FYI, v3 is being rewritten in Rust with improved detection capabilities — so this may also be worth re-testing once v3 is released. Thanks for reporting!

[hahwul]

Root Cause Analysis (v2)

The core issue is that dalfox v2 does not properly discover parameters inside URL hash fragments.

Target URL: http://testhtml5.vulnweb.com/#/redir?url=javascript:alert()

The url parameter lives inside the fragment (#), which is a client-side routing pattern (Angular). Here's why dalfox fails:

1. parseURL() ignores hash fragments

In pkg/scanning/parameterAnalysis.go, the parseURL() function only extracts parameters from u.RawQuery (query string), completely skipping u.Fragment:

p, _ := url.ParseQuery(u.RawQuery)  // only query string — fragment is ignored

2. Hash fallback is too limited

In pkg/scanning/scan.go, there is a fallback that parses u.Fragment — but only when the URL has zero query parameters. This doesn't cover mixed cases or SPA routing patterns like #/redir?url=.

3. Cascading failure

Since hash parameters are never discovered:

• Custom payloads (--custom-payload) are not tested against them
• DOM XSS dynamic testing is skipped for those params
• --only-custom-payload has no effect

4. ParamTypeHash defined but unused

pkg/model/param.go defines a HASH param type, but it is never populated during parameter discovery.

Conclusion: This is a structural limitation in v2's parameter discovery — hash fragment parameters are not supported. Will also check v3 (Rust rewrite) for coverage.