A Burp Suite extension that integrates Dalfox XSS scanner directly into your workflow.
- 🎯 Right-click scanning - Scan requests directly from Proxy History or Repeater.
- ⚙️ Full Dalfox options - Context-aware, WAF evasion, Blind XSS and more.
Dalfox must be installed on your system before using BurpFox.

macOS (Homebrew):

```bash
brew install dalfox
```

Linux (Go):

```bash
go install github.com/hahwul/dalfox/v2@latest
```

Verify installation:

```bash
dalfox version
```

Note: Ensure `dalfox` is in your PATH. BurpFox also checks common locations like `~/go/bin/dalfox` and `/usr/local/bin/dalfox`.
Option A (install the release JAR):

1. Download the latest `burpfox-x.x.jar` from Releases
2. Open Burp Suite
3. Go to Extensions → Installed → Add
4. Select Extension type: Java
5. Click Select file and choose the downloaded JAR
6. Click Next to load the extension
Option B (build from source):

Requirements:
- Java 17+
- Maven 3.6+

```bash
# Clone the repository
git clone https://github.com/halilkirazkaya/burpfox.git
cd burpfox

# Build
mvn clean package

# The JAR will be at target/burpfox-0.1.jar
```

Then follow steps 2-6 from Option A to install the JAR.
- In Burp Suite, capture a request (Proxy, Repeater, etc.)
- Right-click on the request
- Select BurpFox Scan
- Configure scan options and select parameters
- Click Start Scan
| Category | Options |
|---|---|
| Detection | Context Aware, Deep DOM XSS, WAF Evasion, Follow Redirects, Fast Scan |
| Mining | Mining Dict, Mining DOM, Skip BAV, Remote Payloads |
| Output | No Color, Silence Mode, Report, PoC Type (plain/curl/httpie) |
| Advanced | Workers, Timeout, Delay, Proxy, Ignore Return |
- Reflected XSS (url) - Standard XSS scanning
- Stored XSS (sxss) - Requires a trigger URL where the payload will execute
Select multiple requests in Proxy History or Site Map, then right-click to:
- Scan All Selected - Opens config dialogs for each request
- Scan Individual - Choose specific requests from the submenu
If Dalfox is not in your PATH, set the system property:

```
# In Burp Suite JVM options
-Ddalfox.path=/custom/path/to/dalfox
```

Enable the Proxy option in Advanced settings to route Dalfox traffic through Burp (default: http://127.0.0.1:8080).
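The lookup order described above (explicit `-Ddalfox.path` first, then PATH, then the two common install locations) can be implemented as follows. This is an added illustration, not BurpFox's own code: the `DalfoxLocator` class and its `isRunnable` helper are assumed names, and it assumes a POSIX binary name without an `.exe` suffix.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

/** Illustrative resolver (assumed name): finds the dalfox binary in the README's documented order. */
public final class DalfoxLocator {

    private static final String BINARY = "dalfox"; // assumes a POSIX host; Windows would need dalfox.exe

    public static Optional<Path> locate() {
        List<Path> candidates = new ArrayList<>();

        // 1. Explicit override passed to the Burp JVM: -Ddalfox.path=/custom/path/to/dalfox
        String override = System.getProperty("dalfox.path");
        if (override != null && !override.isBlank()) {
            candidates.add(Paths.get(override));
        }

        // 2. Every directory on PATH (File.pathSeparator is ':' on POSIX, ';' on Windows)
        String path = System.getenv("PATH");
        if (path != null) {
            for (String dir : path.split(File.pathSeparator)) {
                if (!dir.isEmpty()) candidates.add(Paths.get(dir, BINARY));
            }
        }

        // 3. Common locations the README says BurpFox also checks; "~" is the JVM's user.home
        candidates.add(Paths.get(System.getProperty("user.home"), "go", "bin", BINARY));
        candidates.add(Paths.get("/usr/local/bin", BINARY));

        // First candidate that is a real, executable file wins; an empty Optional means "not installed"
        return candidates.stream().filter(DalfoxLocator::isRunnable).findFirst();
    }

    private static boolean isRunnable(Path p) {
        return Files.isRegularFile(p) && Files.isExecutable(p);
    }

    public static void main(String[] args) {
        System.out.println(locate().map(Path::toString)
                .orElse("dalfox not found: install it or set -Ddalfox.path"));
    }
}
```

Running it with `java -Ddalfox.path=/custom/path/to/dalfox DalfoxLocator` mirrors the troubleshooting check: if the printed path is empty, `dalfox version` and `which dalfox` are the next things to verify.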
- Verify Dalfox is installed:

  ```bash
  dalfox version
  ```

- Check if it's in PATH:

  ```bash
  which dalfox
  ```
- Increase Scan Timeout in Advanced options (default: 30 minutes)
- Try enabling Fast Scan for quicker results
- Check if target is reachable
- Ensure parameters are selected for scanning
- Try disabling Skip Discovery to find more injection points
- Enable Mining Dict and Mining DOM for comprehensive scanning
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
- Dalfox by @hahwul - The powerful XSS scanner
- Burp Suite by PortSwigger - The web security testing platform
Halil Kirazkaya - @halilkirazkaya
Made with ❤️ for the security community.