The well-known web hacking tool now includes CORS misconfiguration detection, following the end-of-life announcement for the original service.
XSS Hunter has found a new home at Truffle Security, which has released an updated version of this essential tool after its original creator announced plans to phase it out in February.
XSS Hunter is a widely used open-source solution for detecting cross-site scripting (XSS) vulnerabilities on websites.
The newly revamped version, available under the Truffle Security umbrella, is an open-source fork of the original project, now enhanced with additional features and improved security measures. Alternative forks are also available for users to transition to.
The original developer of XSS Hunter, ‘Mandatory’ (Matthew Bryant), referred to XSS Hunter as a passion project he has nurtured for a long time, promising to continue supporting the xsshunter-express repository for users interested in self-hosting.
Concerns Regarding Privacy
XSS vulnerabilities are prevalent, representing around 23% of the bug reports filed on the HackerOne bug bounty platform.
“XSS Hunter is arguably the most effective tool for detecting XSS beyond manual testing methods,” shared Dylan Ayrey, co-founder of Truffle Security, with The Daily Swig. “It plays a crucial role for the community, though it poses inherent risks.”
Many users of XSS Hunter inadvertently transmitted sensitive data to the platform, exacerbating the risk of data leakage. Ayrey recalled uncovering 50,000 Google user records while utilizing the previous version of XSS Hunter, a subject he addressed in a presentation at Black Hat 2022.
“My concerns regarding data handling were alleviated while Mandatory was at the helm, but with the end-of-life announcement, I grew wary about potential replacements with less scrupulous intentions,” Ayrey noted.
The new iteration of XSS Hunter actively blurs the captured screenshots to safeguard sensitive information revealed through XSS payloads. It has eliminated support for full DOM capture and mandates Google SSO login to bolster account security.
Reflecting on the older service’s discontinuation, Mandatory expressed, “I’ve become increasingly uneasy with the sheer volume of vulnerability data stored on the service.” Through this deprecation he aims to reach the point of storing no vulnerability information about XSS Hunter users at all.
Mandatory labeled Truffle Security’s fork as “a significant improvement,” acknowledging, “Truffle Security is beginning with a focus on balancing privacy concerns alongside bug bounty research interests, which is encouraging.”
Truffle Security has also extended the tool’s capabilities to identify a wider array of vulnerabilities, including CORS misconfigurations, which can allow an unrelated external site to read data from an internal domain. Such vulnerabilities are notably harmful, as Truffle Security found in its investigation of various corporate networks.
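To make the CORS point concrete, here is an added example (my own code, not XSS Hunter’s or Truffle Security’s detection logic) showing the weak configuration beside a hardened one, plus a classifier that reads the response headers and reports what a misconfiguration exposes. The handlers, the `example.com` allowlist and the origins used are all constructed for the illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist used by the hardened handler.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def weak_cors_headers(origin):
    """Reflects whatever Origin the browser sent and allows credentials.
    This is the misconfiguration that lets an unrelated site read
    cookie-authenticated responses from the internal domain."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(origin):
    """Emits CORS headers only for an explicitly allowlisted origin.
    'Vary: Origin' keeps caches from serving one origin's answer to another."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def assess_cors(origin, headers, trusted_domain="example.com"):
    """Classify the CORS headers a server returned for a request carrying `origin`.
    Returns a list of finding strings; an empty list means nothing risky was seen."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return []  # no CORS grant at all: the browser blocks cross-origin reads
    findings = []
    if acao == "*":
        findings.append("wildcard origin: any site can read responses that need no cookies")
    elif acao == "null":
        findings.append("'null' origin allowed: sandboxed iframes and data: URLs get that origin")
    else:
        parsed = urlparse(acao)
        host = parsed.hostname or ""
        in_trust = host == trusted_domain or host.endswith("." + trusted_domain)
        if acao == origin and not in_trust:
            findings.append("untrusted origin reflected: " + acao)
        if parsed.scheme == "http":
            findings.append("plaintext-http origin trusted: a network attacker can impersonate it")
    if creds and findings:
        findings.append("credentials allowed: cookie-authenticated data is readable from that origin")
    return findings


if __name__ == "__main__":
    probe = "https://evil.example.net"  # constructed untrusted origin
    print("weak:    ", assess_cors(probe, weak_cors_headers(probe)))
    print("hardened:", assess_cors(probe, hardened_cors_headers(probe)))
```

The probe origin is deliberately outside the trusted domain: a reflected-origin policy only shows itself when the request comes from somewhere the server should not trust, which is why a check of this kind has to send an Origin header the site has no business accepting.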
Furthermore, Truffle Security has integrated a basic version of their TruffleHog tool within the new XSS Hunter, allowing scans of HTML pages for secret data like AWS, Google Cloud Platform, and Slack credentials, as well as monitoring tested sites for source code leaks via .git directories.
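As an added illustration of the secret-scanning and .git-exposure checks described above (my own code, not TruffleHog’s detectors or the XSS Hunter implementation), the following scans a page body for credential-shaped strings and decides whether a served `.git/HEAD` file looks genuine. The regular expressions are modelled on the widely documented formats of AWS access key IDs, Google API keys and Slack tokens; the sample HTML, the AWS documentation example key and the other values in it are constructed.

```python
import re

# Detector patterns modelled on well-known credential formats (assumptions,
# not TruffleHog's rule set).
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
}


def redact(value):
    """Keep only the prefix and suffix so a report never re-leaks the secret."""
    return value[:4] + "..." + value[-4:]


def scan_html_for_secrets(html):
    """Return sorted (detector, redacted_value) pairs for every match in a page body."""
    found = set()
    for kind, rx in DETECTORS.items():
        for m in rx.finditer(html):
            found.add((kind, redact(m.group(0))))
    return sorted(found)


def git_head_exposed(head_body):
    """True if the body served at /.git/HEAD is a real git HEAD file, i.e. the
    repository metadata (and with it the source history) is web-accessible.
    A symbolic ref reads 'ref: refs/...'; a detached HEAD is a bare 40-hex SHA-1."""
    body = head_body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


# Constructed sample page with credentials embedded in inline script.
SAMPLE_HTML = """<html><body>
<script>
  const cfg = { awsKey: "AKIAIOSFODNN7EXAMPLE",
                mapsKey: "AIza0123456789abcdefghijklmnopqrstuvwxy" };
  fetch("https://hooks.example/notify",
        { headers: { Authorization: "Bearer xoxb-123456789012-abcdefghijklmn" } });
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in scan_html_for_secrets(SAMPLE_HTML):
        print(f"{kind}: {value}")
    print("git exposed:", git_head_exposed("ref: refs/heads/main\n"))
    print("git exposed:", git_head_exposed("<html>Not Found</html>"))
```

Reporting only redacted values matters in this setting: the whole privacy concern in the article is a scanning service that ends up holding the sensitive data it finds, so the scanner should record that a secret exists and where, not the secret itself.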
“We identified a chance to tackle privacy issues while also providing the cybersecurity community with new functionalities in the XSS Hunter tool,” Ayrey added.
Ayrey noted that Mandatory supported this development and contributed to the initiative. Truffle Security aspires to introduce further functionalities to XSS Hunter shortly, including a more comprehensive iteration of TruffleHog.
“When I originally launched the service, many doubted the severity of blind XSS vulnerabilities,” Ayrey reflected. “Today, there is no ambiguity about the prevalence and seriousness of these issues, signifying that it has effectively fulfilled its intended purpose.”
Truffle Security also encourages readers to stay updated with the latest advancements in web hacking tools by exploring additional resources.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/truffle-security-relaunches-xss-hunter-tool-with-new-features