Truffle Security relaunches XSS Hunter tool with new features

The popular hacking aid has been reintroduced with a new feature for detecting CORS misconfigurations following the announcement of its end-of-life status.

XSS Hunter Introduction

The tool known as XSS Hunter is now hosted by Truffle Security, having undergone a significant update after its original creator announced plans to discontinue it earlier this year.

XSS Hunter is widely recognized as an open-source tool used to identify cross-site scripting (XSS) vulnerabilities in web applications.

The newly released version is a fork of the original tool, hosted under Truffle Security’s banner, and incorporates additional features aimed at enhancing security. Users now have multiple forks to transition to as needed.

The original developer of XSS Hunter, known as ‘Mandatory’ (Matthew Bryant), expressed that XSS Hunter has been a long-standing project he nurtured, and plans to manage the xsshunter-express repository more thoroughly to support users wishing to self-host.

Concerns Regarding Privacy

XSS vulnerabilities are notably prevalent, representing 23% of all bug reports filed on the popular bug bounty platform, HackerOne.

Dylan Ayrey, co-founder of Truffle Security, commented on the importance of XSS Hunter, stating, “It’s a crucial resource for the community, but it does come with certain risks.”

There have been instances where users inadvertently sent sensitive data to XSS Hunter, resulting in potential data exposure. During his prior use of the original XSS Hunter, Ayrey encountered a database containing 50,000 Google user records, which he later discussed in a conference presentation at Black Hat 2022.

“As long as Mandatory was managing the service, I felt secure about how the platform handled the data,” he noted.

“Our worries escalated after the end-of-life announcement, as we feared a new service could emerge that might not handle data with the same integrity.”

To address these issues, the new iteration of XSS Hunter deliberately obfuscates screenshots captured by the platform to safeguard any sensitive content displayed by XSS payloads. The update also eliminates full DOM capture and mandates Google SSO for account security improvements.

Concerning the discontinuation of the previous service, Mandatory revealed to The Daily Swig his growing discomfort with the volume of vulnerability data stored by the platform.

“Ideally, I would prefer not to store any vulnerability information for XSS Hunter users, which this transition will accomplish,” he explained.

Mandatory acknowledged the new fork by Truffle Security as an improvement, stating, “The approach of Truffle Security in balancing privacy and bug bounty research is promising.”


Truffle Security has incorporated features that enable the detection of various other vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that could permit unauthorized access to internal domains. Such vulnerabilities can be particularly severe, as evidenced by Truffle Security’s findings during recent internal network investigations.
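To make the CORS point concrete, here is an added Python example (not code from XSS Hunter, TruffleHog or Truffle Security) that classifies a server's CORS response headers the way a defender reviewing captured responses would: a fixed allow-list is fine, a wildcard is weak for unauthenticated data, and reflecting whatever `Origin` the client sent together with `Access-Control-Allow-Credentials: true` is the misconfiguration that lets any site read authenticated responses. The `trusted_origins` parameter and the sample header sets are assumptions constructed for the illustration.

```python
"""Classify CORS response headers for common misconfigurations.

Added example for illustration; it is not XSS Hunter's or TruffleHog's code.
The header samples at the bottom are constructed, not captured from any site.
"""
from typing import Dict, FrozenSet, List, Tuple

Finding = Tuple[str, str]  # (severity, description)


def check_cors(
    request_origin: str,
    response_headers: Dict[str, str],
    trusted_origins: FrozenSet[str] = frozenset(),
) -> List[Finding]:
    """Return findings for one response, given the Origin the request carried.

    `trusted_origins` is the set of origins the application is expected to
    allow; an echoed origin from that set is a correct allow-list, not a bug.
    """
    # Header names are case-insensitive; normalise once.
    h = {k.strip().lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: List[Finding] = []

    if acao is None:
        return findings  # no cross-origin read is permitted at all

    if acao == "*":
        findings.append(("low", "wildcard ACAO: any origin can read unauthenticated responses"))
        if creds:
            # Browsers refuse '*' with credentials, but the pair shows the
            # policy was not thought through and deserves a look.
            findings.append(("medium", "wildcard ACAO combined with credentials=true"))
        return findings

    if acao.lower() == "null":
        sev = "high" if creds else "medium"
        findings.append((sev, "ACAO 'null': sandboxed iframes and data: URLs get the 'null' origin"))
        return findings

    if acao.lower() == request_origin.lower() and acao.lower() not in {
        o.lower() for o in trusted_origins
    }:
        if creds:
            findings.append(("high", "request Origin reflected with credentials: "
                                     "authenticated responses readable cross-origin"))
        else:
            findings.append(("medium", "request Origin reflected without credentials"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Collapse a list of findings to its most severe level ('none' if empty)."""
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    return max((f[0] for f in findings), key=order.__getitem__, default="none")


# Constructed sample responses, as if captured with Origin: https://untrusted.example
SAMPLE_RESPONSES = {
    "reflected_with_creds": {
        "Access-Control-Allow-Origin": "https://untrusted.example",
        "Access-Control-Allow-Credentials": "true",
    },
    "fixed_allowlist": {"Access-Control-Allow-Origin": "https://app.example"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "no_cors": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        findings = check_cors("https://untrusted.example", headers)
        print(f"{name:22} {worst_severity(findings):6} {findings}")
```

The same check can be run over a proxy export or web-server access log that records both the request `Origin` and the response headers; only the reflected-with-credentials case warrants immediate remediation, the others are policy review items.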

The new XSS Hunter tool integrates the light version of TruffleHog, a feature that scans for secrets within HTML pages, including AWS, Google Cloud, and Slack credentials. Additionally, it checks web applications for source code leaks via .git repositories.

Ayrey expressed that there was an opportunity to address privacy concerns while equipping the cybersecurity community with new capabilities through the revamped XSS Hunter tool.

Mandatory supported this initiative and assisted during the process. Truffle Security is committed to further enhancing XSS Hunter in the future, including a more robust version of TruffleHog.

“When I initially created the service, many could not perceive blind XSS as a legitimate concern,” he recalled. “Today, however, there is universal acknowledgment of the gravity and frequency of these vulnerabilities, thus achieving one of the objectives of the platform.”


Based on an article from portswigger.net: https://portswigger.net/daily-swig/truffle-security-relaunches-xss-hunter-tool-with-new-features
