The widely-used hacking tool has been relaunched with the addition of a new CORS misconfiguration detection feature, following an announcement of its end-of-life.
The XSS Hunter tool has now become part of Truffle Security, which has introduced an updated version after the tool’s original creator announced its deprecation scheduled for February.
XSS Hunter is recognized as an essential open-source tool for uncovering cross-site scripting (XSS) vulnerabilities in online platforms.
The revamped version, available on Truffle Security’s site, is a new open-source iteration of the original, equipped with additional functionalities and improved security measures. Alternative forks are also provided for users seeking to shift to different implementations.
‘Mandatory’ (Matthew Bryant), the original creator of XSS Hunter, described the tool as a long-standing passion project and expressed his commitment to maintaining the xsshunter-express repository diligently, enabling users to self-host their own instances.
Concerns Regarding Privacy
The occurrence of XSS vulnerabilities is notably high, contributing to 23% of all bug reports submitted on the HackerOne platform.
“Aside from manual testing, XSSHunter has been the leading tool for identifying XSS vulnerabilities,” noted Dylan Ayrey, co-founder of Truffle Security, in a statement to The Daily Swig. “While it is incredibly useful for the community, it also carries inherent risks.”
Many users found themselves inadvertently sending sensitive information to the platform, which posed a risk of data breaches. Ayrey recalled an incident where he discovered 50,000 Google user records while utilizing the previous version of XSS Hunter, an experience that later became a highlight of his talk at Black Hat 2022.
“While Mandatory oversaw the service, I had no concerns regarding the handling of any data collected,” Ayrey commented.
“However, with the announcement of its EOL, there was apprehension that a new tool could emerge with operators having potentially different handling practices regarding collected data.”
The new iteration of XSS Hunter incorporates mechanisms to obscure screenshots captured, protecting sensitive data associated with XSS payloads. It has also eliminated support for full DOM capture and requires Google SSO login to heighten account security.
In response to the cessation of the prior service, Mandatory expressed to The Daily Swig his growing discomfort with the volume of vulnerability information retained within the service.
“Ideally, I prefer to have no vulnerability information stored for XSS Hunter users, which will be accomplished through this deprecation,” he said.
Mandatory characterized Truffle Security’s fork as a “positive step” and remarked, “It’s promising that Truffle Security approaches the balance between privacy and bug bounty research interests thoughtfully.”
Truffle Security has integrated functionalities to identify other types of vulnerabilities, including CORS misconfigurations. This vulnerability allows unauthorized external sites to access and extract data from internal domains, posing significant risks, as recently shown in Truffle Security’s findings during investigations of various corporate networks.
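As an added illustration of the CORS misconfiguration check described above (example code written for this page, not Truffle Security’s or XSS Hunter’s own; the header values and origins are constructed), a Python function that classifies a response’s CORS headers given the Origin the request carried:

```python
from dataclasses import dataclass


@dataclass
class CorsFinding:
    severity: str  # "none", "low", "medium" or "high"
    reason: str


def assess_cors(response_headers: dict, request_origin: str, trusted_origins: set) -> CorsFinding:
    """Classify the CORS policy a server returned for a request that sent `request_origin`.

    `trusted_origins` is the set of origins the site is expected to allow; a response that
    echoes any other Origin back is the reflection misconfiguration a scanner looks for.
    Header names are matched case-insensitively, as browsers do.
    """
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao is None:
        return CorsFinding("none", "no Access-Control-Allow-Origin: browser blocks cross-origin reads")
    if acao == "*":
        # Browsers refuse to combine "*" with credentials, so only public data is exposed.
        return CorsFinding("low", "wildcard origin; credentials are not honoured by browsers")
    if acao == "null":
        # Any sandboxed iframe or data: URL can present the "null" origin.
        return CorsFinding("high" if creds else "low", "'null' origin allowed")
    if acao == request_origin and request_origin not in trusted_origins:
        if creds:
            return CorsFinding("high", "arbitrary Origin reflected with credentials: authenticated data readable")
        return CorsFinding("medium", "arbitrary Origin reflected without credentials")
    return CorsFinding("none", f"origin {acao} is explicitly allowed")


# Constructed sample: the response a misconfigured endpoint might return to an untrusted origin.
SAMPLE_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    finding = assess_cors(SAMPLE_RESPONSE, "https://untrusted.example", {"https://app.example"})
    print(finding.severity, "-", finding.reason)
```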
The company has embedded the lite version of its TruffleHog tool into the newly updated XSSHunter, allowing for the scanning of HTML pages in search of secrets, including AWS, GCP, and Slack credentials. This tool also checks for potential source code leaks within .git directories on the tested websites.
“We recognized an opportunity to not only address privacy issues but also to equip the cybersecurity community with enhanced capabilities through the XSS Hunter tool,” remarked Ayrey.
According to Ayrey, Mandatory lent his support during this development phase. Truffle Security is committed to continually enhancing XSS Hunter with additional features, including a full version of TruffleHog in upcoming releases.
“There was initial skepticism about blind XSS being a ‘real’ threat when I first created the service,” Mandatory reflected. “Today, there is no question regarding the prevalence and risks associated with these vulnerabilities, confirming the original intent of the tool.”
Based on an article from portswigger.net: https://portswigger.net/daily-swig/truffle-security-relaunches-xss-hunter-tool-with-new-features