Popular hacking aid now available with CORS misconfig detection function following end-of-life announcement
XSS Hunter now has a home at Truffle Security, which has launched a new version of the tool after its original creator announced that he would deprecate the original service in February.
The new version, hosted on Truffle Security’s domain, is an open source fork of the original code with new features and enhanced security. Other forks are also available for users to migrate to.
The original architect of XSS Hunter, ‘Mandatory’ (aka Matthew Bryant), described XSS Hunter as his long-time passion project, and said he will maintain the xsshunter-express repository “more dutifully in the future to support those who wish to self-host their own instance”.
XSS is a very common vulnerability, accounting for 23% of bug reports submitted to bug bounty platform HackerOne, for example.
“The most popular tool for looking for XSS aside from manual testing is XSSHunter,” Dylan Ayrey, co-founder of Truffle Security, told The Daily Swig. “It’s an extremely valuable tool to the community, but it also had risks.”
Many users of XSS Hunter would accidentally send sensitive data to the platform, creating a risk of data leakage. Ayrey had previously stumbled on 50,000 Google user records while working with the old XSS Hunter, which became the topic of a talk he gave at Black Hat 2022.
“As long as Mandatory was in charge of the service, I wasn’t concerned with what the platform might do with that data collected,” Ayrey said.
“But we were concerned after the EOL [end of life] was announced, another tool might have come along to replace it with operators that may have had different intentions with the data collected.”
The new XSS Hunter tool blurs screenshots captured by the platform to protect sensitive information rendered by the XSS payload. It has also removed support for full DOM capture and enforces Google SSO login to improve account security.
Regarding the deprecation of the old service, Mandatory told The Daily Swig that he had become “increasingly uncomfortable with the amount of vulnerability information stored in the service.
“Ideally I’d like to be storing zero vulnerability information for XSS hunter users, which this deprecation will achieve,” he said.
Mandatory described Truffle Security’s fork as “a step in the right direction” and said: “I think the fact that Truffle Security is starting out with an eye on balancing privacy and bug bounty research interests is a good sign.”
Truffle Security has added support for detecting other kinds of vulnerabilities, including cross-origin resource sharing (CORS) misconfigurations that would allow external sites to view and extract data from internal domains. CORS vulnerabilities can be especially damaging, as Truffle Security recently discovered while investigating different internal corporate networks.
Truffle Security has integrated the lite version of its TruffleHog tool into the new XSS Hunter, enabling it to scan HTML pages for secrets such as AWS, GCP, and Slack keys. It will also scan tested websites for source code leaks via exposed .git directories.
“We saw an opportunity to both address privacy concerns as well as give the cybersecurity community new capabilities within the XSS Hunter tool,” Ayrey said.
Ayrey said Mandatory was supportive of the effort and helped out in the process. Truffle Security plans to add more features to XSS Hunter in the future, including adding a more complete version of TruffleHog.
“When I first built the service many people didn’t really believe that blind XSS was a ‘real’ concern,” Mandatory said. “Today I don’t think anyone doubts the pervasiveness and severity of these vulnerabilities, so it has pretty much achieved what it was meant to do.”