We at Truffle Security are excited to announce that we have partnered with the creator of XSSHunter, Mandatory, to stand up a new version of the popular open-source blind cross-site scripting detection platform that comes with a number of privacy and feature enhancements.
Check it out here: https://xsshunter.trufflesecurity.com
You will also be able to seamlessly migrate your old XSSHunter account onto the new XSSHunter, in a way that preserves all your existing payloads. Instructions on how to do this are at the bottom of this post.
Enhancements of this new XSSHunter include the following:
CORS analysis
Detection of secrets on the page the payload fires
Detection of exposed .git directory
Privacy features that reduce the risk of accidental data breach
Google SSO login to prevent the use of passwords
As many of you know, XSSHunter has been a valuable tool for detecting and preventing cross-site scripting vulnerabilities. However, Mandatory has announced that he will no longer be running the platform:
We understand the importance of XSSHunter to the security community, and we are committed to continuing its legacy by creating a new version that incorporates new privacy features and looks for new types of vulnerabilities.
CORS CHECKS
You may have read our recent blog post on CORS issues. XSSHunter will now be able to detect when internal domains have CORS misconfigurations that allow external sites to read and exfiltrate data from them.
Detecting CORS headers
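As an added illustration (not XSSHunter's own code), the following function classifies a CORS response the way such a probe has to: it assumes the request was sent with an Origin value the target has no legitimate reason to trust, and reads the two headers that decide whether a foreign page can read the response.

```javascript
// Added example, not code from XSSHunter. Classify CORS response headers for
// a request whose Origin (requestOrigin) the server should not be trusting.
// `headers` is a plain object keyed by lower-case header name.
// Returns a finding label, or null when browsers would block the read anyway.
function analyzeCors(requestOrigin, headers) {
  const acao = headers["access-control-allow-origin"];
  const allowCreds =
    (headers["access-control-allow-credentials"] || "").trim().toLowerCase() === "true";

  if (acao === undefined) return null; // no CORS grant at all: same-origin policy applies

  if (acao === "*") {
    // Browsers refuse "*" together with credentials, so only the
    // unauthenticated read is exposed; still a finding on an internal host.
    return allowCreds ? null : "wildcard-origin";
  }
  if (acao === "null") {
    // "null" is the origin of sandboxed iframes and data: URLs, so any site
    // can arrange to present it; with credentials this reads authenticated data.
    return allowCreds ? "null-origin-with-credentials" : "null-origin";
  }
  if (acao === requestOrigin) {
    // The server echoed an untrusted origin back. With credentials, any page
    // can read responses made with the victim's cookies.
    return allowCreds ? "reflected-origin-with-credentials" : "reflected-origin";
  }
  return null; // a fixed allow-list entry that is not the probing origin
}

// Constructed sample responses for the cases above.
const CORS_SAMPLES = {
  reflectedWithCreds: {
    "access-control-allow-origin": "https://probe.example",
    "access-control-allow-credentials": "true",
  },
  wildcard: { "access-control-allow-origin": "*" },
  allowListed: { "access-control-allow-origin": "https://app.internal.example" },
  none: {},
};
```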
TRUFFLEHOG-LITE SECRETS CHECKS
Additionally, in the true spirit of Truffle Security, XSSHunter will now scan the HTML of the page it executes on for a small handful of secrets. This isn’t using our full secrets engine written in Go, and doesn’t include the secrets verification we introduced in V3; instead it comes with some very basic regexes looking for AWS, GCP and Slack keys. We expect this will improve over time, and we think it might actually be possible in the future to compile TruffleHog to JavaScript using a WebAssembly compiler.
TruffleHog-lite secrets detection
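As an added example (not the XSSHunter or TruffleHog code), here is what a TruffleHog-lite style pass over page HTML looks like: a few prefix-based regexes, no verification step, and findings masked before they are reported so the report itself does not become a second leak. The patterns are simplified illustrations of the well-known key prefixes, not TruffleHog's detectors.

```javascript
// Added example, not XSSHunter's or TruffleHog's code. Simplified patterns:
// AWS access key IDs start with AKIA/ASIA, Google API keys with AIza,
// Slack tokens with xox[abpr]-. No network verification is performed.
const SECRET_PATTERNS = [
  { type: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { type: "gcp-api-key",       re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { type: "slack-token",       re: /\bxox[abpr]-[0-9A-Za-z-]{10,}\b/g },
];

// Keep only the first and last four characters so the finding can be
// triaged without copying the full credential into the report.
function mask(secret) {
  return secret.slice(0, 4) + "*".repeat(Math.max(0, secret.length - 8)) + secret.slice(-4);
}

// Scan raw HTML (e.g. document.documentElement.outerHTML) and return
// masked findings with their byte offset for locating them in the page.
function scanHtmlForSecrets(html) {
  const findings = [];
  for (const { type, re } of SECRET_PATTERNS) {
    for (const m of html.matchAll(re)) {
      findings.push({ type, masked: mask(m[0]), offset: m.index });
    }
  }
  return findings;
}

// Constructed sample page. The AWS value is the placeholder key used in
// AWS documentation; the other two are made up to fit the patterns.
const SAMPLE_HTML = `<html><body>
<script>var cfg = {key: "AIzaSyA1234567890abcdefghijklmnopqrstuv"};</script>
<!-- AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE -->
<p>token: xoxb-123456789012-abcdefghijkl</p>
</body></html>`;
```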
SOURCE CODE LEAKED VIA .GIT DIRECTORY CHECKS
XSSHunter will also check whether the host in question has exposed its .git directory by making a lightweight request to /.git/config and reporting the contents of the file if it matches the expected format of a git config. If this directory is exposed, the source code is exposed.
.git directory exposed
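As an added example (not XSSHunter's code), this is the format check that step needs on the defending side: many servers answer any path with a 200 and an HTML page, so the body returned for /.git/config has to be parsed as an INI-style git config and must contain the [core] section git always writes before it is reported.

```javascript
// Added example, not XSSHunter's code. Parse a git config body into
// { section: { key: value } }; returns null as soon as a line is neither a
// section header nor a key/value, which rejects HTML and plain-text error pages.
function parseGitConfig(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const sec = line.match(/^\[([^\]\s]+)(?:\s+"([^"]*)")?\]$/);
    if (sec) {
      current = sec[2] !== undefined ? `${sec[1]} "${sec[2]}"` : sec[1];
      sections[current] = sections[current] || {};
      continue;
    }
    // `key = value`, or a bare `key` which git reads as boolean true.
    const kv = line.match(/^([A-Za-z][A-Za-z0-9-]*)(?:\s*=\s*(.*))?$/);
    if (!kv || current === null) return null;
    sections[current][kv[1].toLowerCase()] = kv[2] ?? "true";
  }
  return sections;
}

// True only when the body is a real git config: not markup, parses cleanly,
// and carries core.repositoryformatversion, which every repository has.
function looksLikeGitConfig(body) {
  if (/^\s*</.test(body)) return false; // soft-404 HTML page
  const cfg = parseGitConfig(body);
  return cfg !== null && cfg.core !== undefined && "repositoryformatversion" in cfg.core;
}

// Constructed sample bodies: a genuine config and two common false positives.
const SAMPLE_GIT_CONFIG = `[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://git.example.test/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
`;
const SAMPLE_SOFT_404 = "<!DOCTYPE html><html><body><h1>Page not found</h1></body></html>";
const SAMPLE_PLAIN_ERROR = "Not Found";
```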
We firmly believe that if these 3 vulnerabilities are present, they should be treated as 3 separate vulnerabilities, so if you’re submitting these findings to a bug bounty, feel free to refer them to this blog post for why each of the 3 vulnerabilities deserves its own consideration for reward.
PRIVACY ENHANCEMENTS
Lastly, on the data privacy side, one new privacy feature we will be implementing is the blurring of screenshots captured by the platform. This ensures that sensitive information on the pages where the XSS renders is protected.
Last year I co-presented a talk at Black Hat talking about 50,000 Google user records leaking out from an XSSHunter payload. This occurrence is not uncommon, so to address this, screenshots will now be blurred, and full DOM captures will no longer be supported.
Blurred screenshots
GOOGLE SSO
All logins to this new version of XSSHunter will be handled through Google SSO, and you will not be able to log in with your old account. This should improve account security and remove the possibility of password hashes being stolen.
Google SSO
Migrating from old XSSHunter
Fortunately, Mandatory has created a fairly straightforward way to keep all your old injected payloads alive. To do this you’ll need to take a user action, though, and at the time of writing many XSSHunter users still need to perform this action.
STEP 1: CREATE AN ACCOUNT ON TRUFFLE SECURITY’S XSSHUNTER
Navigate to https://xsshunter.trufflesecurity.com and log in with Google SSO. Then go to your settings page. Here you’ll find your XSSHunter path. This is akin to the old XSSHunter’s subdomains (i.e. something.xss.ht). You’ll probably want to set this to as short a string as you can. Please note that after you find a path you’re happy with that others haven’t already taken, you should not modify your path, as this will make all payloads sent under old paths no longer correlate to your account. Find a path you like (the shorter the better) and stick with it.
STEP 2: SET A REDIRECT ON OLD XSSHUNTER
Navigate to your settings in the old XSSHunter, and set a redirect path to the new XSSHunter. Your redirect URL should look like this: https://js.rip/<yourpath>
Settings page
Setting your redirect
And it’s as simple as that! Your old XSSHunter payloads will continue to work, with the new features, and Mandatory has generously agreed to leave the JavaScript redirect service running into the foreseeable future.
Conclusion
The new version is open source, and you can view our fork here: https://github.com/trufflesecurity/xsshunter
We are excited to bring this new and improved version of XSSHunter to the community, and we look forward to working with Mandatory to continue to make the internet a safer place for everyone.