Dylan Ayrey


January 30, 2023

Introducing: A New XSSHunter, Hosted by the Truffle Security Co.

Introducing: A New XSSHunter, Hosted by the Truffle Security Co.

Dylan Ayrey

January 30, 2023

We at Truffle Security are excited to announce that we have partnered with the creator of XSSHunter, Mandatory, to stand up a new version of the popular open-source blind cross-site scripting detection platform that comes with a number of privacy and feature enhancements.

Check it out here:

You will also be able to seamlessly migrate your old XSSHunter account onto the new XSSHunter, in a way that preserves all your existing payloads. Instructions on how to do this at the bottom of this post.

Enhancements of this new XSSHunter include the following:

  • CORS analysis

  • Detection of secrets on the page the payload fires

  • Detection of exposed .git directory

  • Privacy features that reduce the risk of accidental data breach

  • Google SSO login to prevent the use of passwords

As many of you know, XSSHunter has been a valuable tool for detecting and preventing cross-site scripting vulnerabilities. However, Mandatory has announced that he will no longer be running the platform:

We understand the importance of XSSHunter to the security community, and we are committed to continuing its legacy by creating a new version that incorporates new privacy features and looks for new types of vulnerabilities.


You may have read our recent blog post on CORS issues. XSS Hunter will now be able to detect when internal domains have CORS issues that allow external sites to view and exfil data from them.

Detecting CORS headers


Additionally, in the true spirit of Truffle Security, XSSHunter will now be going through the HTML of the page it executes on looking for a small handful of secrets. This isn’t using our full secrets engine written in go-lang, and doesn’t include secrets verification we introduced in V3 but instead just comes with some very basic regexes looking for AWS, GCP and Slack keys. We can expect this will improve over time, and we think it might actually be possible to in the future compile TruffleHog to Javascript using a webASM compiler.

TruffleHog-lite secrets detection


XSSHunter will also check to see of the host in question has exposed it’s .git directory by doing a lightweight call to /.git/config and reporting on the contents of the file if it matches expected formats of a git config. If this directory is exposed, that means the source code is exposed.

.git directory exposed

We firmly believe that if these 3 vulnerabilities are present, they should be treated as 3 separate vulnerabilities, so if you’re submitting these findings to a bug bounty, feel free to refer them to this blog post for why each of the 3 vulnerabilities deserve their own consideration for reward.


Lastly, on the data privacy side, new privacy features we will be implementing is the blurring of screenshots captured by the platform. This will ensure that sensitive information on the pages the XSS renders is protected.

Last year I co-presented a talk at Blackhat talking about 50,000 Google user records leaking out from an XSSHunter payload. This occurrence is not uncommon, so to address this, screenshots will now be blurred, and full DOM captures will no longer be supported.

Blurred screenshots


All logins to this new version of XSSHunter will be handled through Google SSO, and you will not be able to login with your old account. This should improve account security, and prevent the possibility of password hashes being stolen.

Google SSO

Migrating from old XSSHunter

Fortunately Mandatory has created a fairly straightforward way to keep all your old injected payloads alive. To do this you’ll need to take a user action though, and at the time of writing this, many XSSHunter users still need to perform this action.


Navigate to and login with Google SSO. Then go to your settings page. Here you’ll find your XSSHunter path. This is akin to the old XSSHunter’s subdomains (ie You’ll probably want to set this to as short of a string as you can. Please note that after you find a path you’re happy with, that others haven’t already taken, you should not modify your path, as this will make all payloads sent under old paths not correlate to your account anymore. Find a path you like (shorter the better) and stick with it.


Navigate to your settings in the old XSSHunter, and set a redirect path to the new XSSHunter. Your redirect URL should look like this:<yourpath>

Settings page

Setting your redirect

And it’s as simple as that! Your old XSSHunter payloads will continue to work, with the new features, and Mandatory has generously agreed to leave the Javascript redirect service running into the foreseeable future.


The new version is open source, and you can view our fork here:

We are excited to bring this new and improved version of XSSHunter to the community, and we look forward to working with Mandatory to continue to make the internet a safer place for everyone.