Truffle Security is proud to host a new XSSHunter

We at Truffle Security are excited to announce that we have partnered with the creator of XSSHunter, Mandatory, to stand up a new version of the popular open-source blind cross-site scripting detection platform that comes with a number of privacy and feature enhancements.

You will also be able to seamlessly migrate your old XSSHunter account onto the new XSSHunter, in a way that preserves all your existing payloads. Instructions on how to do this at the bottom of this post.

Enhancements of this new XSSHunter include the following:

  • CORS analysis
  • Detection of secrets on the page the payload fires
  • Detection of exposed .git directory
  • Privacy features that reduce the risk of accidental data breach
  • Google SSO login to prevent the use of passwords

As many of you know, XSSHunter has been a valuable tool for detecting and preventing cross-site scripting vulnerabilities. However, Mandatory has announced that he will no longer be running the platform:

We understand the importance of XSSHunter to the security community, and we are committed to continuing its legacy by creating a new version that incorporates new privacy features and looks for new types of vulnerabilities.

CORS checks

You may have read our recent blog post on CORS issues. XSS Hunter will now be able to detect when internal domains have CORS issues that allow external sites to view and exfil data from them.

Detecting CORS headers

TruffleHog-lite secrets checks

Additionally, in the true spirit of Truffle Security, XSSHunter will now be going through the HTML of the page it executes on looking for a small handful of secrets. This isn’t using our full secrets engine written in go-lang, and doesn’t include secrets verification we introduced in V3 but instead just comes with some very basic regexes looking for AWS, GCP and Slack keys. We can expect this will improve over time, and we think it might actually be possible to in the future compile TruffleHog to Javascript using a webASM compiler.

TruffleHog-lite secrets detection

Source code leaked via .git directory checks

XSSHunter will also check to see of the host in question has exposed it’s .git directory by doing a lightweight call to /.git/config and reporting on the contents of the file if it matches expected formats of a git config. If this directory is exposed, that means the source code is exposed.

.git directory exposed

We firmly believe that if these 3 vulnerabilities are present, they should be treated as 3 separate vulnerabilities, so if you’re submitting these findings to a bug bounty, feel free to refer them to this blog post for why each of the 3 vulnerabilities deserve their own consideration for reward.

Privacy enhancements

Lastly, on the data privacy side, new privacy features we will be implementing is the blurring of screenshots captured by the platform. This will ensure that sensitive information on the pages the XSS renders is protected.

Last year I co-presented a talk at Blackhat talking about 50,000 Google user records leaking out from an XSSHunter payload. This occurrence is not uncommon, so to address this, screenshots will now be blurred, and full DOM captures will no longer be supported.

Blurred screenshots

Google SSO

All logins to this new version of XSSHunter will be handled through Google SSO, and you will not be able to login with your old account. This should improve account security, and prevent the possibility of password hashes being stolen.

Google SSO

Migrating from old XSSHunter

Fortunately Mandatory has created a fairly straightforward way to keep all your old injected payloads alive. To do this you’ll need to take a user action though, and at the time of writing this, many XSSHunter users still need to perform this action.

Step 1: Create an account on Truffle Security’s XSSHunter

Navigate to and login with Google SSO. Then go to your settings page. Here you’ll find your XSSHunter path. This is akin to the old XSSHunter’s subdomains (ie You’ll probably want to set this to as short of a string as you can. Please note that after you find a path you’re happy with, that others haven’t already taken, you should not modify your path, as this will make all payloads sent under old paths not correlate to your account anymore. Find a path you like (shorter the better) and stick with it.

Step 2: Set a redirect on old XSSHunter

Navigate to your settings in the old XSSHunter, and set a redirect path to the new XSSHunter. Your redirect URL should look like this:<yourpath>

Settings page

Setting your redirect

And it’s as simple as that! Your old XSSHunter payloads will continue to work, with the new features, and Mandatory has generously agreed to leave the Javascript redirect service running into the foreseeable future.


The new version is open source, and you can view our fork here:

We are excited to bring this new and improved version of XSSHunter to the community, and we look forward to working with Mandatory to continue to make the internet a safer place for everyone.

Recent Posts


Secure Credential Storage in 2023


Truffle Security is proud to host a new XSSHunter


Protecting Cloud SQL Data with cloudsql-exporter

Take control of your secrets with TruffleHog. Contact us to get started on a free 7-day trial.

© 2022 Truffle Security. All Rights Reserved.