Hi guys, in this blog we will cover 4 different ways of setting up XSS Hunter for finding blind XSS vulnerabilities.
As we all know, the official xsshunter was recently deprecated: it has discontinued its service and we can no longer use it.
So, what now? Let's learn about its alternatives.
Method 1 - XSS Hunter by Truffle Security
Just after the xsshunter creator tweeted about discontinuing xsshunter, Truffle Security came into the game by relaunching a new version of it in collaboration with its actual creator. So, we can use that as an alternative to xsshunter. The new version can be accessed at https://xsshunter.trufflesecurity.com/app/#/
It also offers some more features and privacy compared to the original version. But recently they tweeted some stats, which they deleted soon after people started blaming them for accessing users' data.
There are claims that they have access to the data and that they will also come to know whenever any blind XSS executes, which means it's not safe to use their xsshunter. It may be a false claim, as they have also said that the stats are anonymous, so it's totally your choice whether to use it or go with other alternatives.
You can read about all the features they offer on their blog: https://trufflesecurity.com/blog/xsshunter/
Their setup instructions are easy: log in via Google SSO and start using it, so let's not waste our time reading about that.
Method 2 - Using bxsshunter and other alternatives
To date, there has not been any bad news about bxsshunter and xss.report, so you can also give them a shot. The most popular ones are:
https://bxsshunter.com/
https://xss.report/
The installation and usage are very easy: just sign up and you are good to go for finding blind XSS.
Method 3 - Setup your own version of xsshunter
Why do we need to set up our own version when we have options like bxsshunter and all other alternatives?
The first reason is that bug bounty programs have recently started changing their policies, which now say that you can't use any third-party service for finding blind XSS. If you do, you won't be eligible for the reward, because using a third party carries the risk of leaking vulnerability details before the company fixes the issue.
Secondly, there are privacy issues too; check out the tweet below for a clear insight on this.
How to set up -
Go to https://github.com/mandatoryprogrammer/xsshunter-express and follow the instructions written in this GitHub repo.
Secondly, you can set up this version too. https://github.com/ssl/ezXSS
There are many more like these; it's totally your choice which one you want to deploy.
Method 4 - Setup xless via vercel
I personally feel this one would be better than using any other xsshunter alternative, as it removes the privacy issue. If you don’t have a budget or money for deploying xsshunter on your own server, I suggest going through with this.
How to set up -
Go to the repo below and follow the instructions as written.
https://github.com/mazen160/xless
Also, you can ask ChatGPT for the installation process if you face any difficulty with this particular version.
Everyone has different needs and different mindsets, so decide for yourself which one you want to use and why. That's it for today's blog.
Follow me on Twitter: https://twitter.com/Dheerajydv19