Netflix releases reflected XSS audit tool for biz

Sleepy Puppy latest in Open Source security love

Netflix has continued its contribution to the open source security community with the release of a tool to better help developers and admins identify cross-site scripting.

The Sleeping Puppy tool joins Netflix's released security tools including Fully Integrated Defense Operation automated incidence response platform, the Dirty Laundry blabbing staff monitor, and the trio of Scumblr, Sketchy, and Workflowable hack monitors.

Netflix boffins Scott Behrens (@helloarbit) and Patrick Kelley (@monkeysecurity) launched Sleepy Puppy with payloads that admins can unleash to track cross-site scripting (XSS) vulnerabilities in their web apps.

"Often when testing for client side injections (like HTML and JavaScript) security engineers are looking for where the injection occurs within the application they are testing," the pair say.

"While this provides ample coverage for the application in scope, there is a possibility that the code engineers are injecting may be reflected back in a completely separate application.

"Sleepy Puppy helps facilitate inter-application XSS testing by providing JavaScript payloads that callback to the Sleepy Puppy application. This allows tracking when/where a payload fires even if the execution is triggered by a different user, occurs in a different application, or happens long after the initial test was performed."

Sleepy Puppy flow

Sleepy Puppy flow

The pair give a shoutout to existing open source tools like BEef, PortSwigger BurpSuite Collaborator, and XSS.IO and say Sleepy Puppy is different in that it serves as a comprehensive XSS testing framework that simplifies XSS propagation and identification.

Admins will view Sleepy Puppy data including payload firing, URLs, referrers, cookies, user agents, Document Object Models, and screenshots.

The platform works with Docker, and is highly configurable allowing users to implement their own payloads and monitoring tools, the latter dubbed 'puppy scripts'.

It can also be plugged into Burp suite or Zap using the API.

Behrens and Kelly welcome code contributions from the community. Netflix's full GitHub repo is here. ®




Biting the hand that feeds IT © 1998–2018