Netflix releases reflected XSS audit tool for biz
Sleepy Puppy latest in Open Source security love
Netflix has continued its contribution to the open source security community with the release of a tool to better help developers and admins identify cross-site scripting.
The Sleeping Puppy tool joins Netflix's released security tools including Fully Integrated Defense Operation automated incidence response platform, the Dirty Laundry blabbing staff monitor, and the trio of Scumblr, Sketchy, and Workflowable hack monitors.
Netflix boffins Scott Behrens (@helloarbit) and Patrick Kelley (@monkeysecurity) launched Sleepy Puppy with payloads that admins can unleash to track cross-site scripting (XSS) vulnerabilities in their web apps.
"While this provides ample coverage for the application in scope, there is a possibility that the code engineers are injecting may be reflected back in a completely separate application.
The pair give a shoutout to existing open source tools like BEef, PortSwigger BurpSuite Collaborator, and XSS.IO and say Sleepy Puppy is different in that it serves as a comprehensive XSS testing framework that simplifies XSS propagation and identification.
Admins will view Sleepy Puppy data including payload firing, URLs, referrers, cookies, user agents, Document Object Models, and screenshots.
The platform works with Docker, and is highly configurable allowing users to implement their own payloads and monitoring tools, the latter dubbed 'puppy scripts'.
It can also be plugged into Burp suite or Zap using the API.
Behrens and Kelly welcome code contributions from the community. Netflix's full GitHub repo is here. ®