Netflix Sleepy Puppy XSS flaw detection tool goes open source

The tool aims to make XSS vulnerability detection easier and more efficient through secondary application tests.
Written by Charlie Osborne, Contributing Writer
Netflix has released 'Sleepy Puppy,' XSS flaw detection software, to the open-source community for further development.

Cross-site scripting is a web application vulnerability that allows attackers to execute arbitrary script client-side in a victim's browser, which can lead to browser session hijacking or the theft of sensitive data. XSS covers a wide range of attack techniques and coding mistakes that can compromise a web page, and while a number of tools exist to mitigate the problem, XSS vulnerabilities remain a persistent problem for webmasters to cope with.

On Monday, Netflix team members Scott Behrens and Patrick Kelley revealed the open source release of the firm's cross-site scripting (XSS) payload management framework. Dubbed Sleepy Puppy, the tool, Netflix says, goes beyond testing only the main application for XSS flaws and also covers secondary applications, which may provide the conduit through which an XSS flaw is actually exploited.

In other words, Sleepy Puppy watches for XSS payloads that are injected into a primary application without triggering an alert there, and only later reach a secondary application and execute. The Netflix team calls this "delayed" XSS testing.

Sleepy Puppy is designed to simplify the process of capturing, managing, and tracking XSS propagation over periods of time and testing sessions. The configurable tool leverages an assessment model to categorize XSS strings and injections and allows users to subscribe to email notifications when delayed cross-site scripting events are triggered.

Sleepy Puppy comes with a number of payloads, as well as an API for users who wish to develop plugins to support scanners such as Burp or Zap.

The default "PuppyScript," a Java-based script which collects information on an executed payload, captures metadata including the URL, DOM, user-agent, cookies, referer header, and a screenshot of the application where a payload executed. The team explained:

"As payloads propagate throughout a network, the tester can trace what applications the payload has executed in.
For more advanced use cases, security engineers can chain PuppyScripts together and even leverage the generic collector model to capture arbitrary data from any input source."
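The tracking model described above (payloads registered per assessment, callbacks attributed back to the payload that fired, and a "delayed" flag when execution happens somewhere other than the injection point) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Sleepy Puppy; the class names, the inert `[[xss-tracker:...]]` marker standing in for a real payload, and the sample callback data are all constructed for the example. It is written in Python because that is the language the tool itself uses.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Payload:
    token: str            # unique marker embedded in the payload text
    assessment: str       # test campaign the payload belongs to
    injected_url: str     # primary application where the tester placed it
    text: str             # the string actually typed into the input field


@dataclass
class Capture:
    """Metadata reported back when a payload executes (URL, referer, UA, DOM)."""
    token: str
    url: str              # page where the payload executed
    referer: str
    user_agent: str
    dom_excerpt: str
    captured_at: datetime


class PayloadTracker:
    """Bookkeeping for delayed XSS tracking (hypothetical, not the tool's API)."""

    def __init__(self) -> None:
        self.payloads: Dict[str, Payload] = {}
        self.captures: List[Capture] = []

    def register(self, assessment: str, injected_url: str,
                 token: Optional[str] = None) -> Payload:
        token = token or uuid.uuid4().hex[:12]
        # Inert marker; a real payload would be a script loader keyed by the token.
        payload = Payload(token, assessment, injected_url, f"[[xss-tracker:{token}]]")
        self.payloads[token] = payload
        return payload

    def record(self, token: str, url: str, referer: str, user_agent: str,
               dom_excerpt: str, captured_at: Optional[datetime] = None) -> Optional[Capture]:
        if token not in self.payloads:
            return None  # unknown token: not one of ours, ignore it
        cap = Capture(token, url, referer, user_agent, dom_excerpt[:200],
                      captured_at or datetime.now(timezone.utc))
        self.captures.append(cap)
        return cap

    @staticmethod
    def _host(url: str) -> str:
        return urlparse(url).netloc.lower()

    def is_delayed(self, cap: Capture) -> bool:
        # Delayed XSS: executed on a different host than the one it was injected into.
        return self._host(cap.url) != self._host(self.payloads[cap.token].injected_url)

    def propagation(self, assessment: str) -> Dict[str, List[str]]:
        """Map each payload token to the ordered list of hosts it executed in."""
        result: Dict[str, List[str]] = {}
        for cap in self.captures:
            if self.payloads[cap.token].assessment != assessment:
                continue
            hosts = result.setdefault(cap.token, [])
            host = self._host(cap.url)
            if host not in hosts:
                hosts.append(host)
        return result

    def delayed_events(self, assessment: str) -> List[Capture]:
        """Captures that would warrant a notification to subscribers."""
        return [c for c in self.captures
                if self.payloads[c.token].assessment == assessment and self.is_delayed(c)]


def demo() -> PayloadTracker:
    """Constructed scenario: one payload, one same-host callback, one delayed callback."""
    t = PayloadTracker()
    p = t.register("Q3-customer-portal", "https://forms.example.test/feedback", token="demo0001")
    t.record(p.token, "https://forms.example.test/feedback/thanks",
             "https://forms.example.test/feedback", "Mozilla/5.0 (tester)",
             '<div class="msg">[[xss-tracker:demo0001]]</div>')
    t.record(p.token, "https://admin-reports.example.test/tickets/42",
             "https://admin-reports.example.test/queue", "Mozilla/5.0 (support-desk)",
             "<td>[[xss-tracker:demo0001]]</td>")
    t.record("deadbeef", "https://unknown.example.test/", "", "", "")  # ignored
    return t


if __name__ == "__main__":
    tracker = demo()
    print(tracker.propagation("Q3-customer-portal"))
    for cap in tracker.delayed_events("Q3-customer-portal"):
        print("delayed execution:", cap.url, "via", cap.user_agent)
```

The point of the token is attribution: a callback with a token the tracker never issued is dropped, and every accepted callback is tied to the assessment and injection point it came from, so the second callback in the scenario is reported as a delayed execution on the support desk host rather than as an unexplained event.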

The XSS flaw detection tool also builds on Python 2.7 with Flask, SQLAlchemy with a configurable storage backend, the Ace JavaScript editor and the Html2Canvas JavaScript library for screenshot capture, with optional use of AWS Simple Email Service (SES) for email notifications.

"Sleepy Puppy is helping the Netflix security team identify XSS propagation through a number of systems even when those systems aren't assessed directly. We hope that the open source community can find new and interesting uses for Sleepy Puppy, and use it to simplify their XSS testing and improve remediation times," the team says.

Sleepy Puppy, available from the Netflix Open Source website, comes with built-in payloads, PuppyScripts and a default assessment scheme.

Last month, the Core Infrastructure Initiative asked for input from the open-source community concerning what standards should be in place to measure the security, quality and stability of open-source software.
