Open source Sleepy Puppy tool finds XSS bugs in target apps and beyond

Since Monday, security pros can add another XSS-finding tool to their arsenal, as Netflix has open sourced their cross-site scripting payload management framework dubbed “Sleepy Puppy.”

Sleepy Puppy is meant to address the biggest problem with identifying omnipresent XSS issues: finding them not only on targeted applications, but also on others that are not available to the tester, but whose presence ultimately also endangers users.

“Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.),” Netflix security experts Scott Behrens and and Patrick Kelley explained.

Sleepy Puppy performs so-called delayed XSS testing, and it’s not the only existing app that does that.

“However, we wanted a more comprehensive XSS testing framework to simplify XSS propagation and identification and allow us to work with developers to remediate issues faster,” the researchers shared their motive for creating the tool.

Sleepy Puppy can send email notifications to security engineers when it finds the issues, and logs and documents its findings (click on the screenshot to enlarge it):

But what users will find most helpful is the fact that this testing framework can be configured to suit their needs. For example, they can create their own payloads and information collection scripts (initially the tool comes with several preconfigured payloads and scripts).

Sleepy Puppy can be found on GitHub.

The Netflix security team has for a while now been open sourcing security tools of their making.

Don't miss