A group of Engineers from Netflix has developed an app which is open sourced and can scan or audit for XSS vulnerabilities that spread to secondary apps. This open sourced application is known as ‘Sleepy Puppy’.
Sleeping puppy is an addition in the massive list of security tools released by Netflix, including Dirty Laundry, IDO (Integrated Defense Operation platform), Sketchy, Scumblr, and many others. The Sleeping puppy is aiding the security team of Netflix in identifying XSS vulnerabilities through various systems even when those systems are not linked directly.
Patrick Kelly and Scott Behrens, engineers from Netflix exposed the open source release of the Netflix’s XSS system. The firm says the application goes away from testing main apps for cross-site scripting vulnerabilities and also includes scans for secondary apps which may deliver the conduit for cross-site scripting vulnerabilities.
Or you can say, the application is developed to simplify the process of managing, tracking, and capturing XSS vulnerability over testing sessions and periods of time. The configurable application forces a scan to categorize cross-scripting injections and strings and enables users to subscribe to newsletters when delayed XSS events are triggered.
Behrens, app engineer at Netflix said, “We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible. We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications.”
“Sleepy Puppy provides context-rich data on where and how cross-site scripting vulnerabilities propagate through various applications. As an example, a field in an application like ‘first name’ may be stored in a database and reflected back in many applications (eCommerce application, customer service portal, backend reporting application), by injecting a Sleepy Puppy payload into that field, it may be possible for the security engineer to identify XSS vulnerabilities in applications that aren’t publicly accessible when that information is retrieved from the database.”
Daniel Miessler from HP, wrote an article in July when Miessler saw a demonstration of the application that praised the idea of a trackable XSS vulnerability, and app’s ability to trigger and persist alerts when cross-site vulnerabilities occur in secondary apps after some time, for example.
Miessler said, “It’s a phenomenal concept. That’s huge, especially when you could be getting detonation events days, weeks, or months after the attack was sent. It’s a really cool feature that should take front and center in the explanation of the tool.”
On the other hand Behrens said, “Testing for cross-site scripting can be challenging as it requires developers to map all the input and output of their application. In a web application, any location where input, either from the user or another data store, is reflected back to a user, there is the potential for cross-site scripting. To test certain fields and parameters a web application proxy is needed, which requires a deeper understanding of how and what to test.”
If the vulnerability may need some time to execute and propagate, the app also supports notifications via emails.
The source code for the application (Sleeping Puppy) is obtainable on GitHub, including a setup guide.