Sleepy Puppy

Sleepy Puppy is a cross-site scripting payload management framework that provides delayed XSS testing, a riff on stored XSS testing.This XSS vulnerability scanning tool persists beyond the target app and can flag potential XSS trouble in secondary applications,unlike most of the existing scanners. It was initially developed by Netflix,and now made opensource. Developers claims it fills a gap for security engineers doing application assessments.

XSS(Cross Site Scripting)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scriptingvulnerability may be used by attackers to bypass access controls such as the same-origin policy. There are many commercial as well as open source tools to scan applications for XSS vulnerability. Sleepy Puppy is a new addition to the list,featuring some advanced options.

Advanced Features Of Sleepy Puppy

According to the developers Sleepy Puppy provide coverage on applications that come from different origins or may not be publicly accessible. It also helps to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications. Using Sleepy Puppy a cross-site scripting payload can be injected into one application that may not trigger a XSS alert in the target app, but that payload is stored in a database and reflected to a second application that is not immediately accessible, yet can fire off an email alert once the payload is triggered elsewhere. It also provides context rich data on where and how cross-site scripting vulnerabilities propagate through various applications. Developers also added that Sleepy Puppy provides a persistence mechanism, also known as a callback, to help identify secondary applications where XSS vulnerabilities may exist.

SleepyPuppy Is available at Netflix's GitHub Repository  


XSS is still a challenge despite being one of the most common web application vulnerabilities for more than a decade. XSS can be prevented by adopting preventive methods like contextual output encoding/escaping of string input,cookie security,proper Content Security Policy,disabling scripts etc.

Post a Comment