Netflix Open Sources Sleepy Puppy XSS Hunter
msm1267 writes: Netflix has released a tool it calls Sleepy Puppy. The tool injects cross-site scripting payloads into a target app that may not be vulnerable; the payloads could be stored in a database, and the tool tracks a payload if it's reflected to a secondary application that makes use of the data in the same field. "We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible," said co-developer Scott Behrens, a senior application security engineer at Netflix. "We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications." Sleepy Puppy is available on Netflix's GitHub repository and is one of a slew of security tools its engineers have released to open source.
More like Snoopy Puppy, amirite?
Er, no. The summary is, as usual on /., largely unrelated to the actual article.
It is apparently (the article is a little fuzzy, too) a tool for people designing web sites to track cross-site scripting, to look for vulnerabilities. This is a good thing. I think.
Netflix has released a tool it calls Sleepy Puppy.
Whatever happened to names that were at least tangentially related to the function of the software?
systemd is Roko's Basilisk.
Link to the actual repo:
https://github.com/Netflix/sle...
I wish they would bring back the API to access their catalog data.
Dark Reflection
The program injects an "alert" message into a bunch of DB entries just to see if they are being used later by other websites.
Fixed that for you.