Security experts can now debug broad-ranging XSS bugs

Sep 3, 2015 10:05 GMT

Netflix engineers have released an open-source application that can scan for XSS vulnerabilities that propagate into secondary applications.

Open-source security auditing tools are scarce and usually light on features. Most offer only the basics, and in the case of XSS detectors, even enterprise-level solutions scan only the local target application.

Netflix's Sleepy Puppy XSS testing toolkit comes with a twist. Besides checking local applications for cross-site scripting problems, this freely available toolkit can also check how XSS flaws are reflected into second-level applications that consume data from the parent application.

This applies to API-based services and to internal (or, in some cases, third-party developed) applications that are allowed to use shared databases.

Engineers can track XSS propagation inside their systems

As Netflix engineers explain, "Sleepy Puppy helps facilitate inter-application XSS testing by providing JavaScript payloads that callback to the Sleepy Puppy application."

This simplifies tracking where and when an XSS payload executes, letting developers know whether an XSS flaw propagates into client applications or stays local or internal.

The XSS test scripts, called PuppyScripts, let a developer track in-depth details such as the URL where the XSS payload executed, the page's DOM content with the payload highlighted, the browser's User-Agent string, local cookies, Referer header information, and even a screenshot of the application where the payload executed.
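To make the propagation-tracking idea concrete, here is an added example of the collector side of such a tool. It is not Sleepy Puppy's own code: the class names (`PuppyTracker`, `CallbackRecord`), the callback parameter names (`id`, `url`, `ua`, `ref`, `dom`) and the sample hostnames are assumptions constructed for illustration. The tracker records which application each tagged test payload was planted in, ingests the callback beacons as they arrive, and reports whether a payload fired only locally or reached a second-level application. It also shows one check a practitioner wants in this kind of tool: every captured field (DOM excerpt, User-Agent, referrer) is attacker-influenced, so it is HTML-escaped before being rendered in the report, otherwise the tracker itself becomes an XSS sink.

```python
"""Added example, not Sleepy Puppy's own code: a minimal server-side collector
that records where a tagged XSS test payload fired and whether it propagated
beyond the application it was planted in. All names and parameter formats here
are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from html import escape
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class CallbackRecord:
    payload_id: str
    fired_url: str
    user_agent: str
    referrer: str
    fired_at: datetime
    dom_excerpt: str


@dataclass
class PuppyTracker:
    # payload_id -> hostname of the application the payload was planted in
    planted_in: Dict[str, str] = field(default_factory=dict)
    callbacks: List[CallbackRecord] = field(default_factory=list)

    def plant(self, payload_id: str, origin_host: str) -> None:
        """Register a test payload and the application it was injected into."""
        self.planted_in[payload_id] = origin_host

    def handle_callback(self, query_string: str,
                        now: Optional[datetime] = None) -> CallbackRecord:
        """Parse one callback beacon (constructed format: id, url, ua, ref, dom
        as URL-encoded query parameters) and store it. Unknown ids are
        rejected so stray traffic cannot pollute the report."""
        params = parse_qs(query_string, keep_blank_values=True)

        def first(key: str) -> str:
            return params.get(key, [""])[0]

        payload_id = first("id")
        if payload_id not in self.planted_in:
            raise ValueError(f"unknown payload id {payload_id!r}")
        rec = CallbackRecord(
            payload_id=payload_id,
            fired_url=first("url"),
            user_agent=first("ua"),
            referrer=first("ref"),
            fired_at=now or datetime.now(timezone.utc),
            dom_excerpt=first("dom")[:200],  # cap stored DOM to bound storage
        )
        self.callbacks.append(rec)
        return rec

    def propagation(self, payload_id: str) -> dict:
        """Summarise where a payload fired: locally, in other hosts, or both."""
        origin = self.planted_in[payload_id]
        hosts = {urlsplit(r.fired_url).hostname
                 for r in self.callbacks if r.payload_id == payload_id}
        hosts.discard(None)
        return {
            "origin": origin,
            "fired_locally": origin in hosts,
            "propagated_to": sorted(h for h in hosts if h != origin),
        }

    def render_report_row(self, rec: CallbackRecord) -> str:
        """Escape every attacker-influenced field before it reaches the report
        UI; a tracker that renders captured DOM raw is itself XSS-able."""
        cells = (rec.payload_id, rec.fired_url, rec.user_agent,
                 rec.referrer, rec.dom_excerpt)
        return "<tr>" + "".join(f"<td>{escape(c)}</td>" for c in cells) + "</tr>"


def demo() -> dict:
    """Constructed scenario: payload p1 planted in app.example.test fires there
    and again in a reporting application that consumes the same data."""
    t = PuppyTracker()
    t.plant("p1", "app.example.test")
    t.handle_callback("id=p1&url=https%3A%2F%2Fapp.example.test%2Fprofile"
                      "&ua=TestUA&ref=&dom=hello")
    t.handle_callback("id=p1&url=https%3A%2F%2Freports.example.test%2Fview"
                      "&ua=TestUA&ref=https%3A%2F%2Fapp.example.test%2F"
                      "&dom=%3Cscript%3Ex%3C%2Fscript%3E")
    return t.propagation("p1")


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the propagation summary for the constructed scenario; in a real deployment the `handle_callback` input would come from the HTTP request the PuppyScript beacon sends, and the report rows would be served from the tracker's UI.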

Because a payload may take some time to propagate and execute, Sleepy Puppy also supports email notifications.

The Sleepy Puppy toolkit's source code is available on GitHub, along with a setup guide.

If you need help understanding what XSS (cross-site scripting) attacks are and how they work, there's an infographic that may help.