Most automated scanning and security tools that ferret out cross-site scripting vulnerabilities don’t do much analysis beyond the target application. Netflix this week, however, released to open source a tool developed in-house that persists beyond the target app and can flag potential XSS trouble in secondary applications.
The tool, called Sleepy Puppy, is available on Netflix’s GitHub repository, and for starters, says one of its developers, Scott Behrens, it fills a gap for security engineers doing application assessments.
“We were looking for a way to provide coverage on applications that come from different origins or may not be publicly accessible,” said Behrens, a senior application security engineer at Netflix. “We also wanted to observe where stored data gets reflected back, and how data that may be stored publicly could also be reflected in a large number of internal applications.”
Behrens and co-developer Patrick Kelley describe Sleepy Puppy as a cross-site scripting payload management framework that provides delayed XSS testing, a riff on stored XSS testing. For example, a cross-site scripting payload injected into one application may not trigger an XSS alert in the target app, but the payload is stored in a database and later reflected by a second application that is not immediately accessible; when the payload fires there, the framework can send an email alert.
“Sleepy Puppy provides context rich data on where and how cross-site scripting vulnerabilities propagate through various applications,” Behrens said, adding that Sleepy Puppy provides a persistence mechanism, also known as a callback, to help identify secondary applications where XSS vulnerabilities may exist.
“As an example, a field in an application like ‘first name’ may be stored in a database and reflected back in many applications (eCommerce application, customer service portal, backend reporting application),” Behrens said. “By injecting a Sleepy Puppy payload into that field, it may be possible for the security engineer to identify XSS vulnerabilities in applications that aren’t publicly accessible when that information is retrieved from the database.”
Sleepy Puppy has a fan in Daniel Miessler, whose day job is as a Practice Principal at HP’s security organization. He’s also a leader of the OWASP Bay Area Group and a team member of the Seclists Project. Miessler wrote a blog post in July when he saw a demo of Sleepy Puppy that praised the concept of a trackable XSS payload, and Sleepy Puppy’s ability to persist and trigger alerts when XSS vulnerabilities happen in secondary applications months later, for example.
“It’s a phenomenal concept,” Miessler said, adding in his post that Netflix should also concentrate on growing the tool’s attribution mechanism that tracks who detonated a payload and under what context. “That’s huge, especially when you could be getting detonation events days, weeks, or months after the attack was sent. It’s a really cool feature that should take front and center in the explanation of the tool.”
Cross-site scripting vulnerabilities are dangerous Web application flaws that can compromise a victim’s client, in this case the browser, and allow an attacker to run code, perform malicious actions, steal cookies or exploit other issues in the browser. And despite being atop every list of common web application vulnerabilities for more than a decade, XSS is still a challenge.
“Testing for cross-site scripting can be challenging as it requires developers to map all the input and output of their application,” Behrens said. “In a web application, any location where input, either from the user or another data store, is reflected back to a user, there is the potential for cross-site scripting. To test certain fields and parameters a web application proxy is needed, which requires a deeper understanding of how and what to test.”
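The mapping Behrens describes, one stored "first name" column read back by several applications, reduced to a runnable illustration. This is an added example, not code from the article or from Sleepy Puppy: the application names, renderer functions and the stored record are all constructed for the demonstration. Three renderers encode the value for the context it lands in (HTML text, a quoted attribute, an inline script), one is left as the unescaped "before" case, and a small audit reports which reflection points let stored markup through.

```python
import html
import json

# Constructed sample record: a stored "first name" that several applications read back.
# The value carries markup and quotes only so that each rendering context has something to encode.
PROFILE_DB = {"user-42": {"first_name": 'O\'Brien <b>"Pat"</b>'}}


def render_unsafe(first_name: str) -> str:
    """The 'before' case: raw interpolation. Whatever was stored lands in the page as markup."""
    return f"<p>Welcome back, {first_name}</p>"


def render_html_body(first_name: str) -> str:
    """HTML text context: html.escape turns < > & (and, with the default quote=True, quotes)
    into entities, so stored markup is displayed as text rather than parsed."""
    return f"<p>Welcome back, {html.escape(first_name)}</p>"


def render_html_attribute(first_name: str) -> str:
    """Double-quoted attribute context: quote=True is what keeps a stored quote from ending the value."""
    return f'<input name="first_name" value="{html.escape(first_name, quote=True)}">'


def render_js_string(first_name: str) -> str:
    """Inline-script context: emit a JSON string literal and additionally encode & < > as \\uXXXX
    escapes, so the stored value can never contain a literal </script> inside the block."""
    literal = (
        json.dumps(first_name)
        .replace("&", "\\u0026")
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
    )
    return f"<script>var firstName = {literal};</script>"


# Each "application" is just a renderer here; in a real estate these are separate services
# (storefront, support portal, reporting) that all read the same column. Names are hypothetical.
APPLICATIONS = {
    "storefront": render_html_body,
    "support-portal": render_html_attribute,
    "reporting-dashboard": render_js_string,
    "legacy-admin": render_unsafe,
}


def audit_reflections(user_id: str, apps=APPLICATIONS) -> dict:
    """Map where the stored field is reflected and whether stored markup survives un-encoded.

    Returns app name -> True when the raw '<b>' from the stored value is still present in the
    rendered output, i.e. an unescaped reflection point. The substring check is a deliberate
    simplification: the hardened renderers above never let a raw '<' from the value through.
    """
    stored = PROFILE_DB[user_id]["first_name"]
    findings = {}
    for name, render in apps.items():
        findings[name] = "<b>" in render(stored)
    return findings


if __name__ == "__main__":
    for app, unescaped in audit_reflections("user-42").items():
        print(f"{app:20s} {'UNESCAPED' if unescaped else 'encoded'}")
```

Run stand-alone, the audit flags only the legacy renderer. The point of the script-context renderer is the one most often missed: escaping for HTML is not enough once the value is written into JavaScript, so the encoding has to be chosen per output location, which is exactly the input/output map Behrens says developers struggle to build.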
Sleepy Puppy is just the latest Netflix tool to be released as open source. Last year, a number of tools were released, including Scumblr and Sketchy, search tools that comb social media and forums for hints of attacks, and Security Monkey, a tool used to monitor and analyze the security of Amazon Web Services configurations.