Sleepy Puppy is an XSS payload management framework that lets security engineers capture, manage, and track XSS propagation over long periods of time and across numerous assessments.
We will use the following terminology throughout the rest of the discussion:
- Assessments describe specific testing sessions and allow the user to optionally receive email notifications when XSS issues are identified for those assessments.
- Payloads are XSS strings to be executed and can include the full range of XSS injection.
- Captures are the screenshots and metadata collected by the default PuppyScript.
- Generic Collector is an endpoint that allows you to optionally log additional data outside the scope of a traditional capture.
Sleepy Puppy is highly configurable, and you can create your own payloads and PuppyScripts as needed.
Security engineers can leverage the Sleepy Puppy assessment model to categorize payloads and subscribe to email notifications when delayed cross-site scripting events are triggered.
Testing is straightforward as Sleepy Puppy ships with a number of payloads, PuppyScripts, and an assessment. To provide a better sense of how Sleepy Puppy works in action, let’s take a look at an assessment we created for the XSS Challenge web application, a sample application that allows users to practice XSS testing.
To test the XSS Challenge web app, we created an assessment named ‘XSS Game’, which is highlighted above. When you click and highlight an assessment, you can see the payloads associated with it. Each payload is automatically assigned a unique identifier so you can correlate which payloads within your assessment have executed. Throughout the course of testing, counts of captures, collections, and access log requests are shown per payload to quickly identify which ones are executing.
Simply copy any payload and inject it into the web application you are testing. Injecting Sleepy Puppy payloads into stored objects that may later be rendered by other applications is highly recommended, since that is how delayed XSS in downstream applications gets discovered.
The default PuppyScript configured for payloads captures useful metadata: the URL, the DOM with the payload highlighted, the user-agent, cookies (those readable from script; HttpOnly cookies are not exposed), the Referer header, and a screenshot of the application where the payload executed. This gives the tester enough information to identify the impacted application and mitigate the vulnerability quickly. As payloads propagate throughout a network, the tester can trace which applications the payload has executed in. For more advanced use cases, security engineers can chain PuppyScripts together and even leverage the generic collector model to capture arbitrary data from any input source.
After the payload executes, the tester receives an email notification (if configured) and is presented with actionable data associated with the payload execution.
Sleepy Puppy makes use of the following components:
- Python 2.7 with Flask (including a number of helper packages)
- SQLAlchemy with configurable backend storage
- Optional use of AWS Simple Email Service (SES) for email notifications and S3 for screenshot storage
We’re shipping Sleepy Puppy with built-in payloads, PuppyScripts and a default assessment.