Netflix wants to put cross-site scripting (XSS) to sleep with the introduction of its latest open-source framework: Sleepy Puppy. Sleepy Puppy is an XSS payload-management framework designed to help security engineers capture, manage and track XSS propagation.
“We wanted a more comprehensive XSS testing framework to simplify XSS propagation and identification, and allow us to work with developers to remediate issues faster,” wrote Scott Behrens, ambassador of app security, and Patrick Kelley, cloud security engineer at Netflix, in a blog post. “We hope that the open-source community can find new and interesting uses for Sleepy Puppy, and use it to simplify their XSS testing and improve remediation times.”
Sleepy Puppy provides JavaScript payloads to enable inter-application XSS testing, and it tracks when and where a payload fires from another user or another app. According to Netflix, security engineers can create their own payloads as needed, leverage the solution’s assessment model to categorize payloads, and develop plug-ins for scanners.
In addition, Sleepy Puppy includes PuppyScripts to track and collect payload information, and it uses captures and collectors to view data from the PuppyScripts.
Sleepy Puppy is available on GitHub.