Netflix releases Sleepy Puppy anti-XSS tool

Helps devs tackle common yet dangerous security problem.

Video streaming giant Netflix has open-sourced its customisable Sleepy Puppy anti-cross site scripting tool to help developers secure their web applications against the vulnerability.

Sleepy Puppy. Source: Netflix.

Cross-site scripting (XSS) is a common security problem for website developers. It allows attackers to run potentially damaging scripts in visitors' web browsers, and has featured in the Open Web Application Security Project (OWASP) top ten list of vulnerabilities for more than a decade.

Netflix engineers Scott Behrens and Patrick Kelley said that while there were existing tools to ferret out XSS holes in web apps, the company wanted a more comprehensive security framework to simplify cross-site scripting propagation and identification, so as to allow developers to fix issues faster.

Netflix Sleepy Puppy testing workflow diagram.

The anti-XSS tool lets testers create payloads and PuppyScripts to collect data on when payloads are executed, along with screenshots and metadata on events.

Sleepy Puppy was released as open source on GitHub. It requires Python 2.7 with Flask and helper packages, SQLAlchemy with configurable backend storage, the Ace JavaScript editor, and the html2canvas JavaScript library for screenshots, which can be stored in Amazon S3 cloud storage.

Notifications can be set up via the Amazon Web Services Simple Email Service (SES).

Netflix, a large developer and user of open source software, has released several tools to the community over past years.

Just over a year ago, the company open sourced the Scumblr and Sketchy security scanning tools, and prior to that, the Security Monkey configuration, monitoring and analysis tool for Amazon Web Services, which hosts Netflix around the world.

Copyright © iTnews.com.au . All rights reserved.