Netflix releases Sleepy Puppy anti-XSS tool

Helps devs tackle common yet dangerous security problem.

Video streaming giant Netflix has open-sourced its customisable Sleepy Puppy anti-cross site scripting tool to help developers secure their web applications against the vulnerability.

Sleepy Puppy. Source: Netflix.

Cross-site scripting (XSS) is a common security problem for website developers. It allows attackers to run potentially damaging scripts in visitors' web browsers, and has featured in the Open Web Application Security Project (OWASP) top ten list of vulnerabilities for more than a decade.
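To make the defect concrete, here is an added example (written for this page, not code from the article or from the Sleepy Puppy project) showing a minimal server-side render of a search term, first concatenated straight into the page and then with contextual HTML escaping. The probe string and the tiny foreign-tag detector are constructed for the illustration; a real scanner would instead watch for its own payload executing in a browser.

```javascript
// Added example, not from the article or Netflix: the vulnerable render beside its
// hardened form, plus a small check that makes the difference observable.

// Characters that change meaning inside an HTML text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted data for insertion into HTML text content.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the user-controlled search term is concatenated into the markup, so any
// tags it contains become part of the page the visitor's browser interprets.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: the same template, but every untrusted value is escaped for the HTML
// context it lands in, so it is displayed as text rather than parsed as markup.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Minimal detector (constructed for this example, not a real scanner): does the
// rendered output contain any tag that is not part of the template?
function containsForeignTag(html, allowedTags = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((tag) => !allowedTags.includes(tag));
}

// Constructed probe: a harmless marker element. If it survives rendering as a tag,
// the same sink would also pass a script element through unchanged.
const PROBE = '<b id="probe">marker</b>';

// Stand-alone demonstration.
console.log('unsafe render injects markup:', containsForeignTag(renderSearchUnsafe(PROBE)));
console.log('safe render injects markup:  ', containsForeignTag(renderSearchSafe(PROBE)));
```

The escaping shown is the right fix for an HTML text context only; data placed inside a script block, a URL, or a CSS value needs the escaper for that context, which is why tools that track where a payload actually lands are useful to developers.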

Netflix engineers Scott Behrens and Patrick Kelley said that while existing tools could ferret out XSS holes in web apps, the company wanted a more comprehensive security framework that simplifies tracking where cross-site scripting payloads propagate and identifying where they execute, so that developers can fix issues faster.

Netflix Sleepy Puppy testing workflow diagram.

The anti-XSS tool lets testers create payloads and PuppyScripts to collect data on when payloads are executed, along with screenshots and metadata on events.

Sleepy Puppy was released as open source on GitHub. It requires Python 2.7 with Flask and helper packages, SQLAlchemy with a configurable storage backend, the Ace JavaScript editor, and the html2canvas JavaScript library for screenshots, which can be stored in Amazon S3 cloud storage.

Notifications can be set up via Amazon Web Services' Simple Email Service (SES).

Netflix, a large developer and user of open source software, has released several tools to the community over past years.

Just over a year ago, the company open sourced the Scumblr and Sketchy security scanning tools, and prior to that, the Security Monkey configuration monitoring and analysis tool for Amazon Web Services, which hosts Netflix around the world.

Copyright © iTnews.com.au . All rights reserved.