Image
"Often when testing for client side injections (HTML/JS/etc.) security engineers are looking for where the injection occurs within the application they are testing only," observe the researchers in a description of Sleepy Puppy on GitHub. "While this provides ample coverage for the application in scope, there is a possibility that the code engineers are injecting may be reflected back in a completely separate application."Behrens and Kelley go on to explain that their tool addresses this shortcoming via the use of inter-application XSS testing by enabling JavaScript payloads that callback to the Sleepy Puppy application. This allows for the tracking of payloads across different users and applications as well as over extended periods of time. At the heart of Sleepy Puppy is the 'PuppyScript,' a customizable JavaScript that collects information on the client and application whenever the payload executes. The default configuration of the PuppyScript generates useful metadata including the URL, user-agent, referer headers, cookies, and other sources of data.
Image
“It’s a phenomenal concept,” said Daniel Miessler, Practice Principal at HP’s security organization “That’s huge, especially when you could be getting detonation events days, weeks, or months after the attack was sent. It’s a really cool feature that should take front and center in the explanation of the tool."As noted by The Register, Sleepy Puppy works with Docker and can be plugged into Burp Suite or Zap using the API. The platform follows a series of other security tools released by Netflix, including the Fully Integrated Defense Operation (FIDO) incident response tool that was made available earlier this year.
