SleepyPuppy is a Cross-Site Scripting (XSS) management tool which is not only full of features and customization options, but also has a really enjoyable name. SleepyPuppy was originally developed by the Netflix Skunkworks security team and released around 2015, and it was unfortunately deprecated from further updates around 2018. While the original creators state that other tools have come along which streamline the process, which may be true, those other tools lack the features that I personally want: dynamic customization of payloads, payload templating, and a way to logically sort and filter all the responses you may get back. These XSS management tools are especially useful when attempting Blind XSS.

Let's quickly cover the risk of Blind XSS. In traditional XSS variants, an attacker is attacking the 'front door' of an application, meaning whatever is user facing. Most commonly you're targeting other users of the same application, or perhaps an administrator account you want to steal. While you may be able to go several applications deep if this is a portal application, all your attacks typically end up executing at the 'front of the stack.' In Blind XSS, however, an attacker sends malicious payloads through any channel they can get their hands on, such as APIs, logging, headers, database calls, file uploads, and more, in order to pop a payload somewhere further down the stack, in a component the attacker never sees directly.

For example, in order to keep up with modern standards and the demands of clients, a development team is forced to implement logging across the board for all their APIs, and to meet those demands they decide to log everything and anything from an HTTP request. They're sending these logs to 'XYZ Log Viewer', which someone occasionally checks when errors arise. We decide to start sending XSS payloads inside the User-Agent header, calling back to our XSS tool of choice. Days, weeks, or months later we suddenly receive a callback to our tool! What happened? In this hypothetical scenario, let's say the XYZ Log Viewer is vulnerable to some form of XSS: an internal user finally decided to check the logs, and because the viewer has been logging and rendering all HTTP data, our User-Agent payload pops and we get our execution.

These XSS tools give an attacker insight into where and when a script executed, plus a feedback mechanism to tailor, and potentially chain, attacks against a given target, especially against services several layers deep that are typically hidden from an external point of view.
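The log-viewer scenario above from the defender's side, as an added example (not code from the post or from SleepyPuppy): a small combined-log parser that flags markup smuggled through the User-Agent or Referer fields, beside the unsafe and the escaped rendering of a log row. The log lines and the attacker.invalid host are constructed for this example.

```python
import html
import re

# Constructed sample access-log lines in combined log format (not from the post).
# Line 2 carries a markup payload in the User-Agent, the vector the post describes.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2020:13:55:36 +0000] "GET /api/v1/items HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [10/Oct/2020:13:55:37 +0000] "GET /api/v1/items HTTP/1.1" 200 512 "-" "<script src=https://attacker.invalid/x.js></script>"
203.0.113.12 - - [10/Oct/2020:13:55:38 +0000] "POST /api/v1/login HTTP/1.1" 401 88 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Crude indicators of HTML/JS inside a header value that should be plain text.
MARKUP_RE = re.compile(r'<\s*/?[a-z!]|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_markup_in_headers(log_text):
    """Return (ip, field, value) for every logged header value that looks like markup."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for field in ("ua", "ref"):
            if MARKUP_RE.search(entry[field]):
                hits.append((entry["ip"], field, entry[field]))
    return hits


def render_row_unsafe(entry):
    """What a vulnerable log viewer does: interpolates raw header text into HTML."""
    return f"<tr><td>{entry['ip']}</td><td>{entry['ua']}</td></tr>"


def render_row(entry):
    """Hardened rendering: escape every logged value before it reaches the page."""
    return (f"<tr><td>{html.escape(entry['ip'])}</td>"
            f"<td>{html.escape(entry['ua'], quote=True)}</td></tr>")
```

Running the detector over a log export before it is ever opened in a browser-based viewer is a cheap way to catch stored header payloads early; the escaped renderer is what the viewer itself should have done.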

So back to SleepyPuppy, what are its features?

  • Create templated script variants to share across pentesters
  • Dynamically update these 'PuppyScript' payloads (in case of error, new features, or de-weaponizing)
  • Provides a way to have a single generic payload that only requests the data you need
  • Allows "assessments" to be created which keep assessment A separate from assessment B; critical when the tool is deployed on a single host shared by several pentesters
  • Takes a screenshot upon XSS execution
  • Has Access Logs independent of script execution (handy for troubleshooting or identifying controls)
  • Actually has Users and Authentication

In future posts I'll explain why the bullet points above are especially important, and cover other tools that are missing some of them (such as ezXSS).

Modern applications increasingly rely on LocalStorage and SessionStorage for storing sensitive information, and by default SleepyPuppy does not collect this data unless you stub that collection into a generic collector payload yourself. Borrowing this UI idea from ezXSS, I've decided to stub this information into SleepyPuppy payloads by default, as well as clean up the theme, update the UI to the newest Flask-Admin templates, and fix a couple of hardcoded URL issues. In the near future I'm hoping to take a crack at fixing the Burp plugin to work with Burp 2.0, so that SleepyPuppy payloads can be stubbed in easily.

https://github.com/randomactsofsecurity/sleepy-puppy