Sleepy Puppy

Scott Behrens edited this page Aug 25, 2015 · 1 revision

                            __
     ,                    ," x`--o
    ((                   (  | __,'
     \\~----------------' \_;/
hjw  (   alert('yawn')      /
     /) ._______________.  )
    (( (               (( (
     ``-'               ``-'

#Overview#

##What is Sleepy Puppy?##

Sleepy Puppy is a blind cross-site scripting (XSS) collector, created to simplify blind XSS testing.

##Why Should I use Sleepy Puppy?##

Often, when testing for client-side injections (HTML/JS/etc.), security engineers look only for where the injection occurs within the application they are testing. While this provides ample coverage for the application in scope, the code an engineer injects may be reflected back in a completely separate application.

Sleepy Puppy facilitates inter-application XSS testing by providing PuppyScript payloads that call back to the Sleepy Puppy application.

##How Does Sleepy Puppy Do It?##

Sleepy Puppy provides a PuppyScript payload that security engineers can use for blind XSS testing. The callback functions provided by the PuppyScript generate useful capture metadata, including the URI, DOM, user-agent, cookies, referer header, and a screenshot of where the payload executed. This allows a tester to generate unique PuppyScript payloads and trace which applications they execute in throughout the payload lifecycle.
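The tracing idea above, sketched as an added example (not Sleepy Puppy's own code): each injection gets a unique token, and an incoming capture is matched back to it to see whether the payload ran in a different application than the one tested. The `Tracker` class, its method names, and the capture field names are hypothetical; Sleepy Puppy's actual data model and API are not shown on this page.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Injection:
    token: str         # unique id carried by the payload's callback (assumed scheme)
    assessment: str    # assessment the tester filed the injection under
    injected_url: str  # where the tester submitted the payload


class Tracker:
    """Hypothetical bookkeeping for unique payloads and their captures."""

    def __init__(self):
        self._by_token = {}

    def register(self, assessment, injected_url):
        # One unguessable token per injection point, so a capture
        # identifies exactly which input it came from.
        inj = Injection(secrets.token_hex(8), assessment, injected_url)
        self._by_token[inj.token] = inj
        return inj

    def correlate(self, capture):
        # capture: dict with hypothetical keys 'token' and 'uri'
        inj = self._by_token.get(capture.get("token"))
        if inj is None:
            return None  # token was never issued: not one of our payloads
        origin = urlsplit(inj.injected_url).hostname
        executed = urlsplit(capture.get("uri", "")).hostname
        return {
            "assessment": inj.assessment,
            "injected_host": origin,
            "executed_host": executed,
            # True when the payload fired outside the tested application
            "cross_application": executed is not None and executed != origin,
        }


if __name__ == "__main__":
    tracker = Tracker()
    inj = tracker.register("helpdesk-review", "https://support.example.com/ticket/new")
    # Constructed capture: the ticket was later viewed in a separate admin tool.
    print(tracker.correlate({"token": inj.token,
                             "uri": "https://admin.example.net/tickets/42"}))
```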

Sleepy Puppy also supports email notifications for captures received for specific assessments.

Sleepy Puppy exposes an API for users who may want to develop plugins for scanners such as Burp or ZAP.

API Documentation

#Release History#

V1.0 - Initial Release

#Documentation#

Documentation is maintained in the GitHub Wiki