# Tutorial

This section describes how Sleepy Puppy is organized and walks through a few use cases showing how you can incorporate Sleepy Puppy into your penetration testing methodology.

This tutorial does not demonstrate a delayed XSS payload propagating through internal systems, but it does give you the tools and techniques to use those payloads in your own applications. When testing internal systems, consider data elements that may propagate to other applications. Some examples include:
- First name/last name
- User-agent strings
- Chat systems
This tutorial assumes you have already deployed Sleepy Puppy, have configured either SES or SMTP email, and have confirmed that you can authenticate to the web UI. For more information, see the setup guide. This tutorial also assumes you will be using Firefox for testing.

This tutorial does not require the Sleepy Puppy TLS Nginx configuration, which means you can use the Docker image found here: https://github.com/Netflix-Skunkworks/zerotodocker
## How Cross-site Scripting Collection Works

Sleepy Puppy ships with a number of XSS payloads you can use. Each payload is associated with the "General" assessment; however, you can create new assessments, which creates unique payloads for identifying captures. After an assessment is created, the attacker can copy a payload from that assessment to inject into the application. When the script containing the payload is loaded in that application or in another application (delayed), the following events occur:

The PuppyScript file(s) associated with that payload are retrieved from the server. The payload is identified by passing the `u` parameter, which contains a unique identifier used to link the payload with the capture, and the `a` parameter, which contains the assessment the payload is associated with. Each PuppyScript fires in the order in which they were chained together. By default, only one PuppyScript runs; it collects metadata and a screenshot of where the payload fired. The server also replaces associated variables and hostnames within the PuppyScript file. If you decide to write your own PuppyScripts, you can use the following Jinja2 template variables, which are filled in automatically when the PuppyScript is loaded:
- {{payload}}: required if your PuppyScript contains callbacks. This lets Sleepy Puppy record which payload fired before the capture.
- {{assessment}}: required if your PuppyScript contains callbacks. This lets Sleepy Puppy map the capture to the correct assessment.
- {{hostname}}
- {{callback_protocol}}
## How The Default PuppyScript Cross-site Scripting Collection Works

For most use cases, no customization of PuppyScripts is required. All payloads that ship with Sleepy Puppy use the default PuppyScript unless explicitly customized. The default PuppyScript performs the following actions when rendered:
- The PuppyScript loader loads jQuery.
- The PuppyScript loader makes a request to `/api/puppyscript_loader/{{payload}}?a={{assessment}}`, where payload is the associated payload and assessment is the associated assessment id.
- The puppyscript_loader API returns the default PuppyScript and the loader executes that PuppyScript.
- The default PuppyScript loads the HTML2Canvas framework.
- The script POSTs to `/callbacks` and includes: URI, Referrer, Cookies, User Agent, DOM, Screenshot ID, Payload, Assessment.
- The script POSTs to `/up` and includes a screenshot of the capture stored in binary PNG format.
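The loader and callback sequence above is also what a defender sees from the other side: a browser inside the tested application fetching `/api/puppyscript_loader/<payload>?a=<assessment>` and then POSTing to `/callbacks` and `/up` on the Sleepy Puppy host. The following is an added example, not part of this wiki or the Sleepy Puppy code, that correlates those three stages per client in a constructed egress-proxy log; the log format, the host `puppy.example.test` and the payload id `3f2a1c` are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample egress-proxy log: timestamp, client IP, method, URL, status.
# "puppy.example.test" is a placeholder host, not a real Sleepy Puppy deployment.
SAMPLE_LOG = """\
2016-03-01T10:00:02Z 10.1.2.3 GET http://puppy.example.test/api/puppyscript_loader/3f2a1c?a=2 200
2016-03-01T10:00:03Z 10.1.2.3 POST http://puppy.example.test/callbacks 200
2016-03-01T10:00:04Z 10.1.2.3 POST http://puppy.example.test/up 200
2016-03-01T10:05:00Z 10.1.2.9 GET http://www.example.test/index.html 200
2016-03-01T10:06:00Z 10.1.2.9 POST http://www.example.test/callbacks 404
"""

# Path documented above: /api/puppyscript_loader/<payload> with ?a=<assessment>.
LOADER_RE = re.compile(r"^/api/puppyscript_loader/([^/?]+)$")


def classify(method, url):
    """Map one request to a Sleepy Puppy stage, or None if it matches nothing.

    Returns (stage, payload_id, assessment_id); ids are only known for the
    loader request, since /callbacks and /up carry them in the POST body."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    loader = LOADER_RE.match(parts.path)
    if method == "GET" and loader and "a" in query:
        return ("loader", loader.group(1), query["a"][0])
    if method == "POST" and parts.path == "/callbacks":
        return ("callback", None, None)
    if method == "POST" and parts.path == "/up":
        return ("screenshot", None, None)
    return None


def find_beacons(log_text):
    """Group matching requests by (client, host). A (client, host) pair is
    reported only if it includes a loader request: /callbacks and /up alone
    are generic paths and would produce false positives."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, url, _status = line.split()
        stage = classify(method, url)
        if stage is not None:
            seen[(client, urlsplit(url).netloc)].append((ts, stage))
    return {key: events for key, events in seen.items()
            if any(stage[0] == "loader" for _ts, stage in events)}
```

Matching on the loader path first and only then counting `/callbacks` and `/up` keeps the rule quiet on unrelated applications that happen to use the same path names.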
Let's start by creating a new assessment. An assessment helps keep your work organized, provides you with distinct payloads to use during the course of your assessment, and limits the scope of email notifications when one of your payloads fires.
We will create an assessment titled "XSS Game", which will include The XSS Challenge web application.
Let's add your user account to this assessment so that you receive email notifications. Any time a payload associated with the assessment fires, we will receive an email notification and can investigate the findings in the UI.
Navigate to the User table, click edit on your username, and add the assessment to your account.
Sleepy Puppy ships with a number of useful payloads. If we navigate to the Payload tab, we can view, modify, and create new payloads. When creating new payloads, simply use the $1 placeholder to tell Sleepy Puppy where it should inject the script URL. You can also set which PuppyScript to load with each payload, and you can chain as many PuppyScripts together as you like.
Let's navigate back over to our XSS Game assessment by clicking the Assessment tab. Here we see our assessment names, as well as a table of payloads for each assessment. Each payload has an associated count for captures, generic collectors, and access log requests which hyperlink to the appropriate data. You can switch assessments by clicking them.
Let's copy the first payload for our assessment.
## XSS Game Payload Test

Using Firefox, visit the XSS Challenge web application (http://xss-quiz.int21h.jp). In the search bar, paste the payload we created earlier. Click Search.

If you have the Developer console open, you will see our script get loaded and the callbacks succeed.

You should now have received an email notification letting you know the payload fired:
## Capture UI Overview

Navigate to the Capture portion of the web application. We can now see all the metadata we collected from the capture.

You can click to view the screenshot, the captured cookies, and the DOM to investigate where the payload fired.