Netflix Sleepy Puppy – Nothing new

Netflix has released an open source tool that their engineering team have developed in-house that can find second-order XSS vulnerabilities in web applications. The tool is called Sleepy Puppy, and while it’s a good initiative from Netflix, the auto-detection of ‘Delayed XSS’ is nothing new.

In August 2013, Acunetix announced it’s 9th edition of it’s flagship web vulnerability scanner. Among the new features, Acunetix released a new service called AcuMonitor. AcuMonitor is a free service that is included with Acunetix Vulnerability Scanner that allows the detection of vulnerabilities that do not provide a response to a scanner during testing, therefore, the response from the vulnerability test is delayed.

Detection of second-order vulnerabilities requires an intermediary service; Acunetix Vulnerability Scanner, combined with it’s built-in AcuMonitor Technology, makes automatic detection of such vulnerabilities possible and transparent to the user running an automated web vulnerability scan.

In addition to Blind XSS (or Delayed XSS), AcuMonitor can also detect other second-order vulnerabilities such as XML External Entity Injection (XXE), Server Side Request Forgery (SSRF), Host Header Attacks, Email Header Injection, Password Reset Poisoning, Blind Out of Band SQL Injection and Blind Out of Band Remote Code Execution.

What’s in a name?

Unfortunately, names don’t always properly or fully reflect what they are trying to describe – some argue that cross-site scripting should be named something more representative such as JavaScript injection. Be that as it may, everyone refers to it as XSS and using another name would only cause confusion.

The same applies for Blind XSS and Delayed XSS. One of the first popular talks about the subject was at DEFCON 20 by Adam Baldwin. During his talk, Baldwin specifically mentions the following about Blind XSS.

It’s not like Blind SQLi where you get immediate feedback.

While it could be argued that Delayed XSS is technically a better name for what Acunetix AcuMonitor and Sleepy Puppy attempt to find, for all intents and purposes, Delayed XSS is nothing new – it’s Blind XSS with a different name.