Netflix recently open sourced Sleepy Puppy — a cross-site scripting (XSS) payload management framework for security assessments.

One of the most frequently requested features for Sleepy Puppy has been for an extension for Burp Suite, an integrated platform for web application security testing. Today, we are pleased to open source a Burp extension that allows security engineers to simplify the process of injecting payloads from Sleepy Puppy and then tracking the XSS propagation over longer periods of time and over multiple assessments.

Prerequisites and Configuration

First, you need to have a copy of Burp Suite running on your system. If you do not have a copy of Burp Suite, you can download/buy Burp Suite here. You also need a Sleepy Puppy instance running on a server. You can download Sleepy Puppy here. You can try out Sleepy Puppy using Docker. Detailed instructions on setup and configuration are available on the wiki page.

Once you have these prerequisites taken care of, please download the Burp extension here.

If the Sleepy Puppy server is running over HTTPS (which we would encourage), you need to inform the Burp JVM to trust the CA that signed your Sleepy Puppy server certificate. This can be done by importing the cert from Sleepy Puppy server into a keystore and then specifying the keystore location and passphrase while starting Burp Suite. Specific instructions include:

Visit your Sleepy Puppy server and export the certificate using Firefox in pem format

Import the cert in pem format into a keystore with the command below. keytool -import -file /path/to/cert.pem -keystore sleepypuppy_truststore.jks -alias sleepypuppy

You can specify the truststore information for the plugin either as an environment variable or as a JVM option.

Set truststore info as environmental variables and start Burp as shown below: export SLEEPYPUPPY_TRUSTSTORE_LOCATION=/path/to/sleepypuppy_truststore.jks export SLEEPYPUPPY_TRUSTSTORE_PASSWORD=passphrase provided while creating the truststore using keytool command above java -jar burp.jar

Set truststore info as part of the Burp startup command as shown below: java -DSLEEPYPUPPY_TRUSTSTORE_PASSWORD=/path/to/sleepypuppy_truststore.jks -DSLEEPYPUPPY_TRUSTSTORE_PASSWORD=passphrase provided while creating the truststore using keytool command above -jar burp.jar

Now it is time to load the Sleepy Puppy extension and explore its functionality.

Using the Extension

Once you launch Burp and load up the Sleepy Puppy extension, you will be presented with the Sleepy Puppy tab.

This tab will allow you to leverage the capabilities of Burp Suite along with the Sleepy Puppy XSS Management framework to better manage XSS testing.

Some of the features provided by the extension include:

Create a new assessment or select an existing assessment

Add payloads to your assessment and the Sleepy Puppy server from the the extension

When an Active Scan is conducted against a site or URL, the XSS payloads from the selected Sleepy Puppy Assessment will be executed after Burp’s built-in XSS payloads

In Burp Intruder, the Sleepy Puppy Extension can be chosen as the payload generator for XSS testing

In Burp Repeater, you can replace any value in an existing request with a Sleepy Puppy payload using the context menu

The Sleepy Puppy tab provides statistics about any payloads that have been triggered for the selected assessment

You can watch the Sleepy Puppy extension in action at YouTube.

Interested in Contributing?

Feel free to reach out or submit pull requests if there’s anything else you’re looking for. We hope you’ll find Sleepy Puppy and the Burp extension as useful as we do!

— by Rudra Peram