Last week Google released a security testing tool called “Firing Range”. The tool is a Java application that contains a wide range of XSS (cross-site scripting) and a few other web vulnerabilities. A deployed version is available on Google App Engine, and since the tool is open source, you can check out the code on GitHub. Firing Range was developed by Google and researchers at Politecnico di Milano (http://www.polimi.it/) in the hopes of building a test ground for automated scanners. The company has used Firing Range itself both as a continuous testing aid and as a driver for its own development by “defining as many bug types as possible, including some that we cannot detect (yet!).”
In addition to XSS vulnerabilities, the new web app scanner also scans for other types of vulnerabilities, including reverse clickjacking, Flash injection, mixed content, and cross-origin resource sharing vulnerabilities.
Unlike many other vulnerable test applications, Google says Firing Range doesn’t focus on creating realistic-looking testbeds for human testers. Instead, the tool uses automation to exhaustively enumerate the contexts and the attack vectors that an application might exhibit.
Rather than emulating a real application or exercising the crawling capabilities of a scanner, the testbed is simply a collection of unique bug patterns drawn from vulnerabilities that Google has seen in the wild. In this way, the company hopes it can more thoroughly verify the detection capabilities of security tools.