Firing Range: Google Open Source Tool for Testing Web App Security Scanners

Security is the one of the most important factor of every business, as it is offline or online. Search giants Google also gives prior importance to its users security and privacy, and earlier also Google had helped online users in many ways via implementing higher security features on its products or by other means.

In this response Google security team had once again came forward in the security concerns. Today Google released a open source tool called "Firing Range", which is specially designed for testing the Web application security scanners. The tool is featured with the variety of cross-site scripting (XSS) and other vulnerabilities on a massive scale.
Google Security Engineer Claudio Criscione, explained about the Firing Range on the blog post. He mentioned that about 70 per cent of the bugs in Google’s Vulnerability Reward Program are cross-site scripting flaws. In a talk at the Google Test Automation Conference (GTAC) last year, Criscione explained that uncovering XSS bugs by hand “at Google scale” is like drinking the ocean.

Google had its own internal XSS scanners known as “Inquisition”. It was built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features. However, while working with and on Inquisition, Google researchers came to realize they needed a testbed with which analyze current and future scanning capabilities.

What is Firing Range ?
Firing Range is a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other web vulnerabilities. Code is available on github.com/google/firing-range, while a deployed version is at public-firing-range.appspot.com.

Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools - Criscione worte.

“We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!).” - he added.