Google today released security testing tool Firing Range, a Java application that contains a wide range of XSS and a few other web vulnerabilities. A deployed version is available on Google App Engine and since the tool is open source you can check out the code on GitHub.
Firing Range was developed by Google and researchers at <a href="http://www.polimi.it/"Politecnico di Milano in the hopes of building a test ground for automated scanners. The company has used Firing Range itself both as a continuous testing aid and as a driver for its own development by “defining as many bug types as possible, including some that we cannot detect (yet!).”
Unlike many other vulnerable test applications, Google says Firing Range doesn’t focus on creating realistic-looking testbeds for human testers. Instead, the tool uses automation to exhaustively enumerate the contexts and the attack vectors that an application might exhibit.
Rather than emulating a real application or exercising the crawling capabilities of a scanner, the testbed is simply a collection of unique bug patterns drawn from vulnerabilities that Google has seen in the wild. In this way, the company hopes it can more thoroughly verify the detection capabilities of security tools.
In fact, Firing Range was built out of the company’s need for a synthetic testbed to both test its current capabilities and set goals for what to try to catch next. The company says it is using an internal web application security scanning tool, codenamed Inquisition, in its latest attempts at beefing up security. It is built entirely on Google technologies like Chrome and Google Cloud Platform, with support for the latest HTML5 features, a low false positive rate, and ease of use in mind.
Google doesn’t say whether it plans to release Inquisition next, but we wouldn’t be surprised. Earlier this month, the company open sourced a network traffic security testing tool.