UPDATE: A previous version of this story incorrectly reported that Firing Range is a scanner when in reality Firing Range is a tool that tests Web application security scanners.
Google today released an open source tool called Firing Range, which is designed as a test bed for Web application security scanners that provides coverage for a wide variety of cross-site scripting (XSS) and other vulnerabilities on a massive scale.
According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google’s Vulnerability Reward Program are cross-site scripting flaws. In a talk at the Google Test Automation Conference (GTAC) last year, Criscione explained that uncovering XSS bugs by hand “at Google scale” is like drinking the ocean.
Google’s internal XSS tool is known as “Inquisition.” It was built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features. However, while working with and on Inquisition, Google researchers came to realize they needed a testbed with which to analyze current and future scanning capabilities.
Firing Range became the eventual product of that realization. It’s a Java application built with the Google App Engine. It predominately looks for XSS bugs, but there are other vulnerabilities it can find as well. It differs from previously available tests for XSS scanners in that it doesn’t try to emulate all the possible attack scenarios in a specific application. Instead it relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.
As Criscione explained in his GTAC presentation last year, instead of detecting the presence of a payload and from there deriving the presence of a bug, Firing Range would essentially exploit the bug and detect the results of that exploitation.
“Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools,” Criscione explained on the Google Online Security Blog. “We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!).”
You can find the Firing Range code on GitHub, and a deployed version is at public-firing-range.appspot.com. Users are encouraged to contribute to the tool with any feedback.