Google open sources Firing Range, a test tool for web app security scanners

Google has open sourced another security tool: it’s called Firing Range, and it’s an effective testing ground for a variety of automated web application security scanners.

“Firing Range is a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other web vulnerabilities,” Claudio Criscione, Security Engineer at Google, explained in the announcement.

Unlike other test applications that are already available, this one is aimed at automated solutions and not human testers.

“Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools,” he added. “We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!).”

The tool was created by researchers from Google and the Polytechnic University of Milan because they needed a way to test Inquisition, a web application security scanning tool the company has created for in-house use.

The source code for Firing Range can be found on GitHub. There’s also a public instance open for use.

“We hope that others will find it helpful in evaluating the detection capabilities of their own automated tools, and we certainly welcome any contributions and feedbacks from the broader security research community,” Criscione concluded.

This is the second security testing tool that Google has open sourced in the last two weeks. Earlier this month it has released nogotofail, a network security testing tool designed to probe device and apps for SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, and so on.