Google open-sourced a new tool this Tuesday, in an attempt to improve automated web security scanners by assessing them against patterns of flaws that have already been seen in the wild. The utility, dubbed Firing Range, is a synthetic testing ground for XSS (cross-site scripting) vulnerabilities, the most frequently encountered flaws in web applications. Firing Range also includes other kinds of bugs, such as:
- Flash injection
- Reverse click-jacking
- Mixed content
- Cross-origin resource sharing
Firing Range Tests Web Application Security Scanners
Google developed this tool while building another product, a web application security scanner dubbed Inquisition. Firing Range is a Java application built on Google App Engine, and it is available on GitHub. The tool provides patterns for a scanner to detect various kinds of XSS flaws, such as redirected, DOM-based, tag-based, reflected, escaped and remote-inclusion XSS.
“Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools,” states Claudio Criscione, a Google security engineer, in a blog post.
According to Criscione, XSS bugs accounted for 70% of all security vulnerabilities detected at Google. Examining that information manually is quite tiring for the researcher.
Automated XSS Finding
Google's engineers find it more productive to examine an application automatically for the different attack vectors and the known contexts in which it can be vulnerable. An extended version of Firing Range is available to researchers and developers, who can test it and give feedback on any improvements that could be made to the tool.
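The bug-pattern idea behind Firing Range can be sketched in a few lines. The following is an added example, not Firing Range's or Google's code: each pattern embeds input into HTML in one context (body, quoted and unquoted attribute, script block), some escaped correctly for that context and some not, and `probe()` mimics the minimal reflection check a scanner performs. The marker strings and the canary are constructed for this example; the "truly vulnerable" column is the answer key a scanner would be scored against.

```python
import html
import json
import re

START, END = "fr7", "9q"            # constructed markers that bracket the reflection
CANARY = START + '<"\' >' + END     # constructed probe carrying several break-out characters
def body_unescaped(q):              # raw reflection into the HTML body
    return f"<p>Results for {q}</p>"

def body_escaped(q):                # HTML-escaped: correct for body context
    return f"<p>Results for {html.escape(q)}</p>"

def attr_quoted_partial(q):         # only < > & escaped; a double quote still closes the attribute
    return f'<input value="{html.escape(q, quote=False)}">'

def attr_quoted_escaped(q):         # quote=True also encodes " and ': correct here
    return f'<input value="{html.escape(q)}">'

def attr_unquoted(q):               # unquoted attribute: whitespace ends the value despite escaping
    return f"<input value={html.escape(q)}>"

def script_json(q):                 # json.dumps leaves '<' raw, so "</script>" in q ends the block
    return f"<script>var q = {json.dumps(q)};</script>"

def script_json_hardened(q):        # also encode '<' so no tag can be formed inside the script
    encoded = json.dumps(q).replace("<", "\\u003c")
    return f"<script>var q = {encoded};</script>"

PATTERNS = [  # (name, regex for a raw break-out character in this context, truly vulnerable?, page)
    ("body_unescaped",       r"<",  True,  body_unescaped),
    ("body_escaped",         r"<",  False, body_escaped),
    ("attr_quoted_partial",  r'"',  True,  attr_quoted_partial),
    ("attr_quoted_escaped",  r'"',  False, attr_quoted_escaped),
    ("attr_unquoted",        r"\s", True,  attr_unquoted),
    ("script_json",          r"<",  True,  script_json),
    ("script_json_hardened", r"<",  False, script_json_hardened),
]
def probe(render, breakout):
    """Minimal scanner check: does a break-out character survive unencoded in the reflection?"""
    page = render(CANARY)
    start = page.find(START)
    if start < 0:
        return False                # input not reflected at all
    end = page.find(END, start)
    reflected = page[start:end if end >= 0 else None]
    return re.search(breakout, reflected) is not None
def run_testbed():
    """Return {pattern: (truly_vulnerable, flagged)}; a scanner is scored on how often these agree."""
    return {name: (expected, probe(render, breakout)) for name, breakout, expected, render in PATTERNS}
```

A real scanner would replace `probe()` with its own requests; the patterns stay fixed, which is what makes the comparison between scanners meaningful.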
Researchers with Politecnico di Milano have also contributed to the development of Firing Range.
Another security-related tool, Nogotofail, was open-sourced by Google at the beginning of November. Its purpose is to inspect the security of network traffic, concentrating on weaknesses in encryption protection, by providing a MitM (man-in-the-middle) testing environment.
This is a rather helpful tool that allows developers to check whether their applications are secure against SSL/TLS flaws such as POODLE.
The tests cover:
- HTTPS and TLS/SSL library bugs
- SSL certificate verification problems
- SSL and STARTTLS stripping issues
- Cleartext traffic problems