Google Open Sources Firing Range – New Testing Tool for Web Application Security Scanners

Google open-sourced a new tool this Tuesday, in an attempt to improve automated web security scanners by testing them against patterns of flaws that have already been seen in the wild. The utility, dubbed Firing Range, is a synthetic testing ground for XSS (cross-site scripting) vulnerabilities, the most frequently encountered flaws in web applications. Firing Range also includes other kinds of bugs, such as:

  • Flash injection
  • Reverse click-jacking
  • Mixed content
  • Cross-origin resource sharing

Firing Range Tests Web Application Security Scanners

Google developed this tool while building another product, a web application security scanner dubbed Inquisition. Firing Range is a Java app built on Google App Engine and is available on GitHub. The tool contains patterns that let a scanner prove it can detect various kinds of XSS flaws: redirected, DOM-based, tag-based, reflected, escaped and remote inclusion.

“Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools,” states Claudio Criscione, a Google security engineer, in a blog post.
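As an added illustration, not code from Firing Range itself, the miniature testbed below shows what such a collection of bug patterns does: two hypothetical endpoints (one reflecting a query parameter into the page unescaped, one HTML-escaping it) carry ground truth about whether a scanner should flag them, and two probe routines are scored against that ground truth, so a probe that only looks for its own text is caught producing a false positive on the escaped pattern.

```python
import html
from urllib.parse import parse_qs, urlencode

# Canary a probe injects: plain text plus the HTML metacharacters whose
# unencoded reflection is what makes reflected XSS possible (constructed value).
CANARY = "frtest<\"'>"


def render_unescaped(query: str) -> str:
    """Bug pattern: the q parameter is written straight into the HTML body."""
    q = parse_qs(query, keep_blank_values=True).get("q", [""])[0]
    return f"<html><body>Results for: {q}</body></html>"


def render_escaped(query: str) -> str:
    """Same page with the parameter HTML-escaped: the true-negative pattern."""
    q = parse_qs(query, keep_blank_values=True).get("q", [""])[0]
    return f"<html><body>Results for: {html.escape(q, quote=True)}</body></html>"


# Testbed entries: name -> (endpoint, should_a_scanner_flag_it). Hypothetical names.
TESTBED = {
    "reflected/body": (render_unescaped, True),
    "reflected/escaped": (render_escaped, False),
}


def metachar_probe(render) -> bool:
    """Reflected-XSS check: do the canary's metacharacters survive unencoded?"""
    page = render(urlencode({"q": CANARY}))
    return CANARY in page


def naive_probe(render) -> bool:
    """Weak check that only asks whether the injected text appears at all,
    so it cannot tell an escaped reflection from a dangerous one."""
    page = render(urlencode({"q": CANARY}))
    return "frtest" in page


def score_probe(probe, testbed=TESTBED) -> dict:
    """Map each pattern to True when the probe's verdict matches ground truth."""
    return {name: probe(render) == expected
            for name, (render, expected) in testbed.items()}
```

Running both probes through score_probe shows the metacharacter check correct on both patterns, while the naive check is wrong on the escaped one, which is exactly the kind of result a testbed like this exists to surface.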

According to Criscione, XSS bugs account for 70% of all security vulnerabilities found at Google, and reviewing them by hand is tedious for a researcher.

Automated XSS Finding

Google's engineers find it more productive to test an application automatically against the different attack vectors and the known contexts in which it can be vulnerable. An extended version of Firing Range is available so that researchers and developers can try it out and give feedback on improvements that could be made to the tool.

Researchers with Politecnico di Milano have also contributed to the development of Firing Range.

Google open-sourced another security tool at the beginning of November, Nogotofail. It inspects the security of network traffic, concentrating on flaws in encryption protection, by providing a MitM (man-in-the-middle) testing ground.

It is a useful tool for developers who want to check whether their applications are secure against SSL/TLS flaws such as POODLE.

Its tests cover:

  • HTTPS and TLS/SSL library bugs
  • SSL certificate verification problems
  • SSL and STARTTLS stripping issues
  • Clear text problems

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
