Yesterday, Google Security Engineer Claudio Criscione released version 0.42 of the web scanner test application called Firing Range. The author of the test app describes Firing Range as “a Java application built on Google App Engine and contains a wide range of XSS…” They make the source available on github or there is a public website available for target practice.
At first glance, Firing Range looks sparse. However, those who don’t look past the landing page and launch a tool or two are not going to be able to appreciate the elegance of the test site. Firing Range is a unique and valuable addition to the web’s portfolio of test sites.
While the Hackazon test site provides what I have described as a “torture test” for scanners Firing Range is more of a “Rubik’s cube.” Most scanners will complete a test of Firing Range in well under an hour and nothing about the site is resource intensive or attempts to hide vulnerabilities from the test tool. Instead, Firing Range takes the opposite approach and focuses on completeness of the assessment. That is, every test page is directly available within the first two levels of the landing page and all the test pages are labeled for the target test. For example, all of the pages that test for reflective cross site scripting are available from the reflected cross site scripting page. This page is then broken in to clearly defined sections:
Firing Range on its own should not be considered a single source for testing a scanner (and I do not believe the author ever meant for it to be). However I believe that it will soon become a gold standard when assessing a scanner’s ability to detect and report on cross-site scripting.
- For evaluating a scanner’s strengths and weaknesses in detecting and reporting on cross-site scripting, you won’t find a better tool than Firing Range.
- The author has carefully and thoroughly labeled each test and offered explanations where needed.
- Firing Range allows an assessor to map the true positive findings and false negative findings.
- Firing Range makes no attempt to test a scanner’s ability to test in real life situations such as complex workflows like you would find in an eCommerce site.
- Firing Range tests very little beyond cross site scripting. It would be great to see this model extended to other vulnerability families.