"Our testbed doesn't try to emulate a real application, nor exercise the crawling capabilities of a scanner: it's a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools," Criscione explained on the Google Online Security Blog.
Google on Tuesday launched a Security testing tool "Firing Range", which aimed at improving the efficiency of automated Web application security scanners by evaluating them with a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild.
Firing Range basically provides a synthetic testing environment mostly for cross-site scripting (XSS) vulnerabilities that are seen most frequently in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google's Vulnerability Reward Program are cross-site scripting flaws.
In addition to XSS vulnerabilities, the new web app scanner also scans for other types of vulnerabilities including reverse clickjacking, Flash injection, mixed content, and cross-origin resource sharing vulnerabilities.
Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners. The company has used Firing Range itself "both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."
What makes it different from other vulnerable test applications available is its ability to use automation, which makes it more productive. Instead of focusing on creating realistic-looking testbeds for human testers, Firing Range relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.
Firing Range is a Java application that has been built on Google App Engine. It includes patterns for the scanner to focus on DOM-based, redirected, reflected, tag-based, escaped and remote inclusion bugs.
At the Google Testing Automation Conference (GTAC) last year, Criscione said that detecting XSS vulnerabilities by hand "at Google scale" is like drinking the ocean. Going through the information manually is both exhausting and counter-productive for the researcher, so here Firing Range comes into play that would essentially exploit the bug and detect the results of that exploitation.
Firing Range tool has been developed by the search engine giant while working on "Inquisition", an internal web application security scanning tool built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features and has a low false positive rate.