Google Releases Open Source Tool for Testing Web App Security Scanners

Google on Tuesday launched a security testing tool, “Firing Range”, aimed at improving the efficiency of automated web application security scanners by evaluating them against a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild.

Firing Range basically provides a synthetic testing environment, mostly for cross-site scripting (XSS) vulnerabilities, which are the bugs seen most frequently in web apps.

According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google’s Vulnerability Reward Program are cross-site scripting flaws. In a talk at the Google Test Automation Conference (GTAC) last year, Criscione explained that uncovering XSS bugs by hand “at Google scale” is like drinking the ocean.

Google’s internal XSS tool is known as “Inquisition.” It was built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features. However, while working with and on Inquisition, Google researchers came to realize they needed a testbed with which to analyze current and future scanning capabilities.

Going through the information manually is both exhausting and counter-productive for the researcher, and this is where Firing Range comes into play.

The search engine giant developed Firing Range while working on Inquisition, which it says also has a low false positive rate.

Firing Range became the eventual product of that realization. It’s a Java application built on Google App Engine. It predominantly looks for XSS bugs, but there are other vulnerabilities it can find as well. It differs from previously available tests for XSS scanners in that it doesn’t try to emulate all the possible attack scenarios in a specific application. Instead it relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.

As Criscione explained in his GTAC presentation last year, instead of detecting the presence of a payload and from there deriving the presence of a bug, Firing Range would essentially exploit the bug and detect the results of that exploitation.
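The distinction Criscione draws here, as an added illustration in Python (not Firing Range’s own code): two constructed reflection test cases, one vulnerable and one HTML-escaped, are checked first by naive token reflection and then by whether the injected markup was actually parsed as an element. The `fr-probe` tag and token are invented for the example.

```python
import html
from html.parser import HTMLParser

# Constructed probe tag and token; illustrative names, not Firing Range's
# own identifiers.
PROBE_TAG = "fr-probe"
PROBE_TOKEN = "probe-8f3a-constructed"


def raw_echo(query: str) -> str:
    """Test case 1: reflects the query unescaped (the bug pattern)."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def escaped_echo(query: str) -> str:
    """Test case 2: reflects the query HTML-escaped (no bug)."""
    return f"<html><body><p>Results for: {html.escape(query)}</p></body></html>"


def payload_presence_detect(page: str, token: str) -> bool:
    """Naive check: is the unique token reflected anywhere in the response?"""
    return token in page


class _ProbeFinder(HTMLParser):
    # Records whether the probe was parsed as a real element carrying our token.
    def __init__(self, token: str) -> None:
        super().__init__()
        self.token = token
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == PROBE_TAG and dict(attrs).get("data-token") == self.token:
            self.found = True


def exploitation_result_detect(page: str, token: str) -> bool:
    """Result check: did the injected markup actually become an element?"""
    finder = _ProbeFinder(token)
    finder.feed(page)
    return finder.found


def run_testbed() -> dict:
    """Runs both detection strategies over each constructed bug pattern."""
    payload = f'<{PROBE_TAG} data-token="{PROBE_TOKEN}"></{PROBE_TAG}>'
    cases = {"raw_reflection": raw_echo, "escaped_reflection": escaped_echo}
    results = {}
    for name, page_fn in cases.items():
        page = page_fn(payload)
        results[name] = {
            "payload_presence": payload_presence_detect(page, PROBE_TOKEN),
            "exploitation_result": exploitation_result_detect(page, PROBE_TOKEN),
        }
    return results
```

The escaped case shows the false positive the presence check produces: the token is reflected, but no element is created, so only the result-based check stays quiet.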

“Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools,” Criscione explained on the Google Online Security Blog. “We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!).”

You can find the Firing Range code on GitHub, and a deployed version is at public-firing-range.appspot.com. Users are encouraged to contribute to the tool and to send any feedback.
