Firing Range - Open Source Vulnerability Scanner


Google released a new security testing tool called Firing Range, which helps developers evaluate cross-site scripting (XSS) and other vulnerabilities that are seen most frequently in web apps.

According to Claudio Criscione, Security Engineer at Google, 70 percent of bugs in the Google Bug Bounty Programme are cross-site scripting.

Firing Range also scans for vulnerabilities like reverse clickjacking, Flash injection and cross-origin resource sharing vulnerabilities.

This tool was made by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners.

Firing Range is a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other web vulnerabilities.

At the Google Testing Automation Conference (GTAC) last year, Criscione said that detecting XSS vulnerabilities by hand “at Google scale” is like drinking the ocean.

"Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools," said Claudio Criscione.

The scanner is built entirely on Google technologies like Chrome and Google Cloud Platform, with support for the latest HTML5 features, a low false positive rate and ease of use in mind.

The open source tool is available on GitHub, while a deployed version is available on Google App Engine.
