Google Firing Range is a test bed for automated web application security scanners.
It is available online at https://public-firing-range.appspot.com/ and the GitHub repo is https://github.com/google/firing-range.
It does not appear to be actively maintained, and some of the tests no longer work in modern browsers.
Click on the Sections to see the full set of results, which also link to the online test page and the scan rule which should find the vulnerability.
Changes which find any of the missed vulnerabilities are eligible for a bounty: see Issue #7122 for more details.
Section | Score
---|---
Escaped XSS | 29%
Mixed content | 100%
Reflected XSS | 98%
Remote Inclusion XSS | 60%
Reverse ClickJacking | 67%
Leaked httpOnly cookie | 100%
Clickjacking | 100%
Configuration
Config | Details |
---|---|
Frequency | Daily |
Scripts | https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/firingrange/ |
Action | https://github.com/zapbot/zap-mgmt-scripts/actions/workflows/zap-vs-firingrange.yml |
Settings
The latest Nightly ZAP Docker image is run with the default settings against this app with the following exceptions:
- The XSS rule is set to the LOW threshold in order to detect 2 cases which are not strictly vulnerable.