ZAP vs Firing Range

Google Firing Range is a test bed for automated web application security scanners.

It is available online at https://public-firing-range.appspot.com/ and the GitHub repo is https://github.com/google/firing-range

It does not appear to be being actively maintained and some of the tests no longer appear to work with modern browsers.

Click on the Sections to see the full set of results, which also link to the online test page and the scan rule which should find the vulnerability.

Changes which find any of the missed vulnerabilities are eligible for a bounty: see Issue #7122 for more details.

Section Score
Escaped XSS
29%
Mixed content
100%
Reflected XSS
98%
Remote Inclusion XSS
60%
Reverse ClickJacking
67%
Leaked httpOnly cookie
100%
Invalid framing configuration
100%

 

Configuration

Config Details
Frequency Daily
Scripts https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/firingrange/
Action https://github.com/zapbot/zap-mgmt-scripts/actions/workflows/zap-vs-firingrange.yml

 

Settings

The latest Nightly ZAP Docker image is run with the default settings against this app with the following exceptions:

  • The XSS rule is set to use LOW threshold in order to detect 2 cases which are not strictly vulnerable.