Firing Range is an intentionally vulnerable web application designed to evaluate the real-world effectiveness of web security scanners and to support training exercises. Deployed as a cloud-friendly app, it aggregates dozens of vulnerability patterns in repeatable, labeled routes so tools can be benchmarked on coverage and noise. The project doesn’t just include simple XSS forms; it spans variants such as DOM-based issues, context-sensitive sinks, template mishandling, CSRF, open redirects, and mixed-content problems. Each scenario is crafted to reflect how bugs appear in production—behind frameworks, in odd encodings, or across redirects—so scanners must demonstrate accurate crawling and context understanding. Because the behaviors are stable and documented, teams can run comparative tests over time and quantify regression or improvement in their pipelines. It’s equally useful for human training, giving analysts a safe playground to practice exploitation and triage skills.
Features
- Curated routes that exercise many classes of web vulnerabilities
- Realistic variants of issues such as reflected, stored, and DOM XSS
- Scenarios targeting crawling, context resolution, and encoding edge cases
- Cloud-friendly deployment for consistent benchmarking runs
- Clear labeling and repeatability for longitudinal comparisons
- Suitable for both automated scanner evaluation and human training labs