git404hub

what is firing-range fr?

inian/firing-range — explained in plain English

Analysis updated 2026-07-18 · repo last pushed 2015-02-17

JavaAudience · ops devopsComplexity · 3/5DormantSetup · moderate

tl;dr

A deliberately vulnerable test website used to verify that security scanning tools actually detect real-world-like vulnerabilities, hosted on Google App Engine.

vibe map

mindmap
  root((repo))
    What it does
      Hosts planted vulnerabilities
      Provides public test site
      Benchmarks scanners
    Tech stack
      Java
      Google App Engine
    Use cases
      Test a security scanner
      Learn vulnerability types
      Benchmark tool accuracy
    Audience
      Security teams
      Bug bounty hunters
      Tool developers

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Point a security scanner at the public Firing Range instance to verify it catches known vulnerabilities.

VIBE 2

Deploy your own copy on Google App Engine for a private, controlled testing environment.

VIBE 3

Study the range of planted vulnerability categories to learn about different bug types.

what's the stack?

JavaGoogle App Engine

how it stacks up fr

inian/firing-rangeabhishek-kumar09/pmdahus1/cdt
LanguageJavaJavaJava
Last pushed2015-02-172020-11-152024-11-05
MaintenanceDormantDormantStale
Setup difficultymoderatemoderatemoderate
Complexity3/53/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

A public hosted instance exists, so self-deploying on App Engine is optional.

in plain english

Firing Range is a deliberately vulnerable website created to test security scanning tools. Think of it like a practice range for security researchers, instead of hunting for bugs in real applications, they can use this controlled environment to see if their security scanners actually work. The site contains a wide variety of intentional security flaws across different categories. These aren't bugs you'd want in production, they're planted there on purpose so security tools have plenty of real-world-like problems to find and report on. This helps developers of security scanners verify that their tools catch what they're supposed to catch. The project is built as a Google App Engine application, which means it runs on Google's cloud infrastructure and can scale automatically. There's even a public version running online that anyone can access to test their security tools against, without needing to set it up themselves. This makes it easy for security researchers and tool developers to validate their work, they can point their scanners at the public instance and see how well they perform. Firing Range would be useful for security teams building or evaluating scanning tools, bug bounty hunters learning about different vulnerability types, or anyone running a security testing platform who wants a reliable benchmark to measure their tool's effectiveness. It provides a consistent, known set of vulnerabilities so you can verify your scanner works correctly before using it on real applications.

prompts (copy fr)

prompt 1
Explain what categories of vulnerabilities Firing Range includes for testing scanners.
prompt 2
Help me set up my own Firing Range instance on Google App Engine.
prompt 3
Show me how to point a security scanner at the public Firing Range test site.
prompt 4
Walk me through interpreting a scanner's results against Firing Range's known vulnerabilities.

Frequently asked questions

what is firing-range fr?

A deliberately vulnerable test website used to verify that security scanning tools actually detect real-world-like vulnerabilities, hosted on Google App Engine.

What language is firing-range written in?

Mainly Java. The stack also includes Java, Google App Engine.

Is firing-range actively maintained?

Dormant — no commits in 2+ years (last push 2015-02-17).

How hard is firing-range to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is firing-range for?

Mainly ops devops.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.