inian/firing-range — explained in plain English
Analysis updated 2026-07-18 · repo last pushed 2015-02-17
Point a security scanner at the public Firing Range instance to verify it catches known vulnerabilities.
Deploy your own copy on Google App Engine for a private, controlled testing environment.
Study the range of planted vulnerability categories to learn about different bug types.
| inian/firing-range | abhishek-kumar09/pmd | ahus1/cdt | |
|---|---|---|---|
| Language | Java | Java | Java |
| Last pushed | 2015-02-17 | 2020-11-15 | 2024-11-05 |
| Maintenance | Dormant | Dormant | Stale |
| Setup difficulty | moderate | moderate | moderate |
| Complexity | 3/5 | 3/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
A public hosted instance exists, so self-deploying on App Engine is optional.
Firing Range is a deliberately vulnerable website created to test security scanning tools. Think of it like a practice range for security researchers, instead of hunting for bugs in real applications, they can use this controlled environment to see if their security scanners actually work. The site contains a wide variety of intentional security flaws across different categories. These aren't bugs you'd want in production, they're planted there on purpose so security tools have plenty of real-world-like problems to find and report on. This helps developers of security scanners verify that their tools catch what they're supposed to catch. The project is built as a Google App Engine application, which means it runs on Google's cloud infrastructure and can scale automatically. There's even a public version running online that anyone can access to test their security tools against, without needing to set it up themselves. This makes it easy for security researchers and tool developers to validate their work, they can point their scanners at the public instance and see how well they perform. Firing Range would be useful for security teams building or evaluating scanning tools, bug bounty hunters learning about different vulnerability types, or anyone running a security testing platform who wants a reliable benchmark to measure their tool's effectiveness. It provides a consistent, known set of vulnerabilities so you can verify your scanner works correctly before using it on real applications.
A deliberately vulnerable test website used to verify that security scanning tools actually detect real-world-like vulnerabilities, hosted on Google App Engine.
Mainly Java. The stack also includes Java, Google App Engine.
Dormant — no commits in 2+ years (last push 2015-02-17).
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Don't trust strangers blindly. Verify against the repo.