Hello,

I am trying to deploy firing-range on GAE however I'm running into issues.
First, trying to deploy as "gcloud deploy app" I get this error:

Error: Server Error
The server encountered an error and could not complete your request.
Please try again in 30 seconds.

Second, trying to deploy as " mvn deploy: appengine" runs into many errors such as there isn't a pom file . Therefore I created the pom file but still got errors such as:

[ERROR] Could not find goal '' in plugin org.apache.maven.plugins:maven-deploy-plugin:2.7 among available goals deploy-file, help, deploy -> [Help 1]

Every time I sort out an error another comes out, which makes me wonder if I am following the correct way.
Can you provide some steps on how to deploy this app on GAE?

Thank you

When running 'ant runserver' on Mac OSX 10.13.4 I get the multiple instances of the following error:

[enhance] Apr. 10, 2018 12:29:57 VORM. org.datanucleus.enhancer.DataNucleusEnhancer addMessage [enhance] SCHWERWIEGEND: An error occured for ClassEnhancer "ASM" when trying to call the method "org.datanucleus.enhancer.asm.ASMClassEnhancer" on class "getClassNameForFileName" : null [enhance] java.lang.IllegalArgumentException [enhance] at org.objectweb.asm.ClassReader.<init>(ClassReader.java:170) [enhance] at org.objectweb.asm.ClassReader.<init>(ClassReader.java:153) [enhance] at org.objectweb.asm.ClassReader.<init>(ClassReader.java:424) [enhance] at org.datanucleus.enhancer.asm.ASMClassEnhancer.getClassNameForFileName(ASMClassEnhancer.java:155) [enhance] at jdk.internal.reflect.GeneratedMethodAccessor1.invoke(Unknown Source) [enhance] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [enhance] at java.base/java.lang.reflect.Method.invoke(Method.java:564) [enhance] at org.datanucleus.enhancer.DataNucleusEnhancer.getClassNameForFilename(DataNucleusEnhancer.java:920) [enhance] at org.datanucleus.enhancer.DataNucleusEnhancer.getFileMetadataForInput(DataNucleusEnhancer.java:736) [enhance] at org.datanucleus.enhancer.DataNucleusEnhancer.enhance(DataNucleusEnhancer.java:545) [enhance] at org.datanucleus.enhancer.DataNucleusEnhancer.main(DataNucleusEnhancer.java:1252) [enhance] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [enhance] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [enhance] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [enhance] at java.base/java.lang.reflect.Method.invoke(Method.java:564) [enhance] at com.google.appengine.tools.enhancer.Enhancer.execute(Enhancer.java:74) [enhance] at com.google.appengine.tools.enhancer.Enhance.<init>(Enhance.java:70) [enhance] at com.google.appengine.tools.enhancer.Enhance.main(Enhance.java:50)

I am using the following Java version:

$ java --version java 10 2018-03-20 Java(TM) SE Runtime Environment 18.3 (build 10+46) Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10+46, mixed mode)

You can find the full log attached,
log.log

The public-firing-range is several versions old and a new version needs to be pushed. Note for example the difference between what is checked into the repo and what's hosted at public-firing-range.appspot.com/dom - specifically the lack of external script loading toxicdomscripts tests.

Including unvalidated data in an HTTP response header can enable cache-poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect.

Original report: #15 (comment)

"The problem seems to be that in the local instance a / gets appended after the /tags path. I'm using Java 8 and appengine-java-sdk-1.9.54."

Hi, could you please push the 0.47 version of firing range that is also deployed at https://public-firing-range.appspot.com/? Or is it not inteded to be public?

The version on github is still 0.46.

https://github.com/jesuscmartinez/docker-firing-range has a Dockerfile that works, but only up to
commit c7033ad.

I adapted it to use the build context's copy of firing-range:

FROM ubuntu:trusty
RUN apt-get update \
 && apt-get install -y -qq wget unzip ant git openjdk-7-jdk \
 && apt-get clean
RUN wget https://storage.googleapis.com/appengine-sdks/featured/appengine-java-sdk-1.9.24.zip \
 && unzip appengine-java-sdk-1.9.24.zip \
 && rm appengine-java-sdk-1.9.24.zip
WORKDIR appengine-java-sdk-1.9.24/demos/firing-range
COPY build.xml build.xml
COPY src src
COPY WEB-INF WEB-INF
EXPOSE 8080
CMD ["sh", "-c", "ant -Daddress=0.0.0.0 runserver && while true; do sleep 10000; done"]

The next commit, fe45c38, ported firing-range to java 8, and I couldn't figure out how to get firing-range working with that in Docker. My experience with Java predates ant... and I'm allergic to xml :-)

Need challenges for some of the below-mentioned list
https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval
https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval
https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval
https://public-firing-range.appspot.com/address/location.hash/documentwrite
Please provide solutions from these mentioned URLs it will be a great help from your side

thanks and regards

Example: https://public-firing-range.appspot.com/escape/serverside/escapeHtml/body?q=a
Our ZAP regression tests are failing ;)
https://github.com/zapbot/zap-mgmt-scripts/runs/6977470176?check_suite_focus=true

Hello, I am trying to find a way how to perform XSS in style tags. However it seems to me that unless I rely on deprecated or not fixed features of old browsers like :expression and -moz-binding the following pages cannot be exploted. Is it true? If so, could you give me a hint on how to exploit them?

The testcases:
/serverside/escapeHtml/css_style
/serverside/escapeHtml/css_style_font_value
/serverside/escapeHtml/css_style_value
/serverside/encodeUrl/css_style
/serverside/encodeUrl/css_style_value
/serverside/encodeUrl/css_style_value

Hello,
I am struggling in exploiting some of the challenges, can you provide the solutions for that it will be really helpful for me to learn and understand advanced level challenges of XSS as I solved all the Reflected XSS module but I am struggling in solving EscapedXSS module.

Is there a place where we can find an exhaustive list of all the vulnerabilities exposed by firing-range?

I wanted to compare the result found by some tools with the reality and opening the vulnerabilities pages one by one is quite time consuming.

Thanks,

Hi,

Can you please let me know where can I find the solutions for these challenges please.

Hello, this link does not work, the corresponding template is missing. The link is referenced here under URLs section in links "URL - HREF - HTML escaped" and "URL - HREF - URL escaped"

I have been trying to perform XSS for serverside URL encoding challenges like https://public-firing-range.appspot.com/escape/serverside/encodeUrl/attribute_name but I cannot bypass the encoding. Can I get some help regarding this?

https://public-firing-range.appspot.com/reverseclickjacking/singlepage/ParameterInQuery/?q=foo and others in the same section yield Invalid location of the vulnerable parameter. and they should be showing something completely different.

The testcases with where the second parameter should be according to the description echoed withing the HEAD tag is being echoed inside the BODY tag.

Body - HTML escaped - The parameter is echoed within the main BODY tag.
Body - URL escaped - The parameter is echoed within the main BODY tag.
Head - HTML escaped - The parameter is echoed within the HEAD tag.
Head - URL escaped - The parameter is echoed within the HEAD tag.

In all the external toxicdom tests, eg /dom/toxicdom/external/localStorage/array/eval the path to the toxicdomscripts/ servlet is wrong and breaks.

I noticed that both test #1 and test #11 seem to point to the exact same target from the page: angular/index.html. Seems like they should be different and Claudio agrees.