This pull request adds an .lgtm.yml configuration file to teach lgtm.com to build this repository.

See also: https://discuss.lgtm.com/t/cannot-build-ant-build-logs-unhelpful/736/2 @paradoxengine

Added support for local GAE via Ant, based off of the template in appengin-java-sdk-1.9.17.

Added default index.html. I couldn't find the default in the pages directory. Just copy and pasted the default from the public running instance minus the version info. I don't know the best way to pull this data from the project. Should it be a property file, version.java file or introduce it into the build progress?

If these changes make it in, then I can dockerize based off of the google master branch, rather then my branch.

Thanks

Example: https://public-firing-range.appspot.com/escape/serverside/escapeHtml/body?q=a Our ZAP regression tests are failing ;) https://github.com/zapbot/zap-mgmt-scripts/runs/6977470176?check_suite_focus=true

Hi, could you please push the 0.47 version of firing range that is also deployed at https://public-firing-range.appspot.com/? Or is it not inteded to be public?

The version on github is still 0.46.

https://public-firing-range.appspot.com/reverseclickjacking/singlepage/ParameterInQuery/?q=foo and others in the same section yield Invalid location of the vulnerable parameter. and they should be showing something completely different.

Hello, I am struggling in exploiting some of the challenges, can you provide the solutions for that it will be really helpful for me to learn and understand advanced level challenges of XSS as I solved all the Reflected XSS module but I am struggling in solving EscapedXSS module.

The public-firing-range is several versions old and a new version needs to be pushed. Note for example the difference between what is checked into the repo and what's hosted at public-firing-range.appspot.com/dom - specifically the lack of external script loading toxicdomscripts tests.

Currently the link goes to a page showing an error: http://public-firing-range.appspot.com/%5D(http://public-firing-range.appspot.com/)

Error: Not Found

The requested URL /%5D(http://public-firing-range.appspot.com/) was not found on this server.

https://github.com/jesuscmartinez/docker-firing-range has a Dockerfile that works, but only up to commit https://github.com/google/firing-range/commit/c7033adbd15551fc10c1041b5a29d41ccca55cc9.

I adapted it to use the build context's copy of firing-range:

FROM ubuntu:trusty
RUN apt-get update \
 && apt-get install -y -qq wget unzip ant git openjdk-7-jdk \
 && apt-get clean
RUN wget https://storage.googleapis.com/appengine-sdks/featured/appengine-java-sdk-1.9.24.zip \
 && unzip appengine-java-sdk-1.9.24.zip \
 && rm appengine-java-sdk-1.9.24.zip
WORKDIR appengine-java-sdk-1.9.24/demos/firing-range
COPY build.xml build.xml
COPY src src
COPY WEB-INF WEB-INF
EXPOSE 8080
CMD ["sh", "-c", "ant -Daddress=0.0.0.0 runserver && while true; do sleep 10000; done"]

The next commit, https://github.com/google/firing-range/commit/fe45c389a9b58ec46bac0f305f6217f0ac838dd8, ported firing-range to java 8, and I couldn't figure out how to get firing-range working with that in Docker. My experience with Java predates ant... and I'm allergic to xml :-)

The testcases with where the second parameter should be according to the description echoed withing the HEAD tag is being echoed inside the BODY tag.

Body - HTML escaped - The parameter is echoed within the main BODY tag. Body - URL escaped - The parameter is echoed within the main BODY tag. Head - HTML escaped - The parameter is echoed within the HEAD tag. Head - URL escaped - The parameter is echoed within the HEAD tag.

Hello, I am trying to find a way how to perform XSS in style tags. However it seems to me that unless I rely on deprecated or not fixed features of old browsers like :expression and -moz-binding the following pages cannot be exploted. Is it true? If so, could you give me a hint on how to exploit them?

The testcases: /serverside/escapeHtml/css_style /serverside/escapeHtml/css_style_font_value /serverside/escapeHtml/css_style_value /serverside/encodeUrl/css_style /serverside/encodeUrl/css_style_value /serverside/encodeUrl/css_style_value

Hello, this link does not work, the corresponding template is missing. The link is referenced here under URLs section in links "URL - HREF - HTML escaped" and "URL - HREF - URL escaped"

I have been trying to perform XSS for serverside URL encoding challenges like https://public-firing-range.appspot.com/escape/serverside/encodeUrl/attribute_name but I cannot bypass the encoding. Can I get some help regarding this?

Need challenges for some of the below-mentioned list https://public-firing-range.appspot.com/dom/toxicdom/document/cookie_set/eval https://public-firing-range.appspot.com/dom/toxicdom/document/referrer/eval https://public-firing-range.appspot.com/dom/toxicdom/window/name/eval https://public-firing-range.appspot.com/address/location.hash/documentwrite Please provide solutions from these mentioned URLs it will be a great help from your side

thanks and regards