TestREx: a Framework for Repeatable Exploits
This work addresses the need for security testers to efficiently perform large-scale vulnerability experiments, though it is incremental as it builds on existing exploit testing concepts.
The authors tackled the problem of reliably reproducing and testing web application exploits across different complex environments by introducing TestREx, a framework that enables automated, repeatable exploit testing with support for packing applications, injecting exploits, and generating security reports.
Web applications are the target of many well known exploits and also a fertile ground for the discovery of security vulnerabilities. Yet, the success of an exploit depends both on the vulnerability in the application source code and the environment in which the application is deployed and run. As execution environments are complex (application servers, databases and other supporting applications), we need to have a reliable framework to test whether known exploits can be reproduced in different settings, better understand their effects, and facilitate the discovery of new vulnerabilities. In this paper, we present TestREx - a framework that allows for highly automated, easily repeatable exploit testing in a variety of contexts, so that a security tester may quickly and efficiently perform large-scale experiments with vulnerability exploits. It supports packing and running applications with their environments, injecting exploits, monitoring their success, and generating security reports. We also provide a corpus of example applications, taken from related works or implemented by us.