TestREx: a Framework for Repeatable Exploits

TL;DR

TestREx is a comprehensive framework designed to enable automated, repeatable testing of security exploits across diverse web application environments, aiding vulnerability discovery and security assessment.

Contribution

It introduces a novel framework that simplifies the deployment, execution, and monitoring of exploits in varied settings, enhancing security testing efficiency.

Findings

Supports automated exploit injection and monitoring

Enables large-scale vulnerability testing

Provides a corpus of example applications

Abstract

Web applications are the target of many well known exploits and also a fertile ground for the discovery of security vulnerabilities. Yet, the success of an exploit depends both on the vulnerability in the application source code and the environment in which the application is deployed and run. As execution environments are complex (application servers, databases and other supporting applications), we need to have a reliable framework to test whether known exploits can be reproduced in different settings, better understand their effects, and facilitate the discovery of new vulnerabilities. In this paper, we present TestREx - a framework that allows for highly automated, easily repeatable exploit testing in a variety of contexts, so that a security tester may quickly and efficiently perform large-scale experiments with vulnerability exploits. It supports packing and running applications with their environments, injecting exploits, monitoring their success, and generating security reports. We also provide a corpus of example applications, taken from related works or implemented by us.