Web applications are the target of many well-known exploits and also a fertile ground for the discovery of security vulnerabilities. Yet, the success of an exploit depends both on the vulnerability in the application source code and the environment in which the application is deployed and run. As execution environments are complex (application servers, databases and other supporting applications), we need to have a reliable framework to test whether known exploits can be reproduced in different settings, better understand their effects, and facilitate the discovery of new vulnerabilities. In this paper, we present TESTREX—a framework that allows for highly automated, easily repeatable exploit testing in a variety of contexts, so that a security tester may quickly and efficiently perform large-scale experiments with vulnerability exploits. It supports packing and running applications with their environments, injecting exploits, monitoring their success, and generating security reports. We also provide a corpus of example applications, taken from related works or implemented by us.

TestREx: a framework for repeatable exploits / Dashevskyi, Stanislav; Dos Santos, Daniel Ricardo; Massacci, Fabio; Sabetta, Antonino. - In: INTERNATIONAL JOURNAL ON SOFTWARE TOOLS FOR TECHNOLOGY TRANSFER. - ISSN 1433-2779. - 21:1(2019), pp. 105-119. [10.1007/s10009-017-0474-1]

TestREx: a framework for repeatable exploits

Dashevskyi, Stanislav; Dos Santos, Daniel Ricardo; Massacci, Fabio; Sabetta, Antonino
2019-01-01

Files in this item:

Dashevskyi, S.a_TestREx-a-framework-for-repeatable-exploits-Article-in-press-_2017.pdf
Archive administrators only
Description: Online first version
Type: Publisher's version (Publisher's layout)
License: All rights reserved
Size: 841.04 kB
Format: Adobe PDF

Dashevskyi2019_Article_TestRExAFrameworkForRepeatable.pdf
Archive administrators only
Description: Final published version
Type: Publisher's version (Publisher's layout)
License: All rights reserved
Size: 830.11 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/197798
Citations
  • Scopus 1