This is an old revision of the document!


TestREx (Testbed for Repeatable Exploits) - Download Guide

If you are interested in the research topics of the Security Group on testbeds, please check the page on Cyber Security Testbeds and Malware Testing.

TestREx is a system for building repeatable exploits. Its main features include the following:

  • Packing and running web applications with their software environments
  • Injecting scripted exploits and monitoring the results of their execution
  • Generating reports with successes/failures of the exploits
  • A corpus of sample applications and exploits is provided for demonstration purposes

The corresponding publication is

  • S. Dashevskyi, D. Ricardo dos Santos, F. Massacci, A. Sabetta. TestREx: a Testbed for Repeatable Exploits. In: Proc. of Usenix Security CSET 2014, San Diego (CA), USA. PDF

Downloads:

  • The exploitation is protected by a patent application owned by SAP.
  • To obtain the sources please contact us.

Quick installation notes:

Required software and its versions

  • Ubuntu 16.04
  • Python 2.7.* (should also work with Python 3.4.*)
  • Docker, Selenium and several other packages (can be installed via the './scripts/install.sh' script)

REMARK: While TestREx should work on any Linux distribution (tested on Ubuntu 16.04), the 'install.sh' script will work only if the apt package manager is available. Otherwise, all the required software can be installed manually.

  • Copy the sources into a separate folder
  • Run the 'install.sh' file from the TestREx root folder:
       sudo sh ./scripts/install.sh
  • You might need to reboot/log out when all packages are installed
  • Build the base software images by running:
       sudo python [TestREx_root_folder]/util/build-base-images.py

To check whether TestREx works:

  • Manual testing of the Wordpress 3.2 application:
       sudo python run.py --manual wordpress3.2ubuntu-apache-mysql --port 80
  • Open a web browser and type: http://localhost:49160/wordpress/wp-login.php

Automated testing of the Nodegoat application:

  • Run all available (few) exploit scripts against a single instance of the Nodegoat image:
       sudo python run.py --batch nodegoatubuntu-node-mongo --noreset --visible --verbose --port 8888

Publications

  • A. Sabetta, L. Compagna, S. Ponta, S. Dashevskyi, D.R. dos Santos, F. Massacci. Multi-context exploit test management. US Patent 20160314302, 2016. https://www.google.com/patents/US20160314302
  • S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. TestREx: a Testbed for Repeatable Exploits. In Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (CSET), 2014. PDF
testrex.1498119326.txt.gz · Last modified: 2021/01/29 10:58 (external edit)