Deemon is a tool to detect CSRF in web applications. Deemon has been used for the paper "Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs" by G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow.
csrf-test-runner
data
deep-modeling
docs
mosgi
rawtrace-analysis
selenese-runner
testing
vilanoo/src
zumka
.gitignore
README.md
create-consecutive-state.sh
run-csrf-test.sh
run-test-runner.sh
run-test.sh

Deemon Project

This is the code base of Deemon, a tool to detect CSRF in web applications. Deemon is an application-agnostic, automated framework designed to be used by developers and security analysts during the security testing phase of the software development life-cycle. The current version of Deemon supports PHP-based web applications that use MySQL databases.

Deemon has been used for the paper Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs by G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow.

Bibtex:

@inproceedings{deemon2017,
  title={{\textsc{Deemon}: Detecting CSRF with Dynamic Analysis and Property Graphs}},
  author={Pellegrino, Giancarlo and Johns, Martin and Koch, Simon and Backes, Michael and Rossow, Christian},
  booktitle={{Proceedings of the 2017 ACM Conference on Computer and Communications Security}},
  year={2017},
  organization={ACM}
}

Components

This project consists of a number of tools that can be chained in a variety of ways. It also uses a number of existing tools. The internal components are:

  • zumka: Tools to instrument the VM (bitnami + vbox only).
  • vilanoo: HTTP/S proxy that intercepts browser requests.
  • mosgi: Server to collect Web Application raw execution traces, session data, and file I/O.
  • rawtrace-analysis: A tool that extracts SQL traces, session data snapshots, and file I/O operations from raw traces of mosgi and vilanoo.
  • dbmanager: The tool that creates a property graph of the web application. It imports dynamic traces and infers (1) finite-state machines, (2) data-flow models, and (3) data types.
  • testermanager: The tool that generates tests to detect CSRF vulnerabilities.
  • csrf-test-runner: The tool that executes tests against a web application.

External components

Deemon relies on two external tools:

  • Selenium IDE: (not included in Deemon) Tool to capture user-generated Selenese HTML
  • selenese-runner-java: (included as binary in Deemon) Tool to run Selenese HTML.
  • proxy2: (included in Deemon) HTTP/HTTPS proxy in a single python script.

License

GPL v3

Installation

Requirements and installation instructions for the internal components are here. For the external ones, please refer to the documentation of each project.

Note: A standalone .jar file of the interactive selenese-runner is in our repository.

Tutorials

We prepared a quick tutorial to get started with testing for CSRF vulnerabilities right away here, as well as more extensive documentation of each tool involved here.

Authors

  • Giancarlo Pellegrino <gpellegrino[at]cispa.saarland>
  • Simon Koch <s9sikoch[at]stud.uni-saarland.de>
  • Florian Loch
  • Benny Rolle