This is the code base of Deemon, a tool to detect CSRF in web applications. Deemon is an application-agnostic, automated framework designed to be used by developers and security analysts during the security testing phase of the software development life-cycle. The current version of Deemon supports PHP-based web applications that use MySQL databases.
Deemon has been used for the paper Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs by G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow.
@inproceedings{deemon2017,
  title={{\textsc{Deemon}: Detecting CSRF with Dynamic Analysis and Property Graphs}},
  author={Pellegrino, Giancarlo and Johns, Martin and Koch, Simon and Backes, Michael and Rossow, Christian},
  booktitle={{Proceedings of the 2017 ACM Conference on Computer and Communications Security}},
  year={2017},
  organization={ACM}
}
This project consists in a number of tools that are chained in a variety of ways. It also uses a number of existing tools:
- zumka: Tools to instrument VM (bitnami + vbox only)
- vilanoo: HTTP/S proxy that intercepts browser requests.
- mosgi: Server to collect Web Application raw execution traces, session data, and file I/O.
- rawtrace-analysis: A tool that extracts SQL traces, session data snapshots, and file I/O operations from raw traces of mosgi and vilanoo.
- dbmanager: The tool create a property graph of the web application. It imports dynamic traces and infers (1) finate-state machines, (2) data-flow models, and (3) data types.
- testermanager: The tool to generate tests to detect CSRF vulnerabilities
- csrf-test-runner: The tool to execute tests against a web application
Deemon relies on two external tools:
- Selenium IDE: (not included in Deemon) Tool to capture user-generated Selenese HTML
- selenese-runner-java: (included as binary in Deemon) Tool to run Selenese HTML.
- proxy2: (included in Deemon) HTTP/HTTPS proxy in a single python script.
Requirements and installation of internal component are here. For the external ones, please refer to the documentation of each project.
Note: A standalone .jar file of the interactive selenese-runner is in our repository.
We prepared a quick tutorial to get into the testing for CSRF vulnerabilities right away here as well as a more extensive documentation of each tool involved here.
- Giancarlo Pellegrino <gpellegrino[at]cispa.saarland>
- Simon Koch <s9sikoch[at]stud.uni-saarland.de>
- Florian Loch
- Benny Rolle