Home

Deemon Project

This is the code base of Deemon, a tool to detect CSRF in web applications. Deemon is an application-agnostic, automated framework designed to be used by developers and security analysts during the security testing phase of the software development life-cycle. The current version of Deemon supports PHP-based web applications that use MySQL databases.

Deemon has been used for the paper Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs by G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow.

Bibtex:

@inproceedings{deemon2017,
  title={{\textsc{Deemon}: Detecting CSRF with Dynamic Analysis and Property Graphs}},
  author={Pellegrino, Giancarlo and Johns, Martin and Koch, Simon and Backes, Michael and Rossow, Christian},
  booktitle={{Proceedings of the 2017 ACM Conference on Computer and Communications Security}},
  year={2017},
  organization={ACM}
}

Components

This project consists of a number of tools that are chained together in a variety of ways. It also uses a number of existing tools:

External components

Deemon relies on two external tools:

License

GPL v3

Installation

Requirements and installation instructions for the internal components are here. For the external ones, please refer to the documentation of each project.

Note: A standalone .jar file of the interactive selenese-runner is in our repository.

Tutorials

We prepared a quick tutorial to start testing for CSRF vulnerabilities right away here, as well as more extensive documentation of each tool involved here.

Authors