first:

Author: steinkirch

Gemfile

@@ -0,0 +1,9 @@
+source "http://rubygems.org"
+
+gem 'nyan-cat-formatter'
+gem 'ruby-debug19'
+gem 'rspec'
+gem 'rdoc'
+gem 'activerecord'
+gem 'colorize'
+gem 'rubyless'

Gemfile.lock

@@ -0,0 +1,65 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activesupport (3.1.3)
+      multi_json (~> 1.0)
+    archive-tar-minitar (0.5.2)
+    arel (2.2.1)
+    builder (3.0.0)
+    colorize (0.5.8)
+    columnize (0.3.6)
+    diff-lcs (1.1.3)
+    i18n (0.6.0)
+    json (1.6.4)
+    linecache19 (0.5.12)
+      ruby_core_source (>= 0.1.4)
+    multi_json (1.0.4)
+    nyan-cat-formatter (0.0.5)
+    rdoc (3.12)
+      json (~> 1.4)
+    rspec (2.7.0)
+      rspec-core (~> 2.7.0)
+      rspec-expectations (~> 2.7.0)
+      rspec-mocks (~> 2.7.0)
+    rspec-core (2.7.1)
+    rspec-expectations (2.7.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.7.0)
+    ruby-debug-base19 (0.11.25)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby_core_source (>= 0.1.4)
+    ruby-debug19 (0.11.6)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby-debug-base19 (>= 0.11.19)
+    ruby_core_source (0.1.5)
+      archive-tar-minitar (>= 0.5.2)
+    ruby_parser (2.3.1)
+      sexp_processor (~> 3.0)
+    rubyless (0.8.6)
+      ruby_parser (>= 2.0.4)
+      sexp_processor (>= 3.0.1)
+    sexp_processor (3.0.10)
+    tzinfo (0.3.31)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord
+  colorize
+  nyan-cat-formatter
+  rdoc
+  rspec
+  ruby-debug19
+  rubyless

README.rdoc

@@ -0,0 +1,207 @@
+===========================================================
+= Monitoring Cross-site Request Forgery Attacks (MonCSRF)
+         Stony Brook University, January/2012.
+===========================================================
+
+
+== Introduction
+
+
+MonCSRF is designed to detect requests in a web server that may result on Cross-site Request Forgery (CSRF) attacks [1] [2] [3] [4] [5].
+
+MonCSRF parses a given log file derived from a web server with DIVA [6] and verifies whether (and how) the requests in this file had the state of the system changed (named potential unsafe requests).
+
+
+MonCSRF is written in Ruby 1.9.2 and Ragel [7][8].
+
+
+
+== Strategies
+
+
+
+MonCSRF contains two different strategies for parsing a log file from DIVA.
+
+
+=== Parsing by Regular Expressions (REGEXP)
+
+
+The class representing this strategy is located at:
+
+/lib/log_parser/strategies/sql/regexp.rb
+
+
+The default running does not use this strategy.
+
+
+=== Parsing into an Abstract Syntact Tree (AST)
+
+The class representing this strategy is located at:
+
+/lib/log_parser/strategies/sql/ragel.rl
+
+
+One can generates the .rb file by:
+
+$ ragel -R ragel.rl
+
+Ragel is a state machine compiler and parse generator. It combines lex and yacc into one and build a full state-machine for the input stream, i.e., one state-machine for the parser and lexer [10] [11].
+
+The machine of states parse the SQL request. In an inital state, it receives a string. If in the of the string, the machine is in a final state, the SQL is valid. The AST is a way th machine use to save the data.
+The machine can get four initial paths: UPDATE, DELETE, SELECT, INSERT. It saves into the AST when executes the parse. Ragel has builting Graphviz [12] support to create state charts:
+$ ragel -R ragel.rl | rlgen-dot > ragel.dot
+
+== Whitelisting
+
+Every time one runs MonCSRF, every the potential unsafe requests will be compared to a whitelist. In the case which the program finds a previous similar whitelisted request (i.e., with same syntactic structure), the new request is automatically marked as safe. If the new request is not in the whitelist, the program will generate an alert and ask about the safety of it.
+
+
+The whitelist file can be inspected at:
+
+
+/white_list
+
+
+
+== Tree Struture of the Files
+
+├── bin
+
+│   └── parser.rb
+
+├── lib
+
+│   ├── log_parser
+
+│   │   ├── log_entry.rb
+
+│   │   ├── log.rb
+
+│   │   ├── sql_info.rb
+
+│   │   ├── strategies
+
+│   │   │   └── sql
+
+│   │   │       ├── base.rb
+
+│   │   │       ├── ragel.dot
+
+│   │   │       ├── ragel.rb
+
+│   │   │       ├── ragel.rl
+
+│   │   │       ├── README_strategies
+
+│   │   │       └── regexp.rb
+
+│   │   └── white_list.rb
+
+│   ├── log_parser.rb
+
+│   └── runtime.rb
+
+
+
+== Testings (For Developers)
+
+MonCSRF was written using testings:
+
+$ gem install bundler
+
+$ bundle
+
+$ rspec spec
+
+
+├── spec
+
+│   ├── fixtures
+
+│   │   ├── log
+
+│   │   ├── white_list
+
+│   ├── integration
+
+│   │   └── runtime_spec.rb
+
+│   ├── spec_helper.rb
+
+│   ├── strategies
+
+│   │   └── sql
+
+│   │       ├── ragel_spec.rb
+
+│   │       └── regext_spec.rb
+
+│   ├── support
+
+│   │   └── shared_example_strategy_sql.rb
+
+│   └── unit
+
+│       ├── log_entry_spec.rb
+
+│       ├── log_spec.rb
+
+│       ├── sql_info.rb
+
+│       └── white_list_spec.rb
+
+
+
+
+== Running MonCSRF
+
+To run MonCSRF, one needs to give the name of the log file:
+
+$ bin/parser.rb PATH_TO_THE_LOG
+
+
+To run monCSRF using the default logs/log file:
+
+$./run.sh
+
+To test benchmark:
+
+$./benchmark.sh
+
+
+
+== Documentation
+The complete documentation of monCSRF in HTML is at:
+
+/doc/README_rdoc.html
+
+
+This documentation was generated using RDoc[9] and can be updated by:
+
+$ bundle
+
+$ rdoc
+
+
+
+=== Developers
+
+Marina von Steinkirch, steinkirch at gmail.com
+
+Riccardo Pelizzi, r.pelizzi at gmail.com
+
+
+
+=== References
+[1] CWE/SANS Top 25 Most Dangerous Software Errors, http://cwe.mitre.org/top25/index.html.
+[2] Jovanovic, N., Kirda, E., & Kruegel, C.,  Preventing cross site request forgery attacks, 2007.
+[3] Barth, A., Jackson, C., &  Mitchell, J.C.,  Robust Defenses for Cross-Site Request Forgery, CCS  2008.
+[4] R. Pelizzi & R. Sekar, A Server- and Browser- Transparent CSRF Defense for Web 2.0., 2011.
+[5] Xu, W., Bhatkar, E. & Sekar, R.,  Taint-enhanced policy enforcement, 2006.
+[6] R. Sekar, An Efficient Black-Box Technique for Defeating Web Application Attacks, 2008.
+[7] RVM Sources, http://beginrescueend.com/.
+[8] Ragel Sources, http://www.complang.org/ragel.
+[9] RDoc Sources, http://rdoc.sourceforge.net/.
+[10] http://jan.kneschke.de/projects/mysql/sql-parser-in-rage-l.
+[11] http://www.devchix.com/2008/01/13/a-hello-world-for-ruby-on-ragel-60/.
+[12] http://www.graphviz.org/.

benchmark.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ $1 ]
+then
+  LINES=$(wc -l $1)
+  echo "LINES: $LINES"
+  time ./bin/parser.rb $1 -b
+else
+  echo "Log File not found or not specified."
+fi

bin/parser.rb

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+require File.expand_path('lib/log_parser')
+
+# This is the main file that will run the parser on a log file of our choice..
+# Usage: we can either run it or calculate benchmark. For this second option the argument is -b.
+# The name of the log is the first argument.
+# It calls the class lib/runtime.rb.
+
+benchmark = false
+benchmark = true if ARGV[1] == '-b'
+Runtime.run(ARGV[0], benchmark)