Glastopf Web application honeypot gets SQL injection emulation capability

The Honeynet Project releases SQL injection emulator for the open-source Glastopf web application honeypot

The Honeynet Project, a non-profit organization that develops open-source security research tools, has created a component for the Glastopf Web application honeypot software that can emulate applications vulnerable to SQL injection attacks in order to trick attackers into revealing their intentions.

In the context of computer security, honeypots are systems that are intentionally left vulnerable in order to collect technical information about attacks. That information can be used to strengthen the security of other systems found on the same network or to develop attack signatures for security products like firewalls.

Honeypots can be used by researchers to discover previously unknown attacks and capture previously undetected malware or can be used by businesses to understand how a system exposed to the Internet with a particular configuration would be targeted by hackers.

One of the several honeypot tools created by people involved in the Honeynet Project is called Glastopf and consists of a Web server that dynamically emulates vulnerable Web applications in order to attract attackers.

Glastopf has been in development since 2009 and is currently at version 3. However, until last week, it lacked the ability to emulate SQL injection vulnerabilities, an important class of Web application vulnerabilities that attackers commonly target.

That's no longer the case, because on Saturday the Honeynet Project released an SQL injection "handler" for the Glastopf web application honeypot.

The new component was developed as part of Cyber Fast Track, a research program funded by the Defense Advanced Research Projects Agency (DARPA), a research arm of the U.S. Department of Defense.

"The main goal of this project was the development of a SQL injection vulnerability emulator that goes beyond the collection of SQL vulnerability probings," the Honeynet Project said in a blog post on Saturday. "It deceives the adversary with crafted responses matching his request into sending us the malicious payload which could include all kinds of malicious code."

SQL injection vulnerabilities allow attackers to write malicious data into a website's database or to extract sensitive information from it. Because of this, they can result in serious data breaches.

According to a semi-annual report released by security firm Imperva in August, the median number of SQLi attacks experienced by a typical Web application between December 2011 and May 2012 was 17.5 and in the worst case it was 320.

According to a report from the Honeynet Project that describes the implementation of the Glastopf SQL injection emulator in more detail, limited tests performed with the new component revealed an attack rate of 10 SQL injection attacks per day.

That's probably because the new SQL injection component can emulate multiple vulnerabilities at once, therefore attracting more attackers than a typical Web application does.

It does this by exposing to search engine crawlers paths that indicate the presence of a known vulnerability. Glastopf's developers call these path-based vulnerability signatures "dorks", and they serve as bait for attackers.

"Querying the search engine for the characteristic of a potentially vulnerable web application will return our honeypot dorks in the search results (probably among other results which point to real and vulnerable web applications)," they explained in the report.

Glastopf can use predefined SQL injection dorks built for known vulnerabilities, but it can also build new dorks from the attacks it sees by automatically adding to its database the paths that attackers try to access.
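To make the dork mechanism described above concrete, here is an added illustration that is not Glastopf's own code. It assumes a constructed set of SQL injection probe heuristics, a constructed request-line format, and an in-memory dork store; the real handler's detection rules and storage are not described on this page. The store starts from predefined dorks, flags request parameters that look like injection probes, turns the requested path and parameter into a new dork, and renders an index page that a crawler can pick up.

```python
"""Dork learning for a web honeypot (added example, not Glastopf code).

Assumptions, none of which come from the article: the probe heuristics,
the request-line format and the storage layout are all constructed here.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed heuristics for spotting an SQL injection probe in a parameter
# value. A real honeypot would use a far richer set; these are illustrative.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?select\b"),           # UNION SELECT
    re.compile(r"(?i)\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),  # tautology
    re.compile(r"(?i)\b(sleep|benchmark)\s*\("),                       # time-based
    re.compile(r"'\s*(--|#|/\*)"),                                    # quote + comment
]


def is_sqli_probe(value):
    """True if a decoded parameter value matches one of the probe heuristics."""
    return any(p.search(value) for p in SQLI_PATTERNS)


class DorkStore:
    """Path-based vulnerability signatures ("dorks") used as search-engine bait."""

    def __init__(self, predefined):
        # dork -> number of injection probes seen against it (0 for predefined)
        self.dorks = {d: 0 for d in predefined}

    def observe(self, request_line):
        """Record one request line ("GET /path?q=v HTTP/1.1").

        Returns the names of parameters flagged as injection probes. Each
        flagged path/parameter pair becomes a new dork, so the honeypot
        grows its attack surface from what attackers actually try.
        """
        _method, target, _version = request_line.split(" ", 2)
        parts = urlsplit(target)
        flagged = []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_sqli_probe(value):
                flagged.append(name)
                dork = f"{parts.path}?{name}="
                self.dorks[dork] = self.dorks.get(dork, 0) + 1
        return flagged

    def render_index(self, host):
        """Build an HTML page linking every dork, for crawlers to index."""
        lines = ["<html><body>"]
        for dork in sorted(self.dorks):
            lines.append(f'<a href="http://{host}{dork}1">{dork}1</a>')
        lines.append("</body></html>")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample traffic: one benign request, two probes.
    store = DorkStore(["/index.php?id="])
    samples = [
        "GET /index.php?id=1 HTTP/1.1",
        "GET /news.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1",
        "GET /news.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1",
    ]
    for line in samples:
        print(line, "->", store.observe(line))
    print(store.render_index("honeypot.example"))
```

The host name and the predefined dork are placeholders. Counting probes per dork gives an operator the data the report alludes to: which baits draw traffic and which do not.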

"The attack surface general approach is successful and future data analysis will reveal if the new features, like data clustering for dork selection and external dork sources, will increase the amount of malicious requests per day," the developers said in the report.


Lucian Constantin

IDG News Service
