A next-generation Web server honeypot project is under way that poses as Web servers with thousands of vulnerabilities in order to gather firsthand data from real attacks targeting Websites.
Unlike other Web honeypots, the new open-source Glastopf tool dynamically emulates vulnerabilities attackers are looking for, so it's more realistic and can gather more detailed attack information, according to its developers. "Many attackers are checking the vulnerability of the application before they inject malicious code. My project is the first Web application honeypot with a working vulnerability emulator able to respond properly to attacker requests," says Lukas Rist, who created Glastopf.
Rist, a student, built Glastopf through the Google Summer of Code (Gsoc) 2009 program, where student developers write code for open-source projects. His Web honeypot was one of the Honeynet Project's Gsoc projects.
Unlike other Web honeypots that use templates posing as real Web apps, Glastopf basically adapts to the attack and can automatically detect and allow an unknown attack. Glastopf uses a combination of known signatures of vulnerabilities and also records the keywords an attacker uses when visiting the honeypot to ensure it gets indexed in search engines, which attackers often use to find new targets. The project uses a central database to gather the Web attack data from the Glastopf honeypot sensors installed by participants who want to share their data with the database.