Glastopf Web application honeypot gets SQL injection emulation capability

The Honeynet Project, a non-profit organization that develops open-source security research tools, has created a component for the Glastopf Web application honeypot software that can emulate applications vulnerable to SQL injection attacks in order to trick attackers into revealing their intentions.

In the context of computer security, honeypots are systems that are intentionally left vulnerable in order to collect technical information about attacks. That information can be used to strengthen the security of other systems found on the same network or to develop attack signatures for security products like firewalls.

Honeypots can be used by researchers to discover previously unknown attacks and capture previously undetected malware or can be used by businesses to understand how a system exposed to the Internet with a particular configuration would be targeted by hackers.

One of the several honeypot tools created by people involved in the Honeynet Project is called Glastopf and consists of a Web server that dynamically emulates vulnerable Web applications in order to attract attackers.

Glastopf has been in development since 2009 and is currently at version 3. However, until last week, it lacked the capability of emulating SQL injection vulnerabilities, an important class of Web application vulnerabilities that are commonly targeted by attackers.

That’s no longer the case, because on Saturday the Honeynet Project released an SQL injection “handler” for the Glastopf web application honeypot.

The new component was developed as part of Cyber Fast Track, a research program funded by the Defense Advanced Research Projects Agency (DARPA), a research arm of the U.S. Department of Defense.

“The main goal of this project was the development of a SQL injection vulnerability emulator that goes beyond the collection of SQL vulnerability probings,” the Honeynet Project said in a blog post on Saturday. “It deceives the adversary with crafted responses matching his request into sending us the malicious payload which could include all kinds of malicious code.”

SQL injection vulnerabilities allow attackers to write malicious data into a website’s database or to extract sensitive information from it. Because of this, they can result in serious data breaches.

According to a semi-annual report released by security firm Imperva in August, the median number of SQLi attacks experienced by a typical Web application between December 2011 and May 2012 was 17.5 and in the worst case it was 320.

According to a report from the Honeynet Project that describes the implementation of the Glastopf SQL injection emulator in more detail, limited tests performed with the new component revealed an attack rate of 10 SQL injection attacks per day.

That’s probably because the new SQL injection component can emulate multiple vulnerabilities at once, therefore attracting more attackers than a typical Web application does.

It does this by exposing paths indicating the existence of a known vulnerability to search engine crawlers. Glastopf’s developers call these path-based vulnerability signatures “dorks” and they serve as bait for attackers.

“Querying the search engine for the characteristic of a potentially vulnerable web application will return our honeypot dorks in the search results (probably among other results which point to real and vulnerable web applications),” they explained in the report.

Glastopf can use predefined SQL injection dorks built for known vulnerabilities, but can also build new dorks from the attacks it sees by automatically adding the paths attackers try to access to the database.

“The attack surface general approach is successful and future data analysis will reveal if the new features, like data clustering for dork selection and external dork sources, will increase the amount of malicious requests per day,” the developers said in the report.