glaslos closed 7 years ago
Can you please provide some more information regarding this issue?
An attack against a web application usually has a path that reveals the application targeted. E.g. if we see something like /wp_admin/index.php?user=<script>alert("foo");</script> we can tell that the attacker is targeting a WordPress vulnerability.
As I see Glastopf more as a data collection tool, we might also think about implementing this on top of hpfeeds or mnemosyne.
A good starting point would be to look at tools doing web application recognition. They usually crawl the web app and look for known path names.
My ideas ...
1) glastopf/modules/HTTP has got all the functions to extract contents from the request.
2) Check whether the request type is GET, parse all the data fields and the headers from the GET request.
4) Get the URL and split it up to the '='.
5) Either search Google with some dorks (use urllib2 to automate the search) or make a crawler which checks the web apps for the specific URLs.
6) Suppose we found the attacker is aiming at the WordPress app, then we use a WordPress login template as honeypot to fool the attacker.
Please correct me if I am on the wrong path :-)
Hm, I wouldn't reinvent the wheel. Maybe something like this: http://blindelephant.sourceforge.net/
It would be useful to have a request path -> web application mapping at least for the major web applications. E.g. wp-content belongs to WordPress. This way we can customize the honeypot's response (serve a WordPress template instead of the default one).
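
The request path -> web application mapping described in the last comment, as an added example that is not part of the original thread and not Glastopf's own code. The signature table, the function names and the template names are constructed assumptions; the underscore variant of wp-admin is accepted because the example path earlier in the thread uses it.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed signature table (assumption, not Glastopf data):
# path patterns that identify the application a request is aimed at.
SIGNATURES = {
    "wordpress": [r"/wp[-_](admin|content|includes)(/|$)",
                  r"/wp-login\.php$", r"/xmlrpc\.php$"],
    "joomla": [r"/administrator(/|$)", r"/components/com_\w+"],
    "drupal": [r"/sites/(default|all)(/|$)", r"/misc/drupal\.js$"],
    "phpmyadmin": [r"/(phpmyadmin|pma)(/|$)"],
}
COMPILED = {app: [re.compile(p) for p in pats] for app, pats in SIGNATURES.items()}
DEFAULT_TEMPLATE = "default"  # hypothetical template name


def normalize_path(raw_url):
    """Return the request path lowercased, percent-decoded and without dot segments.

    The query is cut off by hand instead of with urlsplit(), because urlsplit()
    would read a scanner request such as '//wp-content/x' as host 'wp-content'.
    """
    path = unquote(raw_url.partition("?")[0]).lower()
    # normpath collapses '//' and resolves '..'; lstrip avoids POSIX's special
    # handling of exactly two leading slashes.
    return posixpath.normpath("/" + path.lstrip("/"))


def classify(raw_url):
    """Map a request URL to (application, template name).

    Each application scores one point per matching pattern; a request that
    matches nothing gets (None, DEFAULT_TEMPLATE) so the honeypot falls back
    to its default response.
    """
    path = normalize_path(raw_url)
    scores = {app: sum(1 for rx in rxs if rx.search(path))
              for app, rxs in COMPILED.items()}
    best = max(scores, key=scores.get)
    if scores[best] == 0:
        return None, DEFAULT_TEMPLATE
    return best, best + "_login"  # hypothetical template naming scheme


if __name__ == "__main__":
    # Constructed sample requests; the first is the path quoted in the thread.
    for url in ('/wp_admin/index.php?user=<script>alert("foo");</script>',
                "/WP%2DContent/plugins/../themes/x.php", "/index.html"):
        print(url, "->", classify(url))
```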