mushorg / glastopf

Web Application Honeypot
http://glastopf.org

Path to application mapping #44

Closed glaslos closed 7 years ago

glaslos commented 11 years ago

It would be useful to have a request path -> web application mapping, at least for the major web applications. E.g. wp-content belongs to WordPress. This way we can customize the honeypot's response (serve a WordPress template instead of the default one).

adarshdinesh commented 11 years ago

Can you please provide some more information regarding this issue?

glaslos commented 11 years ago

An attack against a web application usually has a path that reveals the application targeted. E.g. if we see something like /wp_admin/index.php?user=<script>alert("foo");</script> we can tell that the attacker is targeting a WordPress vulnerability. As I see Glastopf more as a data collection tool, we might also think about implementing this on top of hpfeeds or mnemosyne. A good starting point would be to look at tools doing web application recognition. They usually crawl the web app and look for known path names.
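
The path-to-application lookup described in this comment, as an added Python example that is not part of the thread or of Glastopf's code. The signature table is a small constructed sample, the template names are hypothetical, and the request target is assumed to be in origin form (path plus optional query string).

```python
from urllib.parse import unquote

# Constructed sample table: path segment -> application name. A real
# deployment would load a far larger list from a fingerprinting data set.
SEGMENT_SIGNATURES = {
    "wp-content": "wordpress",
    "wp-admin": "wordpress",
    "wp_admin": "wordpress",    # spelling used in the thread's example request
    "wp-includes": "wordpress",
    "wp-login.php": "wordpress",
    "phpmyadmin": "phpmyadmin",
}

# Hypothetical template names; "default" stands for the honeypot's stock page.
TEMPLATES = {
    "wordpress": "wordpress_login",
    "phpmyadmin": "phpmyadmin_login",
}


def path_segments(request_target):
    """Return normalized path segments of an origin-form request target.

    The query string is dropped so that a marker appearing only in a
    parameter value (e.g. a file-inclusion probe) does not change the result.
    """
    path = request_target.partition("?")[0]
    # Decode percent-encoding once, as a web server would, then fold case
    # and treat backslashes as separators.
    path = unquote(path).lower().replace("\\", "/")
    # Empty segments (from "//") and "." carry no information.
    return [seg for seg in path.split("/") if seg not in ("", ".")]


def classify(request_target):
    """Map a request target to an application name, or None if unknown."""
    for seg in path_segments(request_target):
        app = SEGMENT_SIGNATURES.get(seg)
        if app is not None:
            return app
    return None


def template_for(request_target):
    """Pick the response template for a request, falling back to the default."""
    return TEMPLATES.get(classify(request_target), "default")
```

Matching whole path segments rather than substrings keeps a path such as /mywp-content-backup/ from being tagged as WordPress, and the returned application name can also be attached to the logged event.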

adarshdinesh commented 11 years ago

My ideas...

1) glastopf/modules/HTTP has all the functions to extract contents from the request.
2) Check whether the request type is GET, and parse all the data fields and the headers from the GET request.
4) Get the URL and split it up to the '='.
5) Either search Google with some dorks (use urllib2 to automate the search) or make a crawler which checks the web apps for the specific URLs.
6) Suppose we found the attacker is aiming at the WordPress app; then we use a WordPress login template as the honeypot to fool the attacker.

Please correct me if I am on the wrong path :-)

glaslos commented 11 years ago

Hm, I wouldn't reinvent the wheel. Maybe something like this: http://blindelephant.sourceforge.net/