It would be nice to get into the mind of an attacker before he actually strikes. That is exactly what the Honeynet Project is doing: it created a component for the Glastopf Web application honeypot software that can emulate applications vulnerable to SQL injection attacks in order to trick attackers into revealing their intentions.
In the context of computer security, honeypots are systems intentionally left vulnerable in order to collect technical information about attacks. With that information, it is then possible to strengthen the security of other systems found on the same network or to develop attack signatures for security products like firewalls.
Researchers use honeypots to discover previously unknown attacks and capture previously undetected malware, and businesses use them to understand how a hacker would target a system exposed to the Internet with a particular configuration.
Glastopf is one of several honeypot tools created by people involved in the Honeynet Project. It consists of a Web server that dynamically emulates vulnerable Web applications in order to attract attackers.
Glastopf has been in development since 2009 and is currently at version 3. However, until last week, it lacked the capability of emulating SQL injection vulnerabilities, an important class of Web application vulnerabilities commonly targeted by attackers.
That’s no longer the case, because on Saturday the Honeynet Project released an SQL injection “handler” for the Glastopf web application honeypot.
The new component is a part of Cyber Fast Track, a research program funded by the Defense Advanced Research Projects Agency (DARPA), a research arm of the U.S. Department of Defense.
“The main goal of this project was the development of a SQL injection vulnerability emulator that goes beyond the collection of SQL vulnerability probings,” the Honeynet Project said in a blog post Saturday. “It deceives the adversary with crafted responses matching his request into sending us the malicious payload which could include all kinds of malicious code.”
SQL injection vulnerabilities allow attackers to write malicious data into a website’s database or to extract sensitive information from it. Because of this, they can result in serious data breaches.
According to a report released by security firm Imperva in August, the median number of SQL injection attacks experienced by a typical Web application between December 2011 and May 2012 was 17.5 and in the worst case it was 320.
According to a report from the Honeynet Project that describes the implementation of the Glastopf SQL injection emulator in more detail, limited tests performed with the new component revealed an attack rate of 10 SQL injection attacks per day.
That’s probably because the new SQL injection component can emulate multiple vulnerabilities at once, therefore attracting more attackers than a typical Web application does.
It does this by exposing paths indicating the existence of a known vulnerability to search engine crawlers. Glastopf’s developers call these path-based vulnerability signatures “dorks” and they serve as bait for attackers.
“Querying the search engine for the characteristic of a potentially vulnerable web application will return our honeypot dorks in the search results (probably among other results which point to real and vulnerable web applications),” they said in the report.
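A defender reviewing a honeypot's request log could separate SQL injection probes from ordinary hits and see how many arrived through an advertised dork path, as in the sketch below. This is an added example, not Glastopf's code: the dork paths, the log format, the sample lines and the indicator regex are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Hypothetical dork paths the honeypot advertises to search engine crawlers.
DORK_PATHS = {"/shop/product.php", "/forum/viewtopic.php"}

# Coarse SQL injection indicators, applied to URL-decoded parameter values.
SQLI_RE = re.compile(
    r"['\"]\s*(?:or|and)\b|\bunion\b.+\bselect\b|--|/\*"
    r"|\binformation_schema\b|\bsleep\s*\(",
    re.IGNORECASE,
)

# Constructed log lines in an assumed format: "<date> <time> <method> <target>".
SAMPLE_LOG = """\
2012-09-15 08:01:12 GET /shop/product.php?id=7
2012-09-15 08:03:40 GET /shop/product.php?id=7%27%20OR%20%271%27%3D%271
2012-09-15 09:15:02 GET /forum/viewtopic.php?t=1+UNION+SELECT+1,2,3--
2012-09-16 11:20:55 GET /index.html
2012-09-16 11:22:10 GET /forum/viewtopic.php?t=42
2012-09-16 23:59:01 GET /shop/product.php?id=1%20AND%20SLEEP(5)
"""

def classify(target, dork_paths=DORK_PATHS):
    """Return (dork_hit, sqli_probe) for one request-target."""
    parts = urlsplit(target)
    values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path in dork_paths, any(SQLI_RE.search(v) for v in values)

def summarize(log_text):
    """Count SQLi probes per day and how many of them hit a dork path."""
    per_day, via_dork = Counter(), 0
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines
        day, _time, _method, target = fields
        dork_hit, sqli = classify(target)
        if sqli:
            per_day[day] += 1
            via_dork += int(dork_hit)
    return dict(per_day), via_dork

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The regex is deliberately coarse and will flag some benign values, so its matches are candidates for review rather than confirmed attacks.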