Aggressive web application honeypot for exposing attacker's identity

2014 The 1st International Conference on Information Technology, Computer, and Electrical Engineering Pub Date : 2014-10-26 DOI:10.1109/ICITACEE.2014.7065744

S. Djanali, F. X. Arunanto, B. Pratomo, Abdurrazak Baihaqi, H. Studiawan, A. M. Shiddiqi

{"title":"Aggressive web application honeypot for exposing attacker's identity","authors":"S. Djanali, F. X. Arunanto, B. Pratomo, Abdurrazak Baihaqi, H. Studiawan, A. M. Shiddiqi","doi":"10.1109/ICITACEE.2014.7065744","DOIUrl":null,"url":null,"abstract":"Attackers are most likely to exploit invalidated and unsanitized user input with several attacks such as cross-site scripting (XSS) or SQLinjection. Many methods were proposed to prevent those attacks. Some of them were created to learn about pattern and behavior of the attacker. That is honeypot. Honeypot is classified into two types based on the simulation that honeypot can do : low interaction and high interaction. In this paper, we propose a low-interaction honeypot for emulating vulnerabilities that can be exploited using XSS and SQL injection attacks. But this honeypot not only records attacker's request, but also try to expose attacker identity by using some browser exploitation techniques. Some attackers would use techniques to hide their identity, thus they couldn't be tracked. Our proposed honeypot was trying to overcome this problem by giving them malicious JavaScript codes. The malicious JavaScript codes will be run when an attacker open the honeypot's website. We have conducted several test to see how our honeypot's performance. Our honeypot could catch more useful information about the HTTP request than popular web-based honeypot, Glastopf. Moreover, there were attacker's social media accounts caught by using LikeJacking technique although they might have used proxy or TOR to hide their identity.","PeriodicalId":404830,"journal":{"name":"2014 The 1st International Conference on Information Technology, Computer, and Electrical Engineering","volume":"80 8 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-10-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"31","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 The 1st International Conference on Information Technology, Computer, and Electrical Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICITACEE.2014.7065744","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 31

Abstract

Attackers are most likely to exploit invalidated and unsanitized user input with several attacks such as cross-site scripting (XSS) or SQLinjection. Many methods were proposed to prevent those attacks. Some of them were created to learn about pattern and behavior of the attacker. That is honeypot. Honeypot is classified into two types based on the simulation that honeypot can do : low interaction and high interaction. In this paper, we propose a low-interaction honeypot for emulating vulnerabilities that can be exploited using XSS and SQL injection attacks. But this honeypot not only records attacker's request, but also try to expose attacker identity by using some browser exploitation techniques. Some attackers would use techniques to hide their identity, thus they couldn't be tracked. Our proposed honeypot was trying to overcome this problem by giving them malicious JavaScript codes. The malicious JavaScript codes will be run when an attacker open the honeypot's website. We have conducted several test to see how our honeypot's performance. Our honeypot could catch more useful information about the HTTP request than popular web-based honeypot, Glastopf. Moreover, there were attacker's social media accounts caught by using LikeJacking technique although they might have used proxy or TOR to hide their identity.

查看原文本刊更多论文

侵略性的web应用程序蜜罐暴露攻击者的身份

攻击者很可能利用无效和未经处理的用户输入进行多种攻击，例如跨站点脚本(XSS)或SQLinjection。人们提出了许多方法来防止这些攻击。其中一些是为了了解攻击者的模式和行为而创建的。这就是蜜罐。根据蜜罐所能进行的仿真，将蜜罐分为低交互和高交互两种类型。在本文中，我们提出了一个低交互蜜罐来模拟可以被XSS和SQL注入攻击利用的漏洞。但是这个蜜罐不仅记录了攻击者的请求，而且还尝试使用一些浏览器攻击技术来暴露攻击者的身份。一些攻击者会使用技术来隐藏他们的身份，这样他们就无法被跟踪。我们提出的蜜罐试图通过提供恶意JavaScript代码来克服这个问题。恶意JavaScript代码将在攻击者打开蜜罐网站时运行。我们进行了几次测试，看看我们的蜜罐的性能如何。我们的蜜罐可以比流行的基于web的蜜罐Glastopf捕获更多关于HTTP请求的有用信息。此外，尽管攻击者可能使用代理或TOR隐藏了自己的身份，但他们的社交媒体账户还是通过使用LikeJacking技术被发现的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2014 The 1st International Conference on Information Technology, Computer, and Electrical Engineering

自引率

0.00%

发文量