Krakow, April 24-25, 2010
Capturing Web Application Threats Using virtual CMS Honeypot
Saharudin Saat
Why We Do It? Which is the BEST CMS?
UiTM currently uses Joomla, but it has too many exploits
• Current trends:
• PHP
• Ruby
• JSP
• ASP
Why Honeypot?
• Capture live attacks
• Find solutions for 0-day attacks
• Hackers view the virtual honeypots as a real server (playground)
• Honeypots cannot be used as a stepping stone to do any harm (permit in, block out)
The Architecture
Tools
• Raw honeypot (VirtualBox)
• Proxy (Pound, Apache log format)
• AWStats (log analysis)
• Snort (signatures)
• ACID/BASE (reporting)
• Tcpdump (record packets)
• Tcpreplay (replay captured packets after a crash)
What's Different?
• Enhanced AWStats error logs
• Detailed error messages based on W3C
• Custom virus and worm signatures
• Better reports
Results and Findings
Percentages of attack
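The talk computes these percentages from the Apache-format logs the Pound proxy writes in front of the PHP/ASP/JSP/Ruby honeypots. The following script is an added example, not the speaker's tooling: it parses Apache combined-format lines, guesses the targeted CMS flavour from the script extension, flags error responses and traversal paths as probes, and reports each flavour's share. The log regex, the extension map and the sample log lines are my own constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format, which the Pound proxy writes (regex is my assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CMS flavour guessed from the requested script extension; Rails-style
# extension-less Ruby routes will land in "Other".
CMS_BY_EXT = {".php": "PHP", ".asp": "ASP", ".aspx": "ASP", ".jsp": "JSP", ".rb": "Ruby"}

def cms_of(path):
    """Return the CMS flavour a request path targets, by script extension."""
    p = path.split("?", 1)[0].lower()
    for ext, cms in CMS_BY_EXT.items():
        if p.endswith(ext):
            return cms
    return "Other"

def is_suspicious(status, path):
    """Heuristic: a 4xx/5xx response, or a path with directory traversal, counts as a probe."""
    return status >= 400 or "../" in path

def attack_percentages(lines):
    """Map each CMS flavour to its share (percent) of suspicious requests."""
    hits, total = Counter(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format (e.g. a truncated line)
        if is_suspicious(int(m["status"]), m["path"]):
            hits[cms_of(m["path"])] += 1
            total += 1
    return {cms: round(100.0 * n / total, 1) for cms, n in hits.items()} if total else {}

# Constructed sample lines, not taken from the talk's honeypot.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Apr/2010:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Apr/2010:10:00:02 +0200] "GET /administrator/index.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2010:10:00:03 +0200] "GET /index.php?p=../../ HTTP/1.1" 200 88 "-" "curl/7.19"',
    '198.51.100.7 - - [24/Apr/2010:10:00:04 +0200] "POST /admin/config.php HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.7 - - [24/Apr/2010:10:00:05 +0200] "GET /default.aspx HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.8 - - [24/Apr/2010:10:00:06 +0200] "GET /manager/index.jsp HTTP/1.1" 401 0 "-" "-"',
    'garbled line that a log analyser would also skip',
]

if __name__ == "__main__":
    print(attack_percentages(SAMPLE_LOG))  # {'PHP': 60.0, 'ASP': 20.0, 'JSP': 20.0}
```

A real deployment would feed the proxy's log file in place of SAMPLE_LOG and extend is_suspicious with the Snort or custom signatures the talk mentions.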
PHP CMS
• Default (welcome intruder)
• Cliché (admin)
ASP CMS
• Windows viruses and worms
• Do not work on Linux (mod_mono .NET environment)
JSP CMS
• Unauthorized access (servlet manager)
RUBY CMS
• Normal access
Conclusion
Future plan: JSP/Ruby
• PHP: most threats
• ASP: high threats but less significant impact
• JSP: fewer threats but high impact
• Ruby: low impact
Future Works
• Compiled attacks can be utilised for IDS/IPS
• Implement database monitoring
Thank you! Questions?