capturing web application threats using virtual cms honeypot

Krakow, April 24-25, 2010

Capturing Web Application Threats Using virtual CMS Honeypot

Saharudin Saat


Why We Do It?Which is the BEST CMS?

UiTM currently uses JOOMLA but too many exploits

• Current trends:• PHP• Ruby• JSP• ASP

?

http://www.google.com.my/imgres?imgurl=http://www.bletchley-park.com/wp-content/uploads/2009/05/php.png&imgrefurl=http://www.bletchley-park.com/&usg=__ld8lHaH0WP9wQFE5EY84Zw1Wv-4=&h=376&w=576&sz=82&hl=en&start=1&itbs=1&tbnid=6k7fLwXklbmkPM:&tbnh=87&tbnw=134&prev=/images?q=php&hl=en&gbv=2&tbs=isch:1

http://www.google.com.my/imgres?imgurl=http://1.bp.blogspot.com/_KKz-LF71ZkA/SWI2bfs_ccI/AAAAAAAAAKM/aNL6gH0BCtc/s320/ruby-logo-34.png&imgrefurl=http://beingathreya.blogspot.com/2009_01_01_archive.html&usg=__qIL6NIu1CC_n7civhGbDsXmgpBE=&h=300&w=300&sz=38&hl=en&start=6&itbs=1&tbnid=0NfyLy2npCGqfM:&tbnh=116&tbnw=116&prev=/images?q=ruby+logo&hl=en&gbv=2&tbs=isch:1

http://www.google.com.my/imgres?imgurl=http://www.socialbc.com/files/active/1/JSP_LOGO_RGB.jpg&imgrefurl=http://www.socialbc.com/en/node/48813&usg=__M2BPxb7Q8aIkXClU26VUmTIEy9w=&h=650&w=650&sz=119&hl=en&start=1&itbs=1&tbnid=rqIAOGm1SKGOjM:&tbnh=137&tbnw=137&prev=/images?q=jsp&hl=en&sa=N&gbv=2&ndsp=18&tbs=isch:1


Why Honeypot?

• Capture live attacks• Find solution for 0 day • Hackers view the virtual honeypots as a real

server (playground)• Honeypots cannot be used as a stepping stone to

do any harm (permit in, block out)


The Architecture


Tools• Raw Honeypot (virtualbox)• Proxy (pound – apache log format)• Awstats (log analysis)• Snort (signatures)• ACID BASE (report )• Tcpdump (record packets)• Tcpreplay (crash - replay packets )


What’s Different?• Enhanced awstats error logs• Detailed error message based on W3C• Custom virus and worm signature• Better report


Results and FindingsPercentages of attack


PHP CMS

• Default (welcome intruder)• Cliché (admin)


ASP CMS

• Windows virus and worm• Not work on Linux (mod mono - .NET environment)


JSP CMS

• unauthorized access (servlet manager)


RUBY CMS

• Normal access


Conclusion

Future plan JSP/Ruby

• PHP most threats • ASP high threats but less significant impact• JSP less threats but high impact• Ruby low impact


Future Works• Compiled attacks can be utilised for IDS/IPS• Implement database monitoring


Thank you!Questions?

http://www.google.com.my/imgres?imgurl=http://school.discoveryeducation.com/clipart/images/question.gif&imgrefurl=http://school.discoveryeducation.com/clipart/clip/question.html&usg=__2AbYfTlDnUkov63gXoqNBlYuGPA=&h=755&w=360&sz=6&hl=en&start=4&itbs=1&tbnid=fajyauFap8DIWM:&tbnh=142&tbnw=68&prev=/images?q=question&hl=en&safe=active&gbv=2&tbs=isch:1

capturing web application threats using virtual cms honeypot

Technology