"Know Your Enemy: Web Application Threats"

Sunday, February 25. 2007
The Honeynet Project & Research Alliance is pleased to announce the release of a new paper, "Know Your Enemy: Web Application Threats". This technical white paper provides behind-the-scenes information on various HTTP-based attacks against web applications, including remote file inclusion and exploitation of the PHPShell application. The paper is based on the research and data collected by the Chicago Honeynet Project, the New Zealand Honeynet Project and the German Honeynet Project during multiple honeypot compromises.

The paper is available at Know Your Enemy: Web Application Threats.

Along with the release of this paper comes new functionality in the "Google Hack" Honeypot (GHH), which is used extensively in the paper. GHH now includes an automated malware collection function, as well as remote XML-RPC logging with SSL support. GHH is available at http://ghh.sourceforge.net/
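As an added example (not part of the announcement, the paper or GHH), a small detector that scans Apache combined-format access logs for the remote file inclusion attempts the paper covers: it flags query parameters whose value is a remote URL and records the classic RFI tells seen alongside it. The log lines, addresses and hint names below are constructed for illustration.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache combined format (not honeynet data).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2007:10:01:07 +0000] "GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"
203.0.113.9 - - [25/Feb/2007:10:01:09 +0000] "GET /lib/config.php?path=ftp://198.51.100.7/c.txt%00 HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.11 - - [25/Feb/2007:10:02:00 +0000] "GET /search.php?q=http://example.com/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, method, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def _host_is_ip(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def rfi_candidates(log_text):
    """Return (client_ip, param, value, hints) for every query parameter carrying a remote URL.

    hints lists the RFI indicators present in the value; an empty list means only a
    bare remote URL was seen, which is common in legitimate search or redirect parameters
    and deserves a lower priority than a value carrying one or more hints.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not SCHEME_RE.match(value):
                continue
            hints = []
            if value.endswith("?"):
                hints.append("trailing-?")   # '?' appended to the included URL
            if "\x00" in value:
                hints.append("null-byte")    # %00 decoded inside the parameter
            if _host_is_ip(value):
                hints.append("ip-host")      # remote host given as a raw IP
            findings.append((m.group("ip"), name, value, hints))
    return findings
```

Running `rfi_candidates(SAMPLE_LOG)` yields three findings: two high-confidence hits from 203.0.113.9 (trailing `?` and null byte, both pointing at a raw IP) and one low-priority bare URL in a search parameter.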

Web Exploit Finder

Friday, February 16. 2007
Web Exploit Finder (WEF) is an implementation of automatic drive-by-download detection in a virtualized environment. It is another implementation of a client-side honeypot framework. With this kind of honeypot, you can detect attacks against client applications such as web browsers. An overview paper is also available.

Abstract:
Much has been written about security vulnerabilities in Microsoft Internet Explorer and Mozilla Firefox. Some of these security threats are designed to execute malicious code in the browser. Known as remote code execution attacks, these threats typically exploit a specific utilization of buffer overflows in an application. They are not limited to browsers but affect almost all services and applications that are part of the internet or that use it as a communication platform.

We focus on internet browsers here because of two key problems. First of all, browsers are the primary user interfaces to the World Wide Web. As the rendering engine transforms hypertext into a visual presentation for humans, all parts of a webpage have to be interpreted and processed further by the browser—which leads to a complex and error-prone architecture, especially in regard to mobile code (JavaScript, Java, ActiveX, XUL etc.). Secondly, the browser is arguably the most frequently used program in the family of potentially vulnerable software. In contrast to server-based software, a browser is often used by non-technical users, many of whom neither understand the risks nor know possible counteractive measures. And even experts are often exposed to the risk of an attack.

In view of this, our goal was to develop a system that automatically detects and identifies malicious websites.

In addition, this system would also be able to serve as a platform for other security and sandbox tests. One use case is to automatically analyze various kinds of malware in a secure and easily maintainable virtualized environment.