Web Application Honeypots
Smart applications stay ahead by detecting attacks directed at them. In our March Issue, we discussed several approaches applications use to detect intruders. In this issue, we take a closer look at an interesting technique for intrusion detection—web application honeypots.
Honeypots are sacrificial systems that we use to trap intruders. They were invented in the early 90s to study attackers in the real world. Dummy, unsecured systems were secretly placed on the web, and attackers were not stopped from breaking in. Once attackers broke in, however, their activity was monitored closely. That gave us a wealth of information about black hats during the last decade.
Honeypots are great for intrusion detection. They can be deployed on unused IP addresses in production networks. Since the honeypot has no legitimate purpose, any traffic to the honeypot is suspicious and signals the presence of an attacker. An intruder who triggers the honeypot can be tracked closely. Unlike traditional detection systems, which have to spot attacks in a flood of normal traffic, all traffic a honeypot receives is illegitimate.
We can adapt honeypots for web applications by laying traps that snare the attacker and give us an advantage. Let’s look at three strategies for web application honeypots:
- Honeytokens: Honeytokens are fake records inserted in the database. Normal users are never expected to use these records, so if any honeytoken is used, it alerts us that the database has been compromised. An example of a honeytoken is a fake username/password pair in the user database. This user does not exist in the real world and is therefore never expected to log in to the application. If the application sees these credentials being used, it immediately recognizes that the user database has been compromised.
- Honeypages: These are obscure web pages sprinkled through the web site. They have no legitimate purpose; they are not even linked from any valid page, so normal users would never reach them. However, we drop hints about these pages by embedding their URL as a comment or hidden field in valid pages. Normal users never see this, but an attacker who analyzes the source code, or a vulnerability scanner that spiders the site, will find the hint and follow the link. When the page is accessed, it points us to the intruder.
- Dummy domains: A variant of honeypages uses dummy domains that are published in the DNS. These domains have no legitimate sites hosted on them, and no URLs point to them. Any query for a dummy domain indicates reconnaissance by intruders as they hunt for the applications we host. This can give us an early warning of activity targeted at our sites.
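The three strategies above, worked through as an added example (this is not code from the original article; the account names, paths, domains and DNS log lines are constructed for illustration). The honeytoken account is stored with a password hash exactly like a real account, so a stolen copy of the user table gives no hint which row is bait; the honeypage hint is an HTML comment that browsers hide but source readers and spiders pick up; and the dummy-domain check runs over sample resolver log lines in a constructed format.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2 hash used for every account, bait or real, so the rows look alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data (not from the article). A real system uses a random
# per-user salt; a single static salt keeps the example short.
SALT = b"example-static-salt"
USER_TABLE = {
    "alice": _pw_hash("correct horse", SALT),      # legitimate user
    "svc_backup": _pw_hash("Backup#2019", SALT),   # honeytoken: nobody should use it
}
HONEYTOKEN_USERS = {"svc_backup"}
HONEYPAGES = {"/admin-old/", "/backup/site.sql"}   # exist, but linked from nowhere
DUMMY_DOMAINS = {"vpn2.example.com", "intranet-legacy.example.com"}  # in DNS only

# Constructed resolver log lines; the real format depends on the DNS server.
SAMPLE_DNS_LOG = [
    "2024-05-01T10:00:01Z client 198.51.100.7 query www.example.com A",
    "2024-05-01T10:00:02Z client 203.0.113.5 query vpn2.example.com. A",
    "2024-05-01T10:00:03Z client 198.51.100.7 query mail.example.com MX",
]


@dataclass(frozen=True)
class Alert:
    kind: str     # "honeytoken", "honeypage" or "dummy_domain"
    source: str   # client IP taken from the request or the DNS log line
    detail: str


class WebHoneypot:
    DNS_LINE = re.compile(r"client (?P<ip>[\d.]+) query (?P<qname>\S+)")

    def __init__(self) -> None:
        self.alerts: list[Alert] = []

    def login(self, username: str, password: str, client_ip: str) -> str:
        """Ordinary password check, except that any attempt against a honeytoken
        account raises an alert: the username itself should never be used, and a
        matching password means the user table has leaked."""
        stored = USER_TABLE.get(username)
        if username in HONEYTOKEN_USERS:
            matched = stored is not None and hmac.compare_digest(
                stored, _pw_hash(password, SALT))
            self.alerts.append(Alert(
                "honeytoken", client_ip,
                f"login as {username} (password matched: {matched})"))
            return "denied"
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password, SALT)):
            return "denied"
        return "ok"

    def render(self, body: str) -> str:
        """Emit a normal page with a honeypage hint hidden in an HTML comment."""
        hint = "<!-- TODO: retire old console at /admin-old/ before launch -->"
        return f"<html><body>{body}{hint}</body></html>"

    def serve(self, path: str, client_ip: str) -> int:
        """Return an HTTP status. A honeypage is served as a bland 200 so the
        visitor sees nothing unusual, but the hit is recorded first."""
        if path in HONEYPAGES:
            self.alerts.append(Alert("honeypage", client_ip, path))
            return 200
        return 200 if path == "/" else 404

    def scan_dns_log(self, lines) -> list[Alert]:
        """Flag every query for a dummy domain; trailing dots and case are normalised."""
        found = []
        for line in lines:
            m = self.DNS_LINE.search(line)
            if not m:
                continue
            qname = m.group("qname").rstrip(".").lower()
            if qname in DUMMY_DOMAINS:
                alert = Alert("dummy_domain", m.group("ip"), qname)
                self.alerts.append(alert)
                found.append(alert)
        return found


if __name__ == "__main__":
    hp = WebHoneypot()
    hp.login("svc_backup", "Backup#2019", "203.0.113.5")
    hp.serve("/admin-old/", "203.0.113.5")
    hp.scan_dns_log(SAMPLE_DNS_LOG)
    for a in hp.alerts:
        print(a)
```

Every alert carries the client address, which is the whole point of the technique: there is no legitimate reason for anyone to touch these records, pages or names, so each alert is a lead rather than a guess. Note that the honeytoken alert fires on the username alone, with the password match recorded separately, because the two cases mean different things (enumeration versus a leaked table).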
Web application honeypots have several advantages as an intrusion detection system:
- They have a low rate of false positives. Unlike traditional detection systems that flood the administrator with false alarms, honeypots do not make false guesses.
- Honeypots are simple to implement; they do not require major architectural or design changes in the application. Thus it’s possible to integrate a honeypot even at a relatively late stage.
- They are difficult to evade. These silent traps hide their presence well and an attacker who stumbles over them raises an alarm immediately.