Glastopf Web Application Honeypot

edited by Lukas Rist on April 2, 2012

Many of today's most advanced attacks now happen at the web application layer. This tool is designed to capture information on the latest web application attacks using a scalable and easy to deploy low-interaction server honeypot.

Glastopf is a minimalistic web server written in Python. The honeypot collects information about web application-based attacks such as remote file inclusion, SQL injection, and local file inclusion. Glastopf scans each incoming request for strings like "=http://" or "CAST(0x". If a request matches, we try to download and analyze the file and respond as closely as possible to the attacker's expectations. If we fulfill them, the attacker sends us the next stage, e.g. a bot, shell or spreader. Those files could, for example, be analyzed for IRC information to infiltrate the botnet behind this kind of attack. The collected data is stored in a database.
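An added example (not Glastopf's own code) of the request scan described above: it checks the page's two strings against percent-decoded query parameters, so encoded or mixed-case variants that a literal substring match would miss are still classified. The https/ftp schemes, the LFI pattern, the name `classify` and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Checked against each decoded parameter value. "rfi" and "sqli" mirror the
# page's "=http://" and "CAST(0x" strings (https/ftp added as an assumption);
# the "lfi" pattern is an assumption, since the page names no LFI string.
RULES = [
    ("rfi", re.compile(r"^\s*(?:https?|ftp)://", re.I)),
    ("sqli", re.compile(r"cast\(\s*0x", re.I)),
    ("lfi", re.compile(r"(?:\.\./){2,}|^/etc/", re.I)),
]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://files.example.invalid/inc.txt? HTTP/1.1",
    "GET /index.php?page=hTTp%3A%2F%2Ffiles.example.invalid%2Finc.txt HTTP/1.1",
    "GET /news.php?id=1%20AND%201=CAST(0x31%20AS%20INT) HTTP/1.1",
    "GET /view.php?file=../../../etc/passwd HTTP/1.1",
    "GET /search.php?q=honeypot&ref=docs HTTP/1.1",
]


def classify(request_line):
    """Return (method, path, hits) for one HTTP request line, where hits is
    a list of (category, parameter, decoded_value) tuples."""
    parts = request_line.split()
    if len(parts) != 3:
        # Log requests that do not parse instead of silently dropping them.
        return None, None, [("malformed", "", request_line)]
    method, target, _version = parts
    url = urlsplit(target)
    hits = []
    # parse_qsl percent-decodes names and values, so "%3A%2F%2F" and
    # mixed-case schemes match the same rule as a literal "=http://".
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        for category, pattern in RULES:
            if pattern.search(value):
                hits.append((category, name, value))
    return method, url.path, hits


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        method, path, hits = classify(line)
        labels = sorted({category for category, _, _ in hits}) or ["benign"]
        print(f"{method} {path}: {', '.join(labels)}")
```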

Currently we are working on the 3rd version of Glastopf (aka Glaspot v3), which is the successor of GlastopfNG v2 and Glastopf v1.
Glastopf is open source and is available from our repository.
Documents
Know Your Tool: Glastopf
CFT Final Report
Media Coverage
darkREADING: New Honeypot Mimics The Web Vulnerabilities Attackers Want
SECURITYWEEK: HoneyNet Project Releases SQL Injection Emulator
PCWorld: Glastopf Web application honeypot gets SQL injection emulation capability
Current Project
At the moment we are working on the dynamic dork list and the SQL injection handler for Glaspot v3.
Future Plans
We are looking forward to having a web threat analysis platform in the next months, including a sandbox and botnet monitoring.
Contact
See the team page