2014 : Aggressive web application honeypot for exposing attacker's identity

Prof.Ir. Supeno Djanali M.Sc Ph.D
Ir. F.X. Arunanto M.Sc.


Attackers are most likely to exploit unvalidated and unsanitized user input with attacks such as cross-site scripting (XSS) or SQL injection. Many methods have been proposed to prevent those attacks. Some of them were created to learn about the patterns and behavior of attackers; one such method is the honeypot. Honeypots are classified into two types based on the level of simulation they can provide: low interaction and high interaction. In this paper, we propose a low-interaction honeypot that emulates vulnerabilities exploitable through XSS and SQL injection attacks. This honeypot not only records the attacker's request but also tries to expose the attacker's identity by using some browser exploitation techniques. Some attackers use techniques to hide their identity so that they cannot be tracked. Our proposed honeypot tries to overcome this problem by serving them malicious JavaScript code, which runs when an attacker opens the honeypot's website. We conducted several tests to evaluate our honeypot's performance. Our honeypot could capture more useful information about the HTTP request than the popular web-based honeypot Glastopf. Moreover, attackers' social media accounts were captured using the LikeJacking technique, even though they might have used a proxy or Tor to hide their identity.