Payback on Web Attackers: Web Honeypots

Presented at AppSec USA 2012, Oct. 26, 2012, 10 a.m. (45 minutes)

Honeypots have long played a key role as a defensive technology in IT security, with the first public work being Clifford Stoll's The Cuckoo's Egg in 1990 and later Bill Cheswick's "An Evening With Berferd" in 1991 [2]. For a detailed honeypot history we recommend the book Honeypots: Tracking Hackers. Wikipedia defines a honeypot as a "trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers". Web attacks are the most common form of attack these days because they are easy to automate and web applications expose multiple attack vectors. For a detailed web attack landscape report we recommend Imperva's Web Application Attack Report, Edition #2 - January 2012 [5]. Despite the long use of honeypots for system and network security and the year-on-year increase in web attacks, especially against Web 2.0 applications, web honeypots are still in an early stage of research and development and are rarely deployed as a security defense in corporate networks. In this presentation, we explore the design and uses of a web honeypot with offensive and defensive capabilities called Carmen Rogue Web Server. Carmen Web Server v1.0 was developed around 2005, while development of Carmen Web Server v2.0 picked up in 2012, backed by VULNEX, to address today's threats focused on web attacks. By developing a generic but highly customizable and easy-to-deploy web honeypot, we aim to make this technology accessible to security teams across the world and help them protect their networks by adding an extra layer of security.
Carmen can be used as a defensive tool to collect data from an attack, such as the password list from a brute-force attack or all kinds of attack patterns such as Cross-Site Scripting (XSS) and SQL Injection (SQLi), or even to confuse attack tools using multiple methods such as Mix Server Simulation (Apache, IIS, etc.) or Fake Session ID Generation, among other capabilities. Conversely, Carmen can also be used as an offensive platform to test application security using fuzzing or to develop exploits by using its plugin and CGI capabilities. This presentation will dig into the web honeypot landscape and related work, the design approach taken for Carmen Web Server, use cases with demos, and how to improve this technology.
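To make the defensive capabilities above concrete, here is an added example (not Carmen's code, nor any VULNEX code) of the core of a web honeypot request handler: it captures credentials from Basic-auth brute-force attempts, tags requests matching XSS and SQL injection patterns, rotates a simulated Server banner per response, and issues fake session IDs derived from an HMAC. The signatures, banner list, `PHPSESSID` cookie name and the sample requests are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import unquote_plus

# Hypothetical, deliberately small signatures; a real honeypot would tune a fuller rule set.
XSS_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)
SQLI_RE = re.compile(r"'\s*(or|and)\s+|union\s+select|--\s*$|;\s*drop\s+table", re.I)
# Banners rotated per response, the "Mix Server Simulation" idea.
FAKE_BANNERS = ["Apache/2.2.22 (Unix)", "Microsoft-IIS/7.5", "nginx/1.2.4"]

def capture_basic_auth(headers):
    """Return (user, password) from a Basic Authorization header, else None."""
    value = headers.get("Authorization", "")
    if not value.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:]).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None
    user, _, password = decoded.partition(":")
    return user, password

def classify_request(path, body=""):
    """Tag the URL-decoded path and body with the attack classes they match."""
    text = unquote_plus(path) + "\n" + unquote_plus(body)
    return [tag for tag, rx in (("xss", XSS_RE), ("sqli", SQLI_RE)) if rx.search(text)]

def honeypot_response_headers(secret, counter):
    """Rotating Server banner plus a fake session id (HMAC of a counter, so it is not predictable)."""
    sid = hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:32]
    return {"Server": FAKE_BANNERS[counter % len(FAKE_BANNERS)],
            "Set-Cookie": f"PHPSESSID={sid}; HttpOnly"}

def honeypot_event(method, path, headers, body="", counter=0, secret=b"example-secret"):
    creds = capture_basic_auth(headers)  # brute-force attempts leak the tried passwords
    tags = classify_request(path, body) + (["brute_force_creds"] if creds else [])
    return {"method": method, "path": path, "tags": tags, "credentials": creds,
            "response_headers": honeypot_response_headers(secret, counter)}

# Constructed sample traffic, not data captured by any real deployment.
SAMPLE = [
    ("GET", "/login.php?user=admin'+OR+1=1--", {}, ""),
    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", {}, ""),
    ("GET", "/admin/", {"Authorization": "Basic YWRtaW46UGFzc3cwcmQ="}, ""),  # admin:Passw0rd
]

def run_sample():
    return [honeypot_event(m, p, h, b, counter=i) for i, (m, p, h, b) in enumerate(SAMPLE)]
```

Each record returned by `run_sample()` is what a honeypot would write to its log; the response headers are what it would send back to keep the attacker's tool guessing about the real server.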


  • Simon Roses Femerling - CEO - VULNEX
    Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate degree in E-Commerce from Harvard University (Boston) and an Executive MBA from IE Business School (IE, Madrid). He is currently the CEO at VULNEX, driving security innovation, and formerly worked at Microsoft, PriceWaterhouseCoopers and @Stake. Simon has authored and contributed to several open-source security projects such as OWASP Pantera and LibExploit, and has published security advisories in commercial products. He is a frequent speaker at security industry events including BLACKHAT, RSA, OWASP, SOURCE, DeepSec and Microsoft Security Technets. He holds the CISSP, CEH and CSSLP certifications.