How to Create Vulnerable-Looking Endpoints to Detect and Mislead Attackers
BaitRoute is a web honeypot project that serves realistic, vulnerable-looking endpoints to detect vulnerability scans and mislead attackers by providing false positive results.
A few months ago, I created a small web platform. Since I have many security engineer followers, I knew they would actively search for vulnerabilities. So, I decided to plant some realistic-looking fake vulnerabilities for fun. I added endpoints for "/.git" and "/.aws/credentials", since I knew they would show up in Nuclei scans.
It was fun. But afterwards I realized that it could actually be very useful in other projects as well: we could monitor how many people were probing our platform while having them waste time on decoy vulnerabilities. I reviewed several honeypot projects, but none provided rules for common vulnerability exposures or supported a wide range of web frameworks.
Therefore, I decided to create a new honeypot framework that contains common vulnerability rules, lets you write custom rules easily, and supports a wide range of programming languages and frameworks.
I created BaitRoute: https://github.com/utkusen/baitroute
BaitRoute is a library that integrates easily with web applications and APIs written in Go, Python, or JavaScript (with support for multiple frameworks in each). It registers endpoints that appear vulnerable. When a scanner hits one of these endpoints, BaitRoute responds with hardcoded values designed to make the scanner believe it has discovered a real vulnerability.
For example, this is the rule for the "/.aws/credentials" endpoint:

```yaml
- method: GET
  path: "/.aws/credentials"
  status: 200
  content-type: text/plain
  headers:
    Server: nginx/1.18.0
  body: |
    [default]
    aws_access_key_id = AKIAIOSFODNN7UTK13
    aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCY
    region = us-east-1
    [prod]
    aws_access_key_id = AKIAXN6ZVSGE4SEN37
    aws_secret_access_key = Zt4Xt9qBzYHAUSz2JkDPmvUFeqF3m5
    region = us-west-2
    [dev]
    aws_access_key_id = AKIAQWERTYUIOPTN2
    aws_secret_access_key = Ab9ztXUtnFEMI8K7MDENG9bPxRfiCY
    region = eu-west-1
```
Another example, "springboot-h2-db-rce.yaml":

```yaml
- method: POST
  path: "/actuator/env"
  status: 200
  content-type: application/json
  headers:
    Server: Apache-Tomcat/9.0.54
    Content-Type: application/json
  body: |
    {
      "name": "spring.datasource.hikari.connection-test-query",
      "properties": {
        "spring.datasource.hikari.connection-test-query": {
          "value": "CREATE ALIAS EXEC AS CONCAT('void e(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); }');",
          "origin": "System Environment Property"
        }
      }
    }
```
When a scanner sends a POST request to "/actuator/env", BaitRoute responds as if the endpoint were vulnerable. The following screenshot is taken from a Nuclei scan against BaitRoute with all rules enabled:
The framework includes nearly 100 ready-to-use rules. You can import all of them or select individual ones as needed. Creating your own custom rules is also very easy.
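To make the mechanism concrete, here is a small decoy-route engine in the shape of BaitRoute's rule format. This is an added example, not BaitRoute's own code or API: the rule fields mirror the two YAML rules quoted above (method, path, status, content-type, headers, body), while the DecoyRouter class, the real-route collision check, the alert event schema and the header redaction are assumptions made for this illustration. It shows the two halves the post describes: serving the hardcoded decoy response, and raising an alert that carries the requester's IP, headers and body (the data the Potential Benefits section below refers to).

```python
"""Decoy-route engine in the style of BaitRoute's rule format (added example).

Not BaitRoute's own code. The rule fields mirror the YAML rules in the post;
DecoyRouter, the collision check, the alert schema and the header redaction
are assumptions made for this illustration.
"""
import json
import sys
import time
from dataclasses import dataclass, field

# Request headers whose values are redacted in alerts. A legitimate user or an
# internal crawler can hit a decoy too, and the alert store should not end up
# holding real session tokens.
REDACTED_HEADERS = {"authorization", "cookie", "x-api-key"}
MAX_BODY_BYTES = 4096  # cap on request-body bytes kept in an alert


@dataclass(frozen=True)
class DecoyRule:
    method: str
    path: str
    status: int
    content_type: str
    body: str
    headers: dict = field(default_factory=dict)


# Constructed rules with the same shape as the two YAML rules quoted above
# (bodies shortened); loading them from YAML files is out of scope here.
RULES = [
    DecoyRule("GET", "/.aws/credentials", 200, "text/plain",
              "[default]\naws_access_key_id = AKIAIOSFODNN7UTK13\n"
              "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCY\n"
              "region = us-east-1\n",
              {"Server": "nginx/1.18.0"}),
    DecoyRule("POST", "/actuator/env", 200, "application/json",
              json.dumps({"name": "spring.datasource.hikari.connection-test-query",
                          "properties": {}}),
              {"Server": "Apache-Tomcat/9.0.54"}),
]


class DecoyRouter:
    """Matches requests against decoy rules and emits one alert per hit."""

    def __init__(self, rules, alert_sink, real_routes=()):
        # Refuse a decoy that shadows a genuine route: it would break the app
        # and turn every legitimate visitor into a false "attacker".
        real = {(m.upper(), p) for m, p in real_routes}
        for r in rules:
            if (r.method.upper(), r.path) in real:
                raise ValueError(f"decoy {r.method} {r.path} collides with a real route")
        self._table = {(r.method.upper(), r.path): r for r in rules}
        self._alert = alert_sink

    def handle(self, method, path, client_ip, headers, body=b""):
        """Return (status, headers, body) for a decoy hit, or None so the
        real application serves the request."""
        rule = self._table.get((method.upper(), path.split("?", 1)[0]))
        if rule is None:
            return None
        self._alert(self._event(rule, method, path, client_ip, headers, body))
        resp_headers = {"Content-Type": rule.content_type, **rule.headers}
        return rule.status, resp_headers, rule.body

    @staticmethod
    def _event(rule, method, path, client_ip, headers, body):
        safe_headers = {k: ("<redacted>" if k.lower() in REDACTED_HEADERS else v)
                        for k, v in headers.items()}
        return {
            "ts": time.time(),
            "rule": f"{rule.method} {rule.path}",
            "client_ip": client_ip,
            "method": method,
            "path": path,
            "headers": safe_headers,
            "body": body[:MAX_BODY_BYTES].decode("utf-8", "replace"),
            "body_truncated": len(body) > MAX_BODY_BYTES,
        }


def jsonl_alert_sink(event):
    """One JSON object per line on stderr, a shape most log shippers ingest."""
    print(json.dumps(event), file=sys.stderr)


if __name__ == "__main__":
    router = DecoyRouter(RULES, jsonl_alert_sink,
                         real_routes=[("GET", "/"), ("GET", "/health")])
    # Constructed probe of the kind a scanner template for exposed AWS
    # credentials would send; the client IP and User-Agent are made up.
    hit = router.handle("GET", "/.aws/credentials", "203.0.113.7",
                        {"User-Agent": "scanner/1.0", "Cookie": "sid=abc"})
    print(hit[0], hit[1]["Server"])
    print(router.handle("GET", "/health", "203.0.113.7", {}))  # None: not a decoy
```

In a real deployment `handle` would sit in framework middleware ahead of the application's router, and the sink would ship the JSON lines to whatever the team already alerts from. Two details are worth keeping when you adapt it: the collision check, because a decoy that silently replaces a real route is worse than no decoy, and the header redaction, because the first "attacker" to trip a decoy is often a colleague's browser or an internal crawler carrying a live session cookie.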
Potential Benefits
Early Warning System: You get an alert whenever someone tries to exploit a decoy vulnerability that BaitRoute serves, together with the requester's details (IP, headers, request body, etc.).
Waste Attackers' Time: With all rules enabled, attackers' vulnerability scans fill up with false positives, and they waste considerable time working out which findings are genuine. The following screenshot is taken from a Nuclei scan:
Real Life Suggestions
Let's say you own a high-traffic retail.com website. Implementing BaitRoute there wouldn't be very useful, since the site is constantly scanned anyway and the alerts would drown in background scanner noise. However, if you have a smaller application or service on a subdomain like customer-service.retail.com, you can deploy BaitRoute with a few rules to track how many dedicated attackers are digging deeply into your organization. Just remember to forward the alerts to a service like Sentry or Splunk.
You can also deploy BaitRoute in internal applications to detect potential insider threats within your company.
If you don't manage a high-traffic website, you can deploy BaitRoute with all rules enabled to waste potential attackers' time (and have some fun).