New Tool: WebLabyrinth

Now, as the previous post stated, I love me some honeypots. So I got introduced to a fun tool on PaulDotCom Security Weekly Episode 225. During the show's technical segment, John profiled a simple Python script called SpiderTrap. John is a big fan of honeypots and of what he calls "offensive countermeasures": rather than simply blocking attackers that probe your network, John enjoys messing with them and keeping them busy until they give up, frustrated. SpiderTrap, written by his intern Ethan Robish, reflects that methodology: it is a small web server that serves up a never-ending maze of random links. When a web scanner encounters this, it attempts to map out the entire web application, which, theoretically, will never happen with SpiderTrap.

SpiderTrap is cool; however, I instantly thought of some shortcomings: first, it needs a dedicated host to run on, and second, it doesn't help your existing web applications. The gears started turning and it occurred to me that the script would be fairly trivial to implement in PHP, and that Apache's mod_rewrite could handle spoofing a never-ending maze of links. Thankfully, I had a few free nights coming up the following weekend, so I coded something simple up.

What came out of my coding sessions was WebLabyrinth. WebLabyrinth, like SpiderTrap, is designed to create a maze of bogus web pages to confuse web scanners. However, unlike SpiderTrap, it can be run on any Apache server with mod_rewrite and PHP. This allows users to embed it within existing websites. I also added a feature which allows the web pages to consist of more than just a few links: it uses a Dissociated Press function to randomly generate text (courtesy of David Pascoe-Deslauriers' BSD-licensed code). Included in the code is the first chapter of "Alice's Adventures in Wonderland" (which just seemed so right to use for this purpose), but any text can be used.

So, a few words of warning: while v0.2.0 does try to detect Google's spider and block it, it currently detects no other search engines. Also, if an overly aggressive scanner gets trapped, it may be a drain on system resources. I will try to address both of these issues in future versions.
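To make the mechanism described above concrete, here is an added example (my own sketch, not WebLabyrinth's code): one PHP script behind a catch-all mod_rewrite rule that emits Dissociated Press text plus random links, with the narrow Googlebot check the warning above mentions. The file name labyrinth.php, the rewrite rules and the seed text are assumptions.

```php
<?php
// Added example in the spirit of WebLabyrinth, not the project's own code. Assumes
// Apache sends every request for a non-existent file to this script via .htaccess:
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteRule ^ labyrinth.php [L]
// The seed text is a constructed placeholder; the real tool ships a chapter of Alice.
$seedText = "Alice was beginning to get very tired of sitting by her sister on the bank "
          . "and of having nothing to do once or twice she had peeped into the book "
          . "her sister was reading but it had no pictures or conversations in it";

// Dissociated Press: an order-2 Markov chain over words. Each adjacent word pair
// maps to the words that followed it in the seed; walking that table yields text
// that reads like the original without repeating it.
function dissociatedPress(string $text, int $wordCount): string {
    $tokens = preg_split('/\s+/', trim($text));
    $n = count($tokens);
    $chain = [];
    for ($i = 0; $i < $n; $i++) {   // wrap around so every pair has a successor
        $chain[$tokens[$i] . ' ' . $tokens[($i + 1) % $n]][] = $tokens[($i + 2) % $n];
    }
    $keys = array_keys($chain);
    $out = explode(' ', $keys[array_rand($keys)]);
    while (count($out) < $wordCount) {
        $key = $out[count($out) - 2] . ' ' . $out[count($out) - 1];
        $out[] = $chain[$key][array_rand($chain[$key])];
    }
    return implode(' ', $out);
}
// Bogus relative links: each resolves back to this script through the rewrite
// rule, so a spider that follows them never finds the end of the "site".
function mazeLinks(int $n): array {
    $links = [];
    for ($i = 0; $i < $n; $i++) {
        $links[] = bin2hex(random_bytes(4)) . '/' . bin2hex(random_bytes(3)) . '.html';
    }
    return $links;
}
// Keep well-behaved search engines out. The post says v0.2.0 recognises only
// Googlebot, so this check is equally narrow; a robots.txt Disallow complements it.
if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', 'Googlebot') !== false) {
    http_response_code(404);
    exit;
}
header('Content-Type: text/html; charset=utf-8');
echo '<html><body><p>', htmlspecialchars(dissociatedPress($seedText, 60)), "</p>\n";
foreach (mazeLinks(8) as $href) { echo '<a href="', $href, '">', $href, "</a><br>\n"; }
echo '</body></html>';
```

Because the links are relative, each hop a scanner takes produces a longer, still-bogus path that the rewrite rule routes straight back to the script; the resource drain mentioned above comes from serving that page for every hop.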

Now, partially for the above reasons and partially because I don't want to pay for some idiot scanning my server, there is no demo site available. However, Mr. Strand was very nice and created a video for PaulDotComTV showcasing the tool.

It's a fairly simple idea and there isn't much more to do from here; however, I am mulling over some additional ideas for future versions. I am always open to suggestions, so please feel free to contact me.