A collection of containerized vulnerable web applications organized by CVE identifiers for security research and training. Each vulnerability is isolated in Docker containers with comprehensive documentation and centralized logging infrastructure.
Last commit: 2025-08-01 22:32:24 -05:00
AUTHENTICATION_BYPASS/CVE-2024-31210 added cve-2024-31210 2025-07-30 14:43:04 -05:00
LFI/CVE-2025-1661 added CVE-2025-1661 LFI vuln 2025-08-01 10:52:46 -05:00
logging Initial commit: Add honeypot applications repository structure 2025-07-28 13:49:25 -05:00
RCE fix starting of solr for cve-2021-44228 2025-07-29 08:52:58 -05:00
SQL_INJECTION added postgresql injection vuln cve-2025-1094 2025-08-01 22:32:24 -05:00
TEMPLATE Initial commit: Add honeypot applications repository structure 2025-07-28 13:49:25 -05:00
CLAUDE.md Initial commit: Add honeypot applications repository structure 2025-07-28 13:49:25 -05:00
README.md Initial commit: Add honeypot applications repository structure 2025-07-28 13:49:25 -05:00

Honeypot Applications Repository

A collection of intentionally vulnerable web applications organized by CVE identifier for security research, training, and testing purposes.

Repository Structure

EXPLOITATION_TYPE/CVE-YYYY-NNNNN/
├── README.md             # Vulnerability details and setup instructions
├── Dockerfile            # Container configuration for the vulnerable app
├── docker-compose.yml    # Orchestration configuration
└── [config files]        # Application-specific configuration files

Exploitation Types

  • RCE - Remote Code Execution vulnerabilities
  • SQL_INJECTION - SQL injection vulnerabilities
  • XSS - Cross-Site Scripting vulnerabilities
  • LFI - Local File Inclusion vulnerabilities
  • RFI - Remote File Inclusion vulnerabilities
  • CSRF - Cross-Site Request Forgery vulnerabilities
  • SSRF - Server-Side Request Forgery vulnerabilities
  • XXE - XML External Entity vulnerabilities
  • DESERIALIZATION - Insecure deserialization vulnerabilities
  • AUTHENTICATION_BYPASS - Authentication bypass vulnerabilities
  • PRIVILEGE_ESCALATION - Privilege escalation vulnerabilities

Centralized Logging with ELK Stack

All honeypot containers automatically forward logs to a centralized ELK (Elasticsearch, Logstash, Kibana) stack for security monitoring and analysis.

Quick Setup

# Start the logging infrastructure
cd logging
./setup.sh

# Then start any honeypot container
cd ../RCE/CVE-2025-48492
docker-compose up -d

Access Dashboards

Log Analysis Features

  • Attack Detection: Automatically identifies SQL injection, XSS, RCE attempts
  • GeoIP Analysis: Maps attacker locations
  • CVE Correlation: Links attacks to specific vulnerabilities
  • Timeline Analysis: Track attack patterns over time
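The detection and CVE-correlation features above are implemented in the ELK pipeline; the following is an added example, not code from the repository, that shows the same two steps in plain Python so you can see what "attack detection" and "CVE correlation" mean for one container's logs. It assumes the log shipper attaches the compose labels (cve=, type=) to each event; the field names, signatures and the four access-log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signature classes keyed by the repository's EXPLOITATION_TYPE names, so a
# hit can be compared directly with the container's "type=" label. Patterns
# run on the URL-decoded request path; they are illustrative, not exhaustive.
SIGNATURES = {
    "SQL_INJECTION": re.compile(
        r"(?i)'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|pg_sleep\s*\(|sleep\s*\(\d+\)"),
    "XSS": re.compile(r"(?i)<script\b|javascript:|on(error|load)\s*="),
    "RCE": re.compile(
        r"(?i)(;|\||`|\$\()\s*(id|whoami|cat|curl|wget|nc|bash|sh)\b|<\?php|\$\{jndi:"),
    "LFI": re.compile(r"(\.\./){2,}|/etc/passwd|php://filter"),
}

# Apache/nginx "combined"-style access log line as emitted by the container.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify(path: str) -> list:
    """Attack classes whose signature matches the URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def enrich(line: str, labels: dict):
    """Parse one access-log line and attach detection and container metadata.

    `labels` stands in for the docker-compose labels (cve=, type=) that the
    log shipper is assumed to attach to every event from that container.
    Returns None for lines that do not parse.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["attacks"] = classify(event["path"])
    event["cve"] = labels.get("cve")
    event["type"] = labels.get("type")
    # CVE correlation: an attempt is attributed to this CVE only when the
    # detected class is the one the container is labelled as exposing.
    event["targets_cve"] = event["type"] in event["attacks"]
    return event


def correlate(lines, labels: dict) -> dict:
    """Count detected attempts per (cve, class), as a dashboard panel would."""
    counts = Counter()
    for line in lines:
        ev = enrich(line, labels)
        if ev:
            for cls in ev["attacks"]:
                counts[(ev["cve"], cls)] += 1
    return dict(counts)


# Constructed sample input (not captured traffic): labels as set in a
# docker-compose.yml, and four requests to a container labelled as the
# SQL injection honeypot. Only the second one targets the labelled CVE.
SAMPLE_LABELS = {"cve": "CVE-2025-1094", "type": "SQL_INJECTION"}
SAMPLE_LINES = [
    '203.0.113.7 - - [01/Aug/2025:22:40:01 -0500] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Aug/2025:22:40:03 -0500] "GET /index.php?id=1%27+OR+1%3D1-- HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Aug/2025:22:41:10 -0500] "GET /dl.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210',
    '198.51.100.9 - - [01/Aug/2025:22:41:12 -0500] "GET /ping.php?host=127.0.0.1%3Bid HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = enrich(line, SAMPLE_LABELS)
        print(ev["ip"], ev["path"], ev["attacks"], "targets_cve=%s" % ev["targets_cve"])
    print(correlate(SAMPLE_LINES, SAMPLE_LABELS))
```

The point of `targets_cve` is that a honeypot labelled for one CVE still sees every other kind of probe (the LFI and RCE hits above); counting by (cve, class) rather than by container alone is what keeps the per-CVE dashboard honest.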

Example: GetSimple CMS RCE (CVE-2025-48492)

This example demonstrates a Remote Code Execution vulnerability in GetSimple CMS.

Quick Start

# Start logging infrastructure first
cd logging && ./setup.sh

# Start the vulnerable application
cd ../RCE/CVE-2025-48492
docker-compose up -d

Exploitation

  1. Log in to the admin panel with the demo credentials documented in RCE/CVE-2025-48492/README.md
  2. Navigate to Theme > Edit Theme
  3. Inject PHP code in template files
  4. Execute arbitrary commands on the server
  5. Monitor attacks in Kibana dashboard

Adding Your Own CVE Application

Step 1: Research and Prepare

  1. Identify the CVE - Research the specific vulnerability (CVE-YYYY-NNNNN)
  2. Determine exploitation type - Choose the appropriate category (RCE, SQL_INJECTION, etc.)
  3. Find vulnerable version - Locate the exact software version affected by the CVE
  4. Understand the vulnerability - Study the attack vector and exploitation method

Step 2: Create Directory Structure

# Create the CVE directory
mkdir -p EXPLOITATION_TYPE/CVE-YYYY-NNNNN

# Copy template files
cp -r TEMPLATE/* EXPLOITATION_TYPE/CVE-YYYY-NNNNN/

# Navigate to your new directory
cd EXPLOITATION_TYPE/CVE-YYYY-NNNNN

Step 3: Configure the Application

Update Dockerfile

FROM php:7.4-apache
# Install the vulnerable software version
COPY vulnerable-app/ /var/www/html/
# Intentionally weak permissions so the exploit path works (honeypot only;
# never do this in a real image)
RUN chmod 777 /var/www/html/config/

Update docker-compose.yml

version: '3.8'
services:
  vulnerable-app:
    build: .
    ports:
      - "8080:80"
    labels:
      - "cve=CVE-YYYY-NNNNN"
      - "type=EXPLOITATION_TYPE"
      - "software=APPLICATION_NAME"
      - "version=X.X.X"
      - "severity=high"

Step 4: Document the Vulnerability

Update README.md with:

# CVE-YYYY-NNNNN - [Vulnerability Name]

## Overview
- **Software**: [Vulnerable Application Name]
- **Version**: [Affected Version]
- **Type**: [Vulnerability Type]
- **Severity**: [CVSS Score/Rating]

## Setup
```bash
docker-compose up -d
```

## Access
- **URL**: http://localhost:8080
- **Credentials**: username/password

## Exploitation Steps
1. Step one
2. Step two
3. Execute payload

## Payload Examples
```bash
# Example exploit commands
```

## Mitigation
- Upgrade to version X.X.X
- Apply security patches

Step 5: Configure Logging

The TEMPLATE already includes logging configuration. Ensure your labels are properly set:

labels:
  - "cve=CVE-YYYY-NNNNN"
  - "type=EXPLOITATION_TYPE"
  - "software=APPLICATION_NAME"
  - "version=X.X.X"
  - "severity=high|medium|low"

Step 6: Test and Validate

# Start logging infrastructure first
cd ../../logging && ./setup.sh

# Return to your CVE directory
cd ../EXPLOITATION_TYPE/CVE-YYYY-NNNNN

# Build the container
docker-compose build

# Run the application
docker-compose up -d

# Test the vulnerability
curl -X POST http://localhost:8080/vulnerable-endpoint

# Verify exploitation works and logs are captured
# Check Kibana at http://localhost:5601 for log entries

# Clean up
docker-compose down

Step 7: Quality Checklist

  • Container builds without errors
  • Application runs and is accessible
  • Vulnerability is reproducible
  • Logs appear in Kibana dashboard
  • CVE labels are properly set
  • Attack detection works in ELK
  • Documentation is complete and accurate
  • Weak/demo credentials are used (never real ones)
  • Security considerations are documented
  • Exploitation steps are clear and tested
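Several checklist items (CVE labels set, documentation complete, directory naming) can be checked mechanically before a pull request. The script below is an added example, not a tool from the repository: it validates one CVE directory against the layout shown in Steps 2 to 5. It assumes the label list format and README section names shown there; the sample docker-compose.yml and README.md contents, including the software, version and credential values, are constructed for the example and are not facts about GetSimple CMS.

```python
import re

# Categories, label keys and README sections as defined in this README.
EXPLOITATION_TYPES = {
    "RCE", "SQL_INJECTION", "XSS", "LFI", "RFI", "CSRF", "SSRF", "XXE",
    "DESERIALIZATION", "AUTHENTICATION_BYPASS", "PRIVILEGE_ESCALATION",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
REQUIRED_LABELS = ("cve", "type", "software", "version", "severity")
SEVERITIES = {"high", "medium", "low"}
REQUIRED_SECTIONS = ("Overview", "Setup", "Access", "Exploitation Steps",
                     "Payload Examples", "Mitigation")
# Strings left over from the TEMPLATE README that mean it was never filled in.
PLACEHOLDERS = ("[Vulnerable Application Name]", "[Affected Version]",
                "Step one", "username/password", "version X.X.X")
LABEL_LINE_RE = re.compile(r"""^\s*-\s*["']?([A-Za-z_]+)=([^"'\n]*?)["']?\s*$""")


def parse_labels(compose_text: str) -> dict:
    """Collect `- "key=value"` entries under `labels:` (line-based, no YAML lib;
    handles the layout used in this README, not arbitrary compose files)."""
    labels, in_labels = {}, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("labels:"):
            in_labels = True
        elif in_labels and LABEL_LINE_RE.match(line):
            key, value = LABEL_LINE_RE.match(line).groups()
            labels[key] = value.strip()
        elif in_labels and stripped and not stripped.startswith("-"):
            in_labels = False  # next mapping key ends the labels list
    return labels


def validate(rel_dir: str, compose_text: str, readme_text: str) -> list:
    """Checklist failures for one CVE directory (empty list means it passes).
    rel_dir is relative to the repo root, e.g. "RCE/CVE-2025-48492"."""
    parts = rel_dir.strip("/").split("/")
    if len(parts) != 2:
        return ["directory must be EXPLOITATION_TYPE/CVE-YYYY-NNNNN, got %r" % rel_dir]
    exp_type, cve_id = parts
    out = []
    if exp_type not in EXPLOITATION_TYPES:
        out.append("unknown exploitation type %r" % exp_type)
    if not CVE_RE.match(cve_id):
        out.append("directory name %r is not a CVE identifier" % cve_id)

    labels = parse_labels(compose_text)
    out += ["docker-compose.yml: missing label %r" % k for k in REQUIRED_LABELS if not labels.get(k)]
    if labels.get("cve") and labels["cve"] != cve_id:
        out.append("docker-compose.yml: label cve=%s does not match directory %s" % (labels["cve"], cve_id))
    if labels.get("type") and labels["type"] != exp_type:
        out.append("docker-compose.yml: label type=%s does not match directory %s" % (labels["type"], exp_type))
    if labels.get("severity") and labels["severity"] not in SEVERITIES:
        out.append("docker-compose.yml: severity must be high, medium or low")
    if not re.search(r"^\s*ports:", compose_text, re.M):
        out.append("docker-compose.yml: no ports mapping, app is not reachable from the host")

    title = readme_text.lstrip().split("\n", 1)[0]
    if not title.startswith("# " + cve_id):
        out.append("README.md: title must start with '# %s'" % cve_id)
    out += ["README.md: missing section '## %s'" % s for s in REQUIRED_SECTIONS
            if not re.search(r"^##\s+%s\s*$" % re.escape(s), readme_text, re.M)]
    out += ["README.md: template placeholder %r still present" % p for p in PLACEHOLDERS if p in readme_text]
    return out


# Constructed samples (not files from the repository): a filled-in entry and
# one that still carries template values. Software/version/credentials here
# are placeholders, not facts about GetSimple CMS.
GOOD_COMPOSE = """services:
  vulnerable-app:
    build: .
    ports:
      - "8080:80"
    labels:
      - "cve=CVE-2025-48492"
      - "type=RCE"
      - "software=GetSimple CMS"
      - "version=1.0.0"
      - "severity=high"
"""
GOOD_README = """# CVE-2025-48492 - GetSimple CMS theme editor RCE
## Overview
- **Software**: GetSimple CMS
## Setup
docker-compose up -d
## Access
- **Credentials**: admin/admin
## Exploitation Steps
1. Log in, open Theme > Edit Theme, add PHP to a template, request it
## Payload Examples
See Exploitation Steps.
## Mitigation
- Upgrade to a patched release
"""
BAD_COMPOSE = GOOD_COMPOSE.replace('      - "software=GetSimple CMS"\n', "").replace("type=RCE", "type=EXPLOITATION_TYPE")
BAD_README = "# CVE-YYYY-NNNNN - [Vulnerability Name]\n## Overview\n- **Software**: [Vulnerable Application Name]\n"

if __name__ == "__main__":
    print("good:", validate("RCE/CVE-2025-48492", GOOD_COMPOSE, GOOD_README))
    print("bad:", validate("RCE/CVE-2025-48492", BAD_COMPOSE, BAD_README))
```

To check a real directory, read its docker-compose.yml and README.md and pass their contents to `validate()` together with the path relative to the repo root; a non-empty result is the list of checklist items still open. The label-to-directory comparison is the one that catches the most common copy-paste mistake: a TEMPLATE copied into the right directory with `cve=CVE-YYYY-NNNNN` left in docker-compose.yml, which would silently mis-tag every event in Kibana.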

Best Practices

Container Security

  • Use official base images
  • Install exact vulnerable versions
  • Set appropriate file permissions
  • Use ephemeral containers
  • Document all configurations

Documentation Standards

  • Include CVE details and references
  • Provide clear setup instructions
  • Document exploitation steps
  • Include payload examples
  • Specify mitigation strategies

Testing Guidelines

  • Test in isolated environments
  • Verify vulnerability reproduction
  • Document any dependencies
  • Test container lifecycle (build/run/stop)

Common Docker Commands

# List running vulnerability containers (matches the cve= label set in docker-compose.yml)
docker ps --filter "label=cve"

# Run specific vulnerability
docker-compose -f EXPLOITATION_TYPE/CVE-YYYY-NNNNN/docker-compose.yml up -d

# View container logs
docker-compose logs -f

# Clean up this CVE's containers and network
docker-compose down

# Remove stopped containers, dangling images and unused networks host-wide
# (affects everything on the Docker host, not only this repository)
docker system prune -f

Contributing

  1. Fork the repository
  2. Create a new CVE directory following the structure
  3. Test your implementation thoroughly
  4. Submit a pull request with detailed description

Disclaimer

This repository contains intentionally vulnerable applications for educational and research purposes only. Do not deploy these applications in production environments. Use responsibly and in compliance with applicable laws and regulations.