OWASP 2025 Global AppSec EU

The OWASP Web Honeypot Project is an open-source (Proof of Concept PoC) initiative designed to deploy deceptive security mechanisms that lure, detect, and analyze cyber threats targeting web applications. It aims to provide security professionals with actionable intelligence on attack patterns, tools, and techniques used by adversaries.

The goal of the project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, we are leading the collection, storage and analysis of threat intelligence data.

The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them.

Originally the honeypots were VM, Docker or small computing profile based like Raspberry Pi, employed ModSecurity based Web Application Firewall (WAF) technology using OWASP’s Core Rule Set (CRS) pushing intelligence data back to a console to be converted to STIX/TAXII format for threat intelligence or pushed into ELK for visualisation.

Further enhancement and research-based work has been undertaken this year to enhance the container based approach (Docker) to introduce key features which include 

• Capability of dynamically switching web server profiles to mimic popular platforms like WordPress and Drupal for example.

• Utilise an alternative approach to using mlogc log output pushed into Logstash/ELK for visualisation and threat intelligence formats with MiSP via JSON format.

• Creation of a publicly available dataset within an AWS S3 bucket of JSON to store web threat intelligence in. a searchable JSON format feed, allowing the use of tools like JSON Crack for pattern recognition.

The intention is to be able to deploy these enhanced honeypots within key locations in the Internet community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed.
Overall having an open rich standard format-based quality dataset with real threat intelligence-based information based on the lure for scanning detected “fake” vulnerabilities by industry standard tools (which can easily be dynamically changed or updated) available to the global security community, allows for better web application security and to be able predict evolving cyber threats.