Java application vulnerable to the CVE-2021-44228 (a.k.a log4shell) vulnerability

Primary language: Java. License: MIT.

Log4Shell Honeypot

This demo application is vulnerable to CVE-2021-44228, also known as Log4Shell. It can be used, for example, to validate a detection or remediation script against a known-vulnerable target.

How to launch

Build the application:

mvn clean package

Or, alternatively, download the pre-built JAR.

Run the application (in the target subdirectory if you built it locally):

java -Dlog4shell.all -jar log4shell-honeypot-capsule.jar

The application is not vulnerable by default: set the log4shell.all system property to enable every injection point, or enable specific ones with the vulnerability-specific properties listed below.

Vulnerability options

  • Set log4shell.userAgent system property to log the User-Agent HTTP header.
  • Set log4shell.authorization system property to log the Authorization HTTP header.
  • Set log4shell.basicAuth system property to log the user/password pair decoded from basic authentication.
  • Set log4shell.urlPath system property to log the URL path.
  • Set log4shell.urlQuery system property to log the URL query string.
  • Set log4shell.all system property to log all the above.

An empty property value is enough (for example -Dlog4shell.all, with no =value).

Security options

To enable basic authentication on the application, activate the basicAuth configuration profile:

java -Dseedstack.profiles=basicAuth -Dlog4shell.all -jar target/log4shell-honeypot-capsule.jar
  • Username: demo
  • Password: demo

When basic authentication is enabled, the user/password injection (the log4shell.basicAuth option) cannot be exploited: a request whose credentials carry the payload is not demo/demo and is rejected before the pair is logged.

How to use

Send a GET or POST request to any path, placing the malicious payload in the location selected by the options above (header, credentials, path or query string):

Example with the User-Agent header:

curl http://localhost:8080 -A "<malicious-user-agent>"

The application answers with a 302 redirect to /test, which is the endpoint that performs the vulnerable logging. Add -L to curl so the redirect is followed and the payload actually reaches /test.