Glastopf – A dynamic, low-interaction web application honeypot



Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites be compromised, as this can result in serving malicious content to customers, or leaking customer’s data. Whether the particular web application is part of a company’s website, or a personal web page, there are certain characteristics common to all web applications. Most people trust in the reliability of web applications and they are often hosted on powerful servers with high bandwidth connections to the Internet. Considering the large number of attacks and knowing the potential consequences of successful break-ins, we decided to put a bit more effort into the development of honeypots to better understand these attacks.

In this paper, we introduce Glastopf, a low-interaction web application honeypot capable of emulating thousands of vulnerabilities to gather data from attacks that target web applications. The principle behind it is very simple: reply to the attack using the response the attacker is expecting from his attempt to exploit the web application. We provide an overview of the attacks on web applications, describe examples collected with Glastopf, and discuss possible usages of data collected.

Glastopf can be downloaded from and a mailing list for help/suggestions and advice is available at



  • Lukas Rist
  • Sven Vetsch
  • Marcel Kossin
  • Michael Mauer.