# Log4Shell Honeypot

This demo application is vulnerable to the [CVE-2021-44228](,
also known as Log4Shell. For example, it can be used to validate a detection or remediation script.

## How to launch

Build the application:

    mvn clean package
Or, alternatively, download the [pre-built JAR](

Run the application (in the `target` subdirectory if you built it locally):

    java -Dlog4shell.all -jar log4shell-honeypot-capsule.jar

> The application is not vulnerable by default. You need to set the `log4shell.all` system property to enable 
> vulnerabilities (or you can use vulnerability-specific options, see below).

### Vulnerability options

* Set `log4shell.userAgent` system property to log the `User-Agent` HTTP header.
* Set `log4shell.authorization` system property to log the `Authorization` HTTP header.
* Set `log4shell.basicAuth` system property to log the user/password pair decoded from basic authentication.
* Set `log4shell.urlPath` system property to log the URL path.
* Set `log4shell.urlQuery` system property to log the URL query string.
* Set `log4shell.all` system property to log all the above.

An empty property value is enough.

### Security options

To enable basic authentication on the application, active the `basicAuth` configuration profile:

    java -Dseedstack.profiles=basicAuth -Dlog4shell.all -jar target/log4shell-honeypot-capsule.jar

* User is `demo`
* Password is also `demo`

> When basic authentication is enabled, the application cannot be vulnerable to the user/password injection.

## How to use

Do a GET or POST request on any path with a malicious payload located in accordance with the options above:

Example with `User-agent` header:

    curl http://localhost:8080 -A "<malicious-user-agent>"

The app will issue a 302 to `/test` which contains the vulnerability.