bap - http Basic Authentication honeyPot


bap is a webservice honeypot that logs HTTP basic authentication credentials in a "parser friendly format"™.

The webservice handles HEAD and GET requests, to which it always responds with 401 WWW-Authenticate: Basic realm="ADMIN".
HTTP request methods other than HEAD or GET will result in an error response generated by BaseHTTPServer.
There is no valid username / password for the service. Credentials are only decoded and logged.


Configure HTTP_ADDR and HTTP_PORT in
Leaving HTTP_ADDR as empty string binds to all interfaces and addresses.
Default is to bind to *:8080

Running starts bap in the foreground. uses start-stop-daemon to start bap in the background. stops the background service.

Do not run bap as root.
To listen on a privileged port (80), use port redirection.


Logfiles are written to the same directory as

pot.log - Authentication honeypot log

Format: [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
Ex: [2015-01-09 19:59:43,516] Basic user:pass
Client_address and Client_port: Source of the request.
Auth_method: Parameter 1 from the Authorization request header. Is always Basic.
Decoded_auth_string: Base64-decoded version of parameter 2 from the Authorization request header.

access.log - Server access log

Format: [Date Time] Client_address:Client_port "Request_string" Response_code "User-Agent_string"
Ex: [2015-01-09 19:59:43,508] "GET / HTTP/1.1" 401 "curl/7.38.0"
Client_address and Client_port: Source of the request.
Request_string: Request received from the client, enclosed by ".
Response_code: Response code sent to the client.
User-Agent_string: User-Agent header received from the client, enclosed by ".
Note: Double quotes received from clients are escaped with \.

error.log - Server error log

Format: [Date Time] Client_address:Client_port Error_message
Ex 1: [2015-01-09 19:59:45,406] code 501, message Unsupported method ('TRACE')
Ex 2: [2015-01-09 19:59:46,350] DecodeFailure abc123
Client_address and Client_port: Source of the request.
Error_message: Description of the error.
Unsupported method occurs when the client request method is anything other than GET or HEAD.
DecodeFailure occurs when the client sends Basic authentication and parameter 2 is not valid base64-encoded data.

bap.log - Program output log

stdout and stderr end up here.


  • A request that triggers an error will receive the error code + message in the response header, for example "501 Unsupported method ('TRACE')".
    It would be sufficient to send the code + a generic message, or just the code without any message.
  • The value user:pass in pot.log can contain multiple ':' chars. This could lead to parsing issues when trying to separate user and pass.
  • Logs can contain escaped double quotes. Double quotes received from clients are escaped with \ before being logged.
  • bap.log has no timestamps for log events. Logging of exceptions makes timestamping a bit complicated. Use traceback class to fix this?
  • Logfiles are not rotated.
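
For the pot.log format and the multiple-':' issue listed above, an added example (not part of bap) of a parser that splits Decoded_auth_string on the first ':' only, which is safe because a Basic-auth user-id cannot contain a colon (RFC 7617). The names `parse_pot_line` and `PotEntry` and the sample lines are constructed here; the client field is treated as optional because the README's own example line shows none.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# pot.log layout from the README:
# [Date Time] Client_address:Client_port Auth_method Decoded_auth_string
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"(?:(?P<addr>\S+):(?P<port>\d+) )?"  # optional: README example shows no client
    r"(?P<method>\S+) "
    r"(?P<auth>.*)$"                      # rest of line; passwords may hold spaces
)

class PotEntry(NamedTuple):
    when: datetime
    addr: Optional[str]
    port: Optional[int]
    method: str
    user: str
    password: Optional[str]  # None when the decoded string had no ':' at all

def parse_pot_line(line: str) -> Optional[PotEntry]:
    """Parse one pot.log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    except ValueError:
        return None
    # Split on the FIRST ':' only: every later ':' belongs to the password.
    user, sep, password = m["auth"].partition(":")
    port = int(m["port"]) if m["port"] else None
    return PotEntry(when, m["addr"], port, m["method"], user,
                    password if sep else None)

# Constructed sample lines (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    "[2015-01-09 19:59:43,516] 192.0.2.10:51234 Basic admin:pa:ss:word",
    "[2015-01-09 19:59:44,020] 192.0.2.11:40022 Basic root:",
    "[2015-01-09 19:59:44,900] 192.0.2.12:40100 Basic nocolon",
    "[2015-01-09 19:59:43,516] Basic user:pass",
]

if __name__ == "__main__":
    for entry in map(parse_pot_line, SAMPLE):
        print(entry)
```

An empty password (`root:`) and a missing one (`nocolon`) are kept distinct, which matters when counting which credential pairs were actually tried.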

