Simple Web Honeytraps

Johannes Ullrich recently posted an article detailing quick and simple traps you can add to a web site or web app to flag up suspicious and malicious activity on the site. Johannes does a better job of explaining them than I could, so I’d recommend a read of his post, but put simply the traps discussed are:

  • Don’t hand session credentials to automated clients
  • Add fake admin pages to robots.txt
  • Add fake cookies
  • Add ‘Spider loops’
  • Add fake hidden passwords as HTML comments
  • Use ‘hidden’ form fields

All of the ideas are relatively simple to implement to a greater or lesser extent. I’ve spent the last week experimenting with some of the proposals and have seen some success so far. If I gain any unusual or interesting results I’ll share my findings in a future post.
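To make the traps concrete, here is an added example (not code from Johannes’ post or from this blog) of a small pure-stdlib Python WSGI app that wires four of them into detection logic: a decoy admin path that is listed in robots.txt but never linked, a decoy cookie that is always served as `0`, a hidden form field that real users never fill, and a decoy password that only ever appears in an HTML comment. The path, cookie and field names, the decoy password and the client IPs are all constructed placeholders; a real deployment would send the alerts to a log or SIEM instead of an in-memory list.

```python
"""Added example: a minimal WSGI app implementing several of the web honeytraps
described in the post. All names and values below are constructed placeholders."""
import io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

DECOY_ADMIN_PATH = "/admin-backup/"   # in robots.txt, never linked from any page
DECOY_COOKIE = "isadmin"              # always issued as "0"; any other value is tampering
DECOY_FIELD = "website_url"           # hidden form field a human never sees or fills
DECOY_PASSWORD = "Winter2009!"        # appears only inside an HTML comment (constructed)

ALERTS = []  # constructed in-memory alert sink; replace with real logging


def flag(ip, reason):
    ALERTS.append({"ip": ip, "reason": reason})


def alerts_for(ip):
    """Reasons recorded for one client IP, in the order they were raised."""
    return [a["reason"] for a in ALERTS if a["ip"] == ip]


def trap_checks(environ):
    """Return the names of every trap this request trips (possibly none)."""
    tripped = []
    path = environ.get("PATH_INFO", "/")
    if path.startswith(DECOY_ADMIN_PATH):
        tripped.append("robots_decoy_path")
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if DECOY_COOKIE in cookies and cookies[DECOY_COOKIE].value != "0":
        tripped.append("tampered_cookie")
    if environ.get("REQUEST_METHOD") == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
        if form.get(DECOY_FIELD, [""])[0].strip():
            tripped.append("hidden_field_filled")
        if DECOY_PASSWORD in form.get("password", []):
            tripped.append("decoy_password_used")
    return tripped


LOGIN_PAGE = f"""<!-- TODO remove before go-live: admin / {DECOY_PASSWORD} -->
<form method="post" action="/login">
  <input name="username"><input name="password" type="password">
  <input name="{DECOY_FIELD}" style="display:none" tabindex="-1" autocomplete="off">
  <button>Log in</button>
</form>"""


def app(environ, start_response):
    ip = environ.get("REMOTE_ADDR", "?")
    for reason in trap_checks(environ):
        flag(ip, reason)
    path = environ.get("PATH_INFO", "/")
    status = "200 OK"
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Set-Cookie", f"{DECOY_COOKIE}=0; Path=/; HttpOnly")]
    if path == "/robots.txt":
        headers[0] = ("Content-Type", "text/plain")
        body = f"User-agent: *\nDisallow: {DECOY_ADMIN_PATH}\n"
    elif path == "/login":
        body = LOGIN_PAGE if environ.get("REQUEST_METHOD") != "POST" else "<p>Login failed</p>"
    elif path.startswith(DECOY_ADMIN_PATH):
        status = "403 Forbidden"  # plausible response; the visit itself is the signal
        body = "<p>Forbidden</p>"
    else:
        body = "<p>Hello</p>"
    start_response(status, headers)
    return [body.encode("utf-8")]


def make_environ(method, path, body="", cookie="", ip="203.0.113.5"):
    """Build a constructed WSGI environ so the app can be exercised offline."""
    raw = body.encode("utf-8")
    return {"REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": ip,
            "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(raw)),
            "wsgi.input": io.BytesIO(raw)}


def run_request(environ):
    """Invoke the app directly; returns (status, headers, body_text)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Serve locally; then inspect ALERTS (or your real log) for tripped traps.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The check order matters for triage: a hit on the decoy path or a modified decoy cookie is a strong signal on its own, while the hidden field mostly catches form-filling bots, so alerts carry the trap name rather than a single generic "suspicious" label. The decoy login page is the only place the comment-embedded password exists, so any login attempt using it proves the client parsed the page source.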

Andrew Waite

P.S. If you’re not already following the AppSec Street Fighter blog I’d highly recommend it.

Join the conversation


    1. Hi,
      no problem with the comment here, I’m migrating away from the blogspot service, it will be decommissioned once I get all the links edited.
      Thanks for the links the x# modules aren’t something I’d given much of a look at, and wasn’t aware of their usefulness, one more thing to add to my todo list now 🙂
      I’ve had the same problem as you with the submit-virustotal module (although admittedly I haven’t spent enough time to determine if it’s a simple PEBKAC error…)
