Johannes Ullrich recently posted an article detailing quick and simple traps you can add to a web site or web app to flag up suspicious and malicious activity on the site. Johannes does a better job of explaining than I could, so I’d recommend a read of his post, but put simply the traps discussed are:
- Don’t hand session credentials to automated clients
- Add fake admin pages to robots.txt
- Add fake cookies
- Add ‘Spider loops’
- Add fake hidden passwords as HTML comments
- Use ‘hidden’ form fields
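To show how several of these traps turn into actual alerts, here is an added example (my own code, not from Johannes’s post) that bakes four of them into one request classifier: a decoy path advertised only via robots.txt, a decoy cookie that is set but never read (so any change to it is tampering), a fake password planted in an HTML comment, a CSS-hidden honeypot form field, and a spider loop of numbered archive pages. All trap names and values are constructed for the example; pick your own.

```python
import re
from typing import Mapping

# All trap values below are constructed for this example; use your own random ones.
DECOY_COOKIE = "role"                  # set as role=user on every response, never read by real code
DECOY_COOKIE_VALUE = "user"
DECOY_PATHS = ("/admin-old/", "/backup/")   # Disallow'd in robots.txt, never linked anywhere
DECOY_PASSWORD = "TempPass2011!"       # left in an HTML comment on the login page, never valid
HONEYPOT_FIELD = "website"             # form field hidden with CSS; humans leave it empty
SPIDER_LOOP = re.compile(r"^/archive/(\d+)/$")   # page N always links to page N+1
SPIDER_LOOP_LIMIT = 100                # real content stops well before this depth


def robots_txt() -> str:
    """Bait robots.txt: polite crawlers skip these paths, scanners head straight for them."""
    return "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in DECOY_PATHS)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    pairs = (c.strip().partition("=") for c in header.split(";") if "=" in c)
    return {key: value for key, _, value in pairs}


def classify_request(method: str, path: str,
                     headers: Mapping[str, str], form: Mapping[str, str]) -> list:
    """Return the names of every trap this request tripped (empty list = nothing suspicious).

    Feed the result to your logging/alerting; a single hit is already a strong signal
    because no legitimate user or well-behaved crawler ever reaches these values.
    """
    hits = []
    if any(path.startswith(p) for p in DECOY_PATHS):
        hits.append("robots_decoy_path")          # only found by reading robots.txt
    cookies = parse_cookies(headers.get("Cookie", ""))
    if DECOY_COOKIE in cookies and cookies[DECOY_COOKIE] != DECOY_COOKIE_VALUE:
        hits.append("decoy_cookie_tampered")      # e.g. role=user edited to role=admin
    if method == "POST" and form.get(HONEYPOT_FIELD, "") != "":
        hits.append("hidden_field_filled")        # bots fill every field they can see
    if method == "POST" and form.get("password") == DECOY_PASSWORD:
        hits.append("decoy_password_used")        # someone read the HTML comment and tried it
    m = SPIDER_LOOP.match(path)
    if m and int(m.group(1)) > SPIDER_LOOP_LIMIT:
        hits.append("spider_loop")                # crawler followed the endless chain
    return hits
```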
All of the ideas are relatively simple to implement, to a greater or lesser extent. I’ve spent the last week experimenting with some of the proposals and have seen some success so far. If I get any unusual or interesting results I’ll share my findings in a future post.
P.S. If you’re not already following the AppSec Street Fighter blog, I’d highly recommend it.