Simple Web Honeytraps

Johannes Ullrich recently posted an article detailing quick and simple traps you can add to a web site or web app to flag up suspicious and malicious activity on the site. Johannes does a better job of explain than I could so I’d recommend a read of his post, but put simply the traps discussed are:

  • Don’t hand session credentials to automated clients
  • Add fake admin pages to robots.txt
  • Add fake cookies
  • Add ‘Spider loops’
  • Add fake hidden passwords as HTML comments
  • Use ‘hidden’ form fields

All of the ideas are relatively simple to implement to a greater or lesser extent. I’ve spend the last week experimenting with some of the proposals and have seen some success so far. If I gain any unusual or interesting results I share my findings in a future post.

Andrew Waite

P.S. if your not already following the AppSec Street Fighter blog I’d highly recommend it.

Join the conversation

3 Comments

    1. Hi,
      no problem with the comment here, I’m migrating away from the blogspot service, it will be decomissioned once I get all the links edited.
      Thanks for the links the x# modules aren’t something I’d given much of a look at, and wasn’t aware of their usefulness, one more thing to add to my todo list now 🙂
      I’ve had the same problem as you with the sumbit-virustotal module (although admittedly I haven’t spent enough time to determine if it’s a simple pebkac error…)

Leave a comment

Leave a Reply to Peter Cancel reply

Your email address will not be published. Required fields are marked *