Chapter 3

Poisoned Pawns (Hacker Traps)

All warfare is based on deception.

—Sun Tzu in The Art of War

As web application defenders, we have a challenging task. We must try to defend web applications from attackers without the benefit of knowing about the application internals. Without this information, it may be difficult to identify malicious behavior hidden in a flood of legitimate traffic. How do normal users interact with the application resources? If you understand how normal users use the web application, you should be able to figure out when attackers deviate from this usage profile. Unfortunately, many organizations attempt to use a signature-based detection system to identify malicious behavior. This endeavor often includes accidentally blocking legitimate clients and, worse, missing real attackers. How can we change the game so that the odds of identifying malicious users are in our favor?

Rather than searching through “haystacks” of legitimate traffic looking for malicious attack “needles,” we need a way to remove the haystacks. If we could set up a method that removes all normal user traffic, we would be left with abnormal traffic. This brings us to the concept of honeypots, which we will call honeytraps.

Honeytrap Concepts

The honeytrap concept is rather simple: It is essentially a booby trap that is built into the application. Whereas honeypot systems are separate hosts that you deploy within your network to act as targets, honeytraps are planted throughout a web ...