Chapter 3
Poisoned Pawns (Hacker Traps)
All warfare is based on deception.
—Sun Tzu in The Art of War
As web application defenders, we have a challenging task. We must try to defend web applications from attackers without the benefit of knowing about the application internals. Without this information, it may be difficult to identify malicious behavior hidden in a flood of legitimate traffic. How do normal users interact with the application resources? If you understand how normal users use the web application, you should be able to figure out when attackers deviate from this usage profile. Unfortunately, many organizations attempt to use a signature-based detection system to identify malicious behavior. This endeavor often includes accidentally blocking legitimate clients and, worse, missing real attackers. How can we change the game so that the odds of identifying malicious users are in our favor?
Rather than searching through “haystacks” of legitimate traffic looking for malicious attack “needles,” we need a way to remove the haystacks. If we could set up a method that removes all normal user traffic, we would be left with abnormal traffic. This brings us to the concept of honeypots, which we will call honeytraps.
Get Web Application Defender's Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.