December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Chapter 3
Poisoned Pawns (Hacker Traps)
All warfare is based on deception.
—Sun Tzu in The Art of War
As web application defenders, we have a challenging task. We must try to defend web applications from attackers without the benefit of knowing about the application internals. Without this information, it may be difficult to identify malicious behavior hidden in a flood of legitimate traffic. How do normal users interact with the application resources? If you understand how normal users use the web application, you should be able to figure out when attackers deviate from this usage profile. Unfortunately, many organizations attempt to use a signature-based detection system to identify malicious behavior. This endeavor often includes accidentally blocking legitimate clients and, worse, missing real attackers. How can we change the game so that the odds of identifying malicious users are in our favor?
Rather than searching through “haystacks” of legitimate traffic looking for malicious attack “needles,” we need a way to remove the haystacks. If we could set up a method that removes all normal user traffic, we would be left with abnormal traffic. This brings us to the concept of honeypots, which we will call honeytraps.