Chapter 14

Active Response Actions

The general who is skilled in defense hides in the most secret recesses of the earth; he who is skilled in attack flashes forth from the topmost heights of heaven. Thus on the one hand we have ability to protect ourselves; on the other, a victory that is complete.

—Sun Tzu in The Art of War

What is the best way to respond to suspicious transactions within your web application? The reality is that most external web application defensive tools, such as web application firewalls (WAFs), use a very limited set of response actions. Whether due to a technical limitation of the tool or the web application defender’s specific desire, most WAFs simply terminate malicious transactions with an abrupt HTTP deny response such as a 403 Forbidden response status code.

This single-response action approach is not very flexible and is undesirable from a detectability perspective because attackers may be able to identify the existence of a separate security system. It is highly recommended that you thoroughly review and ideally tightly integrate your response actions with how the application itself responds to attacks. For example, perhaps basic malicious requests should be met with 302 redirections to the home page, and more advanced attacks should be quarantined by transparently proxying the attack traffic to a separate web honeypot system. The recipes in this chapter outline a wide variety of response actions.