
Cedric HEBERT edited this page Jun 28, 2024 · 3 revisions

General decoy structure

Decoys are made of five different parts: decoy, inject, detect, alert and respond.

  • When the proxy receives a request, it tries to detect the decoy. If the decoy is detected, it triggers the related alert and response.
  • When the proxy receives a response, it checks if it needs to inject the decoy. Prior to that it also tries to detect the decoy.

Injection and detection are both optional. A decoy without detection is just an element that is added to the page. Such a decoy can be used to mislead an attacker, for example by returning a fake server version. A decoy without injection is what we call a 'detection rule'. It can be used to detect malicious behavior performed directly on the application itself, such as trying to log in as 'admin/admin'. Responding is also optional. A response is applied to subsequent requests.

The typical usage flow is as follows:

  1. A user sends a request.
  2. Upon response, a decoy is injected.
  3. On a follow-up request, tampering with the decoy is detected. An alert is raised, together with any configured response(s).
  4. On further request(s), if the request matches an applied response, that response is triggered prior to further processing.

The main decoy structure is the following. Notice how 'alert' and 'respond' are embedded into 'detect'.

    {
      "decoy": {
      },
      "inject": {
      },
      "detect": {
        "alert": {
        },
        "respond": {
        }
      }
    }

You can have as many decoys as you'd like in a single config file. Just put them after one another inside the filters array:

    {
      "filters": [
        {
          "decoy": {
          },
          ...
        },
        {
          "decoy": {
          },
          ...
        },
        {
          "decoy": {
          },
          ...
        }
      ]
    }
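As an added example (not the project's own code), the following Python checker parses a config file of the shape shown above and classifies each entry of the `filters` array according to which optional parts it carries: a full decoy (inject and detect), a mislead-only decoy (inject without detect), or a detection rule (detect without inject). It also flags structural mistakes such as `alert` or `respond` placed at the top level instead of inside `detect`. Two assumptions are made for this example only: that the `decoy` section is required in every entry, and that the keys listed on this page are the only valid ones. The sample config is constructed, with empty sections because the page shows no inner keys.

```python
"""Classify and sanity-check entries of a decoy config file.

Added example, not the project's code. Assumes the structure shown on
the wiki page: filters[].decoy / inject / detect, with detect.alert and
detect.respond nested under detect. Treating 'decoy' as required and
rejecting unknown keys are assumptions of this example.
"""
import json

TOP_LEVEL_KEYS = {"decoy", "inject", "detect"}
DETECT_KEYS = {"alert", "respond"}

# Constructed sample config: sections are left empty because the page
# documents no inner keys; a real config would fill them in.
SAMPLE_CONFIG = json.dumps({
    "filters": [
        {"decoy": {}, "inject": {}, "detect": {"alert": {}, "respond": {}}},
        {"decoy": {}, "inject": {}},                          # mislead only
        {"decoy": {}, "detect": {"alert": {}}},               # detection rule
        {"decoy": {}, "detect": {"alert": {}}, "bogus": {}},  # unknown key
        {"inject": {}},                                       # no decoy section
        {"decoy": {}, "inject": {}, "alert": {}},             # alert misplaced
    ]
})


def classify_filter(entry):
    """Return (kind, problems) for one entry of the filters array."""
    problems = []

    # Keys outside the documented set: 'alert'/'respond' at the top level
    # get a specific hint, anything else is reported as unknown.
    for key in sorted(set(entry) - TOP_LEVEL_KEYS):
        if key in DETECT_KEYS:
            problems.append(f"'{key}' must be nested inside 'detect'")
        else:
            problems.append(f"unknown top-level key '{key}'")

    if "decoy" not in entry:
        problems.append("missing required 'decoy' section")

    detect = entry.get("detect")
    if detect is not None:
        if not isinstance(detect, dict):
            problems.append("'detect' must be an object")
        else:
            for key in sorted(set(detect) - DETECT_KEYS):
                problems.append(f"unknown key '{key}' under 'detect'")

    # Injection and detection are both optional; their combination
    # decides what the entry is.
    has_inject = "inject" in entry
    has_detect = detect is not None
    if has_inject and has_detect:
        kind = "full decoy"
    elif has_inject:
        kind = "mislead-only decoy"
    elif has_detect:
        kind = "detection rule"
    else:
        kind = "inert (neither inject nor detect)"
    return kind, problems


def classify_config(text):
    """Parse a config file and classify every entry of its filters array."""
    cfg = json.loads(text)
    filters = cfg.get("filters")
    if not isinstance(filters, list):
        raise ValueError("config must contain a 'filters' array")
    return [classify_filter(f) for f in filters]


if __name__ == "__main__":
    for index, (kind, problems) in enumerate(classify_config(SAMPLE_CONFIG)):
        status = "ok" if not problems else "; ".join(problems)
        print(f"filter[{index}]: {kind} ({status})")
```

Running the checker over a config before deploying it catches the most common layout mistake, `alert` or `respond` placed beside `detect` rather than inside it, which would otherwise silently produce a decoy that injects but never alerts.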