Skip to content

GeneralDecoyStructure

TarradeMarc edited this page Jul 10, 2024 · 3 revisions

General decoy structure

Decoys are made of five different parts: decoy, inject, detect, alert and respond.

  • When the proxy receives a request, it tries to detect the decoy. If the decoy is detected, it triggers the related alert and response.
  • When the proxy receives a response, it checks if it needs to inject the decoy. Prior to that it also tries to detect the decoy.

Injection and detection are both optional. A decoy without detection is just an element which is added to the page. Such a decoy can be used to mislead an attacker, for example by returning a fake server version. A decoy without injection is what we call a 'detection rule'. It can be used to detect malicious behavior performed directly on the application itself, such as trying to login as 'admin/admin'. Responding is also optional. Response will be applied to subsequent requests.

The typical usage flow is as follows:

  1. a user sends a request
  2. upon response, a decoy is injected
  3. on a follow-up request, tampering with the decoy is detected. An alert is raised as well as possible response(s).
  4. on further request(s), if the request matches with an applied response, then that response is triggered prior to further processing.

The main decoy structure is the following one. Notice how 'alert' and 'respond' are embedded into 'detect'.

    {
      "decoy": {
      },
      "inject": {
      },
      "detect": {
        "alert": {
        },
        "respond": {
        }
      }
    }

You can have as many decoys as you'd like in a single config file. Just put them after one another inside the filters array:

{
  "filters": [
    {
      "decoy": {
      },
      ...
    },
    {
      "decoy": {
      },
      ...
    },
    {
      "decoy": {
      },
      ...
    }
  ]
}
03-structure.mp4
Clone this wiki locally