Honeypot Processors: Access Policy Processor

This processor injects fake permission data into the clientaccesspolicy.xml file of the web application's domain. The fake access policy references a fake service and grants a random domain access to call it. If the service is ever called, or any files are ever requested in the directory the service is supposedly contained in, an incident can be created. Under normal conditions, no user will ever see the clientaccesspolicy.xml file, and users will therefore be unaware of the URL of the fake service or the directory it resides in. When a Silverlight object legitimately requests clientaccesspolicy.xml from the protected domain in order to access a known service, no incident is created, because the service being called is defined with real access directives.

Table 12: Access Policy Processor Configuration Parameters

| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Basic | | | |
| Processor Enabled | Boolean | True | Whether or not to enable this processor for HTTPS traffic. |
| Advanced | | | |
| Fake Service | String | Random | The fake service the user requested. |
| Incident: Malicious Service Call | Boolean | True | The user manually entered the URL into the browser and accessed the service that way. They did not call the function. |
| Incident: Service Directory Indexing | Boolean | True | The user asked for a file index on the directory that contains the fake service. |
| Incident: Service Directory Spider | Boolean | True | The user is issuing requests for resources inside the directory that contains the fake service. Since the directory does not exist, all of these types of requests are unintended and malicious. |
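
The detection logic described above can be sketched as follows. This is an added example, not the product's own code: the decoy policy entry, the domain `partner.example`, the path `/svc-7f3a/AccountSync.svc`, the function names, and the case-insensitive matching are all assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed decoy <policy> entry of the kind injected into
# clientaccesspolicy.xml; domain and path are placeholders.
DECOY_POLICY = """
<policy>
  <allow-from http-request-headers="*">
    <domain uri="http://partner.example"/>
  </allow-from>
  <grant-to>
    <resource path="/svc-7f3a/AccountSync.svc" include-subpaths="false"/>
  </grant-to>
</policy>
"""

def decoy_paths(policy_xml):
    """Return (service_path, directory_path) named by the decoy policy entry."""
    service = ET.fromstring(policy_xml).find("./grant-to/resource").get("path")
    return service, posixpath.dirname(service) + "/"

def classify(request_target, policy_xml=DECOY_POLICY):
    """Map a request target to one of the incident names above, or None."""
    service, directory = decoy_paths(policy_xml)
    raw = unquote(urlsplit(request_target).path)
    # Collapse "//", "./" and "../" so path tricks cannot dodge the match.
    path = posixpath.normpath("/" + raw.lstrip("/"))
    if raw.endswith("/") and path != "/":
        path += "/"  # normpath drops the trailing slash; restore it
    # Assumption: the protected server treats paths case-insensitively.
    path, service, directory = path.lower(), service.lower(), directory.lower()
    if path == service:
        return "Malicious Service Call"
    if path in (directory, directory.rstrip("/")):
        return "Service Directory Indexing"
    if path.startswith(directory):
        return "Service Directory Spider"
    return None  # real services and all other URLs raise no incident
```

Because the decoy directory does not exist on the real application, any non-None result is a high-confidence signal that the client read clientaccesspolicy.xml and acted on it.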