Honeypot Processors: Basic Authentication Processor: Incidents - Invalid Credentials

Complexity: Medium (3.0)

Default Response: 1x = Slow Connection 2-6 seconds. 15x = Basic Authentication Bruteforce Incident.

Cause: Apache is a webserver used by many websites on the Internet. As a result, hackers will often look for vulnerabilities specific to Apache, because there is a good chance that any given website is running it. One such vulnerability involves the use of an .htaccess file to provide directory-level configuration (such as default 404 messages, password-protected resources, directory indexing options, and so on) while not sufficiently protecting the .htaccess file itself. By convention, any resource that provides directory-level configuration should not be exposed to the public. This means that if a user requests .htaccess or a related resource, they should get either a 404 or a 403 error. Unfortunately, not all webservers are configured correctly to block requests for these resources. In such a scenario, a hacker could gain valuable intelligence on the way the server is configured. WebApp Secure will automatically block any request for the .htaccess resource and return a fake version of the file. The fake version of the file contains the directives necessary to password-protect a fake resource. Should the user request the password-protected resource, WebApp Secure will simulate the authentication method defined in the fake .htaccess and simulate the existence of the fake resource. The "Invalid Credentials" incident triggers when the user requests the fake password-protected file and supplies an invalid username and password (as would be the case if they requested the file in a browser and guessed a username and password at the login prompt).

Behavior: Hackers will often attempt to get the .htaccess file from various directories on a website in an effort to find valuable information about how the server is configured. This is usually done to find a "Server Misconfiguration" weakness that might expose a "Credential/Session Prediction", "OS Commanding", "Path Traversal", or "URL Redirector Abuse" vulnerability, among others. The fact that an .htaccess file is exposed at all is a "Server Misconfiguration" vulnerability in itself. In this specific case, the attacker is asking for a different resource that is referenced only from .htaccess. The fake resource is password-protected, and the user has attempted to authenticate with bad credentials. This is most likely an effort to guess a valid username and password combination, such as "admin:admin" or "guest:guest". It can also be part of a larger brute-force attempt, where the attacker tries a long list of possible combinations. This is a poor method for locating valid usernames and passwords, because the user database file .htpasswd referenced by the fake .htaccess is itself exposed (albeit fake), so guessing is unnecessary. A brute-force attack (represented by a large quantity of this incident type) therefore generally means the attacker is less sophisticated.
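The mechanism described in the Cause and Default Response sections above, written out as an added example (this is not WebApp Secure's own code): a minimal honeypot processor that serves a fake .htaccess, answers requests for the fake password-protected resource with an HTTP Basic challenge, records an "Invalid Credentials" incident for every failed login, slows the connection 2-6 seconds after the first one, and raises a "Basic Authentication Bruteforce" incident at the fifteenth from the same client. The honeypot paths, the realm name, the .htpasswd path in the fake file and the in-memory incident store are assumptions made for the example; the request/response shapes are simplified tuples rather than a real HTTP server.

```python
"""Added example: model of the .htaccess / Basic Authentication honeypot
(assumed paths and realm; not WebApp Secure's own implementation)."""
import base64
import random
from collections import defaultdict

FAKE_HTACCESS_PATH = "/.htaccess"          # assumed: the path the honeypot intercepts
FAKE_PROTECTED_PATH = "/admin/config.php"  # assumed: fake resource referenced only from .htaccess
FAKE_REALM = "Restricted Area"             # assumed realm name in the fake file
BRUTEFORCE_THRESHOLD = 15                  # from the page: 15x -> bruteforce incident

# Fake .htaccess body handed to anyone asking for the real one (constructed).
FAKE_HTACCESS = f"""AuthType Basic
AuthName "{FAKE_REALM}"
AuthUserFile /var/www/.htpasswd
<Files "config.php">
    Require valid-user
</Files>
"""


def parse_basic_auth(header_value):
    """Decode 'Basic <base64(user:pass)>'; return (user, password) or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


class HoneypotProcessor:
    def __init__(self):
        self.invalid_creds = defaultdict(int)  # client id -> Invalid Credentials count
        self.incidents = []                    # (client id, incident name), in order

    def _challenge(self, delay):
        return 401, {"WWW-Authenticate": f'Basic realm="{FAKE_REALM}"'}, "", delay

    def handle(self, client, path, headers):
        """Return (status, response_headers, body, delay_seconds) for one request."""
        if path == FAKE_HTACCESS_PATH:
            # Never reveal the real file; serve the fake one instead.
            return 200, {"Content-Type": "text/plain"}, FAKE_HTACCESS, 0.0
        if path != FAKE_PROTECTED_PATH:
            return 404, {}, "Not Found", 0.0
        creds = parse_basic_auth(headers.get("Authorization", ""))
        if creds is None:
            # No usable credentials yet: simulate the challenge the fake .htaccess defines.
            return self._challenge(0.0)
        # Every credential pair is invalid: the protected resource does not really exist.
        self.invalid_creds[client] += 1
        self.incidents.append((client, "Invalid Credentials"))
        if self.invalid_creds[client] == BRUTEFORCE_THRESHOLD:
            self.incidents.append((client, "Basic Authentication Bruteforce"))
        # Default response for the incident: slow the connection 2-6 seconds.
        return self._challenge(random.uniform(2.0, 6.0))

    def count(self, client, name):
        """Number of incidents of a given name recorded for a client."""
        return sum(1 for c, n in self.incidents if c == client and n == name)
```

A real deployment would sleep for `delay_seconds` before writing the response and persist the counters per client profile; the example returns the delay instead so the escalation logic can be tested without waiting.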

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.