Honeypot Processors: File Processor

When developing websites, administrators and developers often rename a file to make room for a newer version of it, or archive older copies. A common vulnerability arises when these older files are left in web-accessible directories and contain non-static resources, that is, server-side scripts rather than images or stylesheets. For example, suppose a developer renames shopping_cart.php to shopping_cart.php.bak. An attacker who enumerates the site's .php files and requests each of them again with a .bak suffix will stumble across the backup. Because the server is not configured to parse .bak files as PHP, it serves the unexecuted script source to the client. Such source disclosure can yield database credentials and system credentials, and hands the attacker the code itself to review for more serious vulnerabilities. The goal of this processor is to detect when a user is attempting to find such unreferenced files.

Table 16: File Processor Configuration Parameters

Parameter                          | Type          | Default Value  | Description
-----------------------------------+---------------+----------------+---------------------------------------------------------------
Basic                              |               |                |
Processor Enabled                  | Boolean       | True           | Whether traffic should be passed through this processor.
Advanced                           |               |                |
Block Response                     | Configurable  | HTTP Response  | The response to return when a request is blocked due to a matching suspicious token rule with blocking enabled.
Suspicious Tokens                  | Collection    | Collection     | The configured suspicious extensions.
Incident: Suspicious File Exposed  | Boolean       | True           | A file which has a suspicious filename is publicly available.
Incident: Suspicious Filename      | Boolean       | True           | A file with a filename that contains a suspicious token was requested.
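To make the detection concrete, the following is an added example written for this page; it is my own code, not the product's File Processor. It applies the idea from the paragraph above to constructed web-server access-log lines and raises the two incidents named in Table 16: Suspicious Filename whenever the requested name contains a suspicious token, and Suspicious File Exposed additionally when the server answered with a 2xx status, meaning the file really is publicly available. It also flags the specific case the text describes, a script name hidden behind a backup suffix such as shopping_cart.php.bak, as a probable source disclosure. The token list, the script-extension list and the log format are assumptions; the page only says the processor reads a configured collection of suspicious extensions.

```python
"""Added example: flag requests for backup / unreferenced files in access logs.

Not the product's own processor. The token list, script-extension list and
log format below are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Assumed suspicious tokens; the page says the real processor reads a
# configured collection of extensions but does not list them.
SUSPICIOUS_TOKENS = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", ".copy", "~")

# Assumed server-side script extensions whose unexecuted source should
# never reach a client.
SCRIPT_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".py", ".rb", ".pl", ".cgi")

# Constructed sample access log (Common Log Format style, documentation
# addresses only). One client probes for backups, another fetches normal files.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /shopping_cart.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /shopping_cart.php.bak HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /include/db_config.php.old HTTP/1.1" 200 982
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php~ HTTP/1.1" 404 153
198.51.100.22 - - [10/Oct/2023:13:56:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
198.51.100.22 - - [10/Oct/2023:13:56:02 +0000] "GET /static/report.old.pdf?v=2 HTTP/1.1" 200 88011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass
class Incident:
    client: str
    path: str
    token: str
    kind: str                # "Suspicious Filename" or "Suspicious File Exposed"
    source_disclosure: bool  # name looks like <script>.<token>


def suspicious_token(filename: str) -> Optional[str]:
    """Return the first suspicious token the filename contains, else None.

    Tokens are matched as whole dot-separated components after the base name
    (so "report.old.pdf" matches ".old" but "old.png" does not), plus the
    editor-style trailing "~".
    """
    lower = filename.lower()
    if lower.endswith("~"):
        return "~"
    for part in lower.split(".")[1:]:  # skip the base name itself
        if "." + part in SUSPICIOUS_TOKENS:
            return "." + part
    return None


def is_source_disclosure(filename: str, token: str) -> bool:
    """True for names such as shopping_cart.php.bak or index.php~: the token
    hides a script extension, so the server will not execute the file and
    instead hands its source to the client."""
    lower = filename.lower()
    if not lower.endswith(token):
        return False
    return lower[: -len(token)].endswith(SCRIPT_EXTENSIONS)


def analyse_request(client: str, target: str, status: int) -> List[Incident]:
    """Classify one request; returns zero, one or two incidents."""
    path = unquote(urlsplit(target).path)  # drop the query string, decode %xx
    filename = path.rsplit("/", 1)[-1]
    token = suspicious_token(filename)
    if token is None:
        return []
    disclosure = is_source_disclosure(filename, token)
    incidents = [Incident(client, path, token, "Suspicious Filename", disclosure)]
    if 200 <= status < 300:  # the server actually served the file
        incidents.append(
            Incident(client, path, token, "Suspicious File Exposed", disclosure)
        )
    return incidents


def scan_log(text: str) -> List[Incident]:
    """Run analyse_request over every parseable line of an access log."""
    found: List[Incident] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            found.extend(analyse_request(m["ip"], m["target"], int(m["status"])))
    return found


if __name__ == "__main__":
    for inc in scan_log(SAMPLE_LOG):
        note = "  (probable source disclosure)" if inc.source_disclosure else ""
        print(f"{inc.client:<14} {inc.kind:<24} {inc.path}{note}")
```

Run as a script it prints one line per incident. Two points are worth noting. First, a 404 for shopping_cart.php.bak exposes nothing, yet it is still the signal the processor is built for: a client asking for a backup name that the site never links to is enumerating, and that behaviour is what the Suspicious Filename incident records. Second, matching on the filename alone produces false positives for legitimate downloads whose names happen to contain a token (report.old.pdf in the sample is reported, but not as a source disclosure), which is why the token collection is configurable and blocking is a separate, optional setting rather than the default action.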