Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Honeypot Processors: AJAX Processor

    A mistake commonly made by web developers is to consolidate every JavaScript file used by their website into a single file. They then reference that one file from every page on the site, regardless of whether it needs all of the code defined in the file. This is an optimization trick that works, but exposes potential vulnerabilities. The goal is to get the browser to cache all of the external JavaScript, so that you don't need to keep downloading additional code as you navigate the site. Consider the case where one of the pages on the site contains an administrative console written with AJAX technology. In the administrative page, there is a JavaScript file that contains code for managing users of the site (creating user, deleting users, getting user details, and so on). Normally only administrators would visit this page, and they would be the only ones who can see this code. Once all JavaScript on the site is consolidated however, these types of sensitive functions tend to get mixed into the rest of the safer functions. Hackers look for these types of functions in order to find both the administrative page that uses them, as well as exploit the function itself. The goal of this trap is to emulate this common mistake and entice hackers into attempting to exploit the "sensitive looking" function.

    Table 1: AJAX Processor Configuration Parameters



    Default Value



    Processor Enabled



    Whether traffic should be passed through this processor.


    Inject Script Enabled



    Whether to inject the fake Javascript code into HTML responses.



    AJAX Service

    The fake service to expose.

    Incident: Malicious Script Execution



    The user executed the fake JavaScript function.

    Incident: Malicious Script Introspection



    The user manually entered the URL into the browser and accessed the service that way. They did not call the function.

    Published: 2014-06-27