    Honeypot Processors: File Processor

    When developing websites, administrators often rename files to make room for a newer version of the file, or archive older files. A common vulnerability is the case where these older files are left in web-accessible directories and contain non-static resources. For example, consider the case where a developer renames shopping_cart.php to shopping_cart.php.bak. If an attacker looks for PHP files and tries to access each of them with a .bak extension, they can stumble across the backup file. Because the server is not configured to parse .bak files as PHP files, it serves the unexecuted script source code to the client. This technique can yield database credentials and system credentials, as well as expose more serious vulnerabilities in the code itself. The goal of this processor is to detect when a user is attempting to find such unreferenced files.
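The detection idea above, as an added illustration that is not part of this guide or of the product's own code: a small log classifier that raises the two incidents the processor defines ("Suspicious Filename" for any request naming a suspicious token, "Suspicious File Exposed" when the server actually served it) and groups hits by client. The token list and the log format are constructed assumptions; the product's real Suspicious Tokens collection is configurable and not listed on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumed token list (hypothetical): the page says the collection is configurable
# but does not list its contents, so these are constructed sample values.
SUSPICIOUS_TOKENS = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~")

# Minimal access-log shape used by the constructed sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def suspicious_token(path):
    """Return the suspicious token in the requested filename, or None.

    Matches both a trailing token (shopping_cart.php.bak) and a token placed
    before the real extension (shopping_cart.bak.php); the query string is ignored.
    """
    name = urlparse(path).path.rsplit("/", 1)[-1].lower()
    for tok in SUSPICIOUS_TOKENS:
        if name.endswith(tok) or (tok + ".") in name:
            return tok
    return None

def classify(line):
    """Map one log line to the incident names the File Processor raises."""
    m = LOG_RE.match(line)
    if not m:
        return []
    if suspicious_token(m["path"]) is None:
        return []
    incidents = ["Suspicious Filename"]          # the request alone is suspicious
    if m["status"] == "200":                     # and the server actually served it
        incidents.append("Suspicious File Exposed")
    return incidents

def scan(lines):
    """Group incidents by client so a scan for backups stands out from a single typo."""
    report = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        for inc in classify(line):
            report[m["ip"]].append((m["path"], inc))
    return dict(report)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 "GET /shopping_cart.php HTTP/1.1" 200',
    '203.0.113.5 "GET /shopping_cart.php.bak HTTP/1.1" 404',
    '203.0.113.5 "GET /config.inc.php.old HTTP/1.1" 200',
    '198.51.100.9 "GET /style.css HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, hits)
```

A "Suspicious File Exposed" hit is the one to act on first: it means the backup is being served as plain text and should be removed from the web root or denied by the server configuration, whatever the processor's blocking setting is.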

    Table 1: File Processor Configuration Parameters

    Parameter | Type | Default Value | Description

    Basic

    Processor Enabled | Boolean | True | Whether traffic should be passed through this processor.

    Advanced

    Block Response | Configurable | HTTP Response | The response to return when a request is blocked due to a matching suspicious token rule with blocking enabled.

    Suspicious Tokens | Collection | Collection | The configured suspicious extensions.

    Incident: Suspicious File Exposed | Boolean | True | A file which has a suspicious filename is publicly available.

    Incident: Suspicious Filename | Boolean | True | A file with a filename that contains a suspicious token was requested.

    Published: 2014-06-27