Honeypot Processors: Hidden Link Processor: Incident - Malicious Resource Request
Complexity: Suspicious (1.0)
Default Response: 1x = Slow Connection 2-6 seconds and 5 day Block in 6 minutes.
Cause: WebApp Secure injects a hidden link into pages on the protected web application, which is only discoverable through manual source code inspection. If a user discovers the hidden link, and attempts to request the file it references, this incident will be triggered.
Behavior: When scoping the attack surface of a website, hackers commonly spider the site and collect the locations of all pages. Spidering can be performed with the assistance of simple scripts that look for URLs in the returned HTML of the home page, then request those pages and check for URLs in their source, and so forth. Legitimate search engine spiders will do this as well — but the difference between legitimate spiders and malicious users lies in how aggressively they will use the newly discovered URL to derive other URLs. This incident triggers when the user simply requests the hidden link URL. Because this can also be triggered by a legitimate search engine spider, this type of incident is not considered malicious on its own.
