Honeypot Processors: Basic Authentication Processor: Incidents - Protected Resource Requested

Complexity: Low (2.0)

Default Response: 1x = Slow Connection 2-6 seconds for 1 day.

Cause: Apache is a web server used by many websites on the Internet. As a result, hackers will often look for vulnerabilities specific to Apache, because there is a good chance that any given website is running it. One such vulnerability involves the use of an .htaccess file to provide directory-level configuration (such as default 404 messages, password-protected resources, directory indexing options, and so on) without sufficiently protecting the .htaccess file itself. By convention, any resource that provides directory-level configuration should not be exposed to the public. This means that if a user requests .htaccess or a related resource, they should get either a 404 or a 403 error. Unfortunately, not all web servers are configured correctly to block requests for these resources. In such a scenario, a hacker could gain valuable intelligence on the way the server is configured. WebApp Secure will automatically block any requests for the .htaccess resource and return a fake version of the file. The fake version of the file will contain the directives necessary to password-protect a fake resource. Should the user request the password-protected resource, WebApp Secure will simulate the correct authentication method defined in .htaccess and simulate the existence of the fake resource. The "Protected Resource Requested" incident will trigger when the user requests the fake password-protected file and does not supply a username and password (as would be the case if they requested the file in a browser and canceled the login prompt).

Behavior: Hackers will often attempt to get the .htaccess file from various directories on a website in an effort to find valuable information about how the server is configured. This is usually done to find a "Server Misconfiguration" weakness that might expose a "Credential/Session Prediction", "OS Commanding", "Path Traversal", or "URL Redirector Abuse" vulnerability, among others. The fact that an .htaccess file is even exposed is a "Server Misconfiguration" vulnerability in itself. In this specific case, the attacker is asking for a different resource that is referenced only from .htaccess. The resource is password-protected, but the user has not yet tried to supply credentials. This is most likely an attempt to see whether the password-protected file actually exists.
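The decoy flow described above, as an added sketch that is not WebApp Secure's own code: a request handler that serves a fake .htaccess, answers the bait resource with a Basic authentication challenge, and flags the incident when no credentials accompany the request. The bait path, realm, decoy file contents and the 200 status for the decoy are constructed assumptions; only the incident name comes from this page.

```python
import base64

# Constructed decoy values (assumptions for this sketch, not product defaults).
FAKE_NAME = "backup.html"
FAKE_RESOURCE = "/admin/" + FAKE_NAME
REALM = "Restricted Area"
FAKE_HTACCESS = (
    "AuthType Basic\n"
    f'AuthName "{REALM}"\n'
    "AuthUserFile /var/www/.htpasswd\n"
    f'<Files "{FAKE_NAME}">\n'
    "  Require valid-user\n"
    "</Files>\n"
)
INCIDENT = "Protected Resource Requested"  # incident name from the page


def has_basic_credentials(headers):
    """True only for a well-formed 'Basic base64(user:password)' header."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return False
    try:
        return b":" in base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def handle(path, headers):
    """Return (status, response_headers, body, incident) for one request."""
    headers = {k.lower(): v for k, v in headers.items()}
    if path.rsplit("/", 1)[-1] == ".htaccess":
        # Never expose the real file; serve the decoy that names the bait.
        return 200, {"Content-Type": "text/plain"}, FAKE_HTACCESS, None
    if path == FAKE_RESOURCE:
        # The bait is referenced only from the decoy .htaccess, so no
        # legitimate link leads here; answer as Basic authentication would.
        challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        if not has_basic_credentials(headers):
            return 401, challenge, "", INCIDENT
        # Credentials were supplied: outside the scope of this incident.
        return 401, challenge, "", None
    return 404, {}, "", None
```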

Note: For information on the attack types mentioned here, go to The Web Application Security Consortium Web Site and search for the attack name to learn more about it.