ASP.NET Security Consultant

I'm an author, speaker, and generally a the-way-we've-always-done-it-sucks security guy who specializes in web technologies and ASP.NET.


Honeypots in Websites

Published on: 2018-07-05

The first question many of you might be asking is: what is a honeypot? In a nutshell, a honeypot is a resource set up for the sole purpose of detecting people performing (likely) nefarious activities. Here are two examples:

  • One can set up a server (possibly with email or web services turned on) that doesn't do anything other than report to the system administrators who tried to access it.
  • Email providers will often set up fake email accounts on their domain. Anyone who sends an email to this (fake) address should be under suspicion of sending illegitimate emails.

Honeypots in Websites

How do we apply this concept to websites? Most websites have a file called robots.txt, which tells search engines which pages to crawl, but also tells them which pages not to crawl. This file is visible to anyone who looks for it, including hackers. One could easily set up a page (or pages) that monitor requests, add a line in robots.txt telling legitimate search engines to ignore these pages, then wait to see who starts poking around where they shouldn't.

Another option would be to move the default location of pages and monitor the old locations. For example, Microsoft's default templates for MVC websites host the login functionality under the Account controller. So by default, the login page is in "/Account/Login", the forgot password page is in "/Account/ForgotPassword", and so on. This makes it easy for hackers to create scripts that attack these pages. Instead, you should move the functionality to a different page (such as "/MyAccount/Login"), then monitor requests at the original locations.
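The detection side of both techniques above, as an added example that is not part of the original post or of the ASP.NET Security Enhancer: it reads the Disallow entries from a (constructed) robots.txt as decoy paths, adds the old default MVC login routes as a second set of decoys, and counts honeypot hits per client in constructed access-log lines, flagging clients that pass a lockout threshold. The log format, the threshold and all addresses are assumptions.

```python
import re
from collections import Counter

# Constructed robots.txt: every Disallow entry is also a decoy path.
ROBOTS_TXT = """User-agent: *
Disallow: /admin-backup/
Disallow: /old-login/
"""

# Old default MVC routes, assumed to have been moved under /MyAccount/.
LEGACY_ROUTES = {"/Account/Login", "/Account/ForgotPassword", "/Account/Register"}
LOCKOUT_THRESHOLD = 3  # assumed: hits before a client is flagged for lockout

# Common Log Format: client, method and path are all we need here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decoy_prefixes(robots_txt):
    """Return the path prefixes that robots.txt asks crawlers to stay away from."""
    prefixes = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes

def is_honeypot_hit(path, prefixes, legacy=LEGACY_ROUTES):
    """True if the request path is a decoy: a moved route or a robots.txt prefix."""
    path = path.split("?", 1)[0]  # ignore the query string
    return path in legacy or any(path.startswith(p) for p in prefixes)

def analyze(log_lines, robots_txt=ROBOTS_TXT, threshold=LOCKOUT_THRESHOLD):
    """Count decoy hits per client; return (hits, clients at or above threshold)."""
    prefixes = decoy_prefixes(robots_txt)
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_honeypot_hit(m.group(3), prefixes):
            hits[m.group(1)] += 1
    return hits, sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed access-log lines: one scanner, one stray client, one normal user.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120',
    '203.0.113.5 - - [05/Jul/2018:10:00:02 +0000] "GET /admin-backup/ HTTP/1.1" 404 0',
    '203.0.113.5 - - [05/Jul/2018:10:00:03 +0000] "POST /Account/Login HTTP/1.1" 404 0',
    '203.0.113.5 - - [05/Jul/2018:10:00:04 +0000] "GET /Account/ForgotPassword HTTP/1.1" 404 0',
    '198.51.100.7 - - [05/Jul/2018:10:01:05 +0000] "GET /Account/Login?ReturnUrl=%2F HTTP/1.1" 404 0',
    '192.0.2.9 - - [05/Jul/2018:10:02:00 +0000] "GET /MyAccount/Login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    counts, locked = analyze(SAMPLE_LOG)
    print(dict(counts), locked)
```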

Honeypots in the ASP.NET Security Enhancer

Setting up honeypots with the ASP.NET Security Enhancer is easy. All you need to do is put the [Honeypot] attribute (in the NCG.Core.MVC.ControllerAttributes namespace) on any class or method which you're using to monitor intruders. And if you want to lock them out after it's clear that they're doing more than just poking around, add the [BlockIfLockedOut] attribute from the NCG.Core.MVC.UserLockout namespace. As long as you've set up the framework beforehand, yes, adding honeypots to your system is that simple.

Enticement vs. Entrapment

Creating something that potential hackers can discover and try to exploit on their own is called enticement, and is a perfectly normal and legal thing to do. Deliberately seeking out potential hackers and inviting them to break into your system with the intent of catching and punishing them is called entrapment, and it is neither typical nor legal. Please don't use your honeypots to cross the line into entrapment. If you have any questions, please consult a lawyer.