One way to deal with web application security threats is to prevent them (IPS), one way is to detect them (IDS/HIDS) and then there’s another way that I came up with called the Matrix. It’s loosely based on the same concept of a honeynet where you show something as vulnerable but in reality you are watching what they are doing. The difference between a honeynet and the Matrix is that in a honeynet you are actually allowing them to hack a network device (which is being heavily monitored) and in the Matrix you are giving them erroneous information upon detection of a possible threat. Let me preface this post by saying this is not completely thought out and comments/flames are welcome.
So how would the Matrix work? Basically you would have to have the equivalent of Snort signatures that looked for specific known strings used by automated vulnerability scanners and all other known malicious strings. Once they were detected you could provide an alternate environment for the duration of that user’s session that gave erroneous information, including erroneous vulnerabilities. Of course, Cross Site Scripting is easier to deal with than most, as all you are doing is reflecting what the user typed. Remote shell inclusion is tricky, but could potentially work, where you give someone back the information that they would expect. SQL injection is the hardest, where you have to allow the user to get fake information out of a database - maybe returning fake credit card information/passwords, etc… is a possibility. The possibilities are there, it would just take work to refine.
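To make the idea concrete, here is a small added sketch (my own illustration, not code from the post) of the request path described above: a constructed signature list stands in for the Snort-style rules, a session that trips one is flagged, and every later request in that session is answered from a decoy environment while the watcher’s log records what was tried. The signatures, page text and decoy rows are all placeholders.

```python
import re

# Constructed signatures (illustrative, not a real scanner ruleset): the
# Snort-like strings that the post says would flip a session into Matrix mode.
SIGNATURES = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("xss",  re.compile(r"(?i)<script\b|javascript:")),
    ("rfi",  re.compile(r"(?i)=\s*(?:https?|ftp)://")),
]

# Per-session state plus an audit log. A real deployment would keep the flag in
# the session store so it persists for the whole lifetime of that session.
matrix_sessions = set()
events = []

def classify(query):
    """Return the name of the first signature matching the query string, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(query):
            return name
    return None

def real_response(query):
    return "Welcome, regular page content"  # placeholder for the actual application

def decoy_response(kind, query):
    """Serve something that looks vulnerable while disclosing nothing real."""
    if kind == "xss":
        # Reflect the input unescaped: the post notes this is the easy case.
        return "<p>Search results for: %s</p>" % query
    if kind == "sqli":
        # Constructed fake rows; no real database is ever consulted.
        return "user=admin pass=DECOY-PASSWORD-1\nuser=guest pass=DECOY-PASSWORD-2"
    if kind == "rfi":
        return "include ok: remote file executed"  # fake success message
    # A benign request inside a flagged session still comes from the decoy
    # environment; here that environment happens to serve the same placeholder.
    return real_response(query)

def handle_request(session_id, query):
    """Route one request. Returns (mode, body) with mode 'real' or 'matrix'."""
    kind = classify(query)
    if kind and session_id not in matrix_sessions:
        matrix_sessions.add(session_id)  # entry into the Matrix is sticky
    if session_id in matrix_sessions:
        events.append((session_id, kind, query))  # what the watcher reviews later
        return "matrix", decoy_response(kind, query)
    return "real", real_response(query)
```

Note how the decision is keyed on the session rather than on the single request, which is exactly the property the post relies on: once flagged, the user is never handed a real result again for that session.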
The biggest advantage of this security model is that it assumes that you are already vulnerable and that you have a vested interest in finding the bad guys. It also assumes that bad guys will go for the lowest common denominator in terms of vulnerabilities (i.e. go for the easiest vulnerabilities first). Making the hacker’s life seem easier by allowing them to find fake vulnerabilities quicker can help reduce the overall threat by giving you time to see what they are doing and where they are coming from, etc… It does not actually reduce the threat unless you monitor the users who are caught in the Matrix closely and attempt to locate and patch what they either did find or would find before they can go public with the information or exploit it for their own means, as they still will have access to the same system and the vulnerabilities will still be there. The advantage over IPSs and Firewalls is that the hackers aren’t aware of the fact that they have been stopped from their activities.
Ultimately, I think there is something to this security model, even if it is seriously flawed in the incarnation that I have described. Also it could potentially be extremely cost prohibitive, and there may be more vulnerabilities introduced by allowing a user to find vulnerabilities solely for the purpose of tracking adversary movements around the website in question. For instance, let’s say that once a vulnerability test has been detected, the website switches into Matrix mode, giving them an alternate environment. It could still be used against the website, where the hacker simply sends two requests to the server and gets the same result as if they only sent one, and the Matrix would actually cause the vector in question. As I said, this is a seriously flawed implementation, but there may be something to it.