Add honeypot-path collector to detect exposed sensitive endpoints #1

Closed
opened 2026-06-13 06:44:15 +00:00 by nemunaire · 0 comments
Owner

When a new TLS certificate is issued and appears in Certificate Transparency logs, scanners immediately probe the new host for commonly-exploitable paths. The log excerpt below was observed within minutes of a new host coming online:

```
GET /wp-json/
GET /xmlrpc.php?rsd
GET /console/
GET /server-status
GET /.env
GET /.git/config
GET /config.json
GET /actuator/env
GET /@vite/env
GET /.vscode/sftp.json
POST /graphql
POST /api/graphql
GET /v2/_catalog
GET /debug/default/view?panel=config
...
```

These paths are well-known attack surfaces: leaked credentials (`.env`, `.git/config`, `sftp.json`), admin panels (`/console/`, `/server-status`), framework debug endpoints (`/actuator/env`, `/telescope/requests`, `/@vite/env`), and CMS entry points (`/xmlrpc.php`, `/wp-json/`).

## Proposed feature

Add a **honeypot-path collector** (similar to `wellknownCollector`) that probes a curated list of these paths and reports any that return a non-404/non-410 response.

### Collector

A new `HoneypotData` collector probes a fixed list of paths on the first HTTPS IP (same pattern as `wellknownCollector`). It records status code and response size for each path.

### Rules

One or more rules evaluate the collected data:

- **`http.honeypot.sensitive_exposed`:** `StatusWarn` or `StatusCritical` for any path returning `2xx` or `3xx`
- **`http.honeypot.info_leak`:** flag paths that return `200` with a non-trivial body (> N bytes), since even an empty shell could be a misconfiguration
- Paths returning `401`/`403` could be reported as `StatusInfo` ("endpoint exists but is protected")

### Path list (initial)

Derived from real CT-scanner traffic; grouped by category for maintainability:

| Category | Paths |
|---|---|
| Credentials / source | `/.env`, `/.git/config`, `/.vscode/sftp.json`, `/.DS_Store` |
| Debug / metrics | `/actuator/env`, `/server-status`, `/debug/default/view`, `/trace.axd`, `/@vite/env`, `/info.php` |
| Admin panels | `/console/`, `/server`, `/login.action`, `/telescope/requests` |
| APIs / registries | `/v2/_catalog`, `/graphql`, `/api/graphql`, `/api/gql` |
| CMS | `/xmlrpc.php`, `/wp-json/`, `/?rest_route=/wp/v2/users/` |
| Config dumps | `/config.json`, `/version`, `/api/v1/health` |

The list should live in a dedicated slice (easy to extend) rather than be inlined in the collector logic.

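An added worked example (not checker-http's own code) of the rule-evaluation step proposed above, in Go: it takes the per-path status/size records the `HoneypotData` collector would produce and emits findings for the three proposed rules. The `Severity` type, the struct names and the choice to rate `2xx` as critical and `3xx` as warn are assumptions made for this example.

```go
package main

import "fmt"

// Severity levels named as in the proposal; the type itself is assumed here.
type Severity string

const (
	StatusInfo     Severity = "info"
	StatusWarn     Severity = "warn"
	StatusCritical Severity = "critical"
)

// ProbeResult is one collector record per path; Finding is one rule hit.
type ProbeResult struct {
	Path   string
	Status int
	Size   int64
}
type Finding struct {
	Rule     string
	Severity Severity
	Path     string
}

// Evaluate applies the proposed rules. infoLeakMinBytes is the proposal's "N";
// 404/410 are the healthy outcomes and yield nothing. Rating 2xx as critical
// and 3xx as warn is an assumption made for this example.
func Evaluate(results []ProbeResult, infoLeakMinBytes int64) []Finding {
	var out []Finding
	for _, r := range results {
		switch {
		case r.Status >= 200 && r.Status < 300:
			out = append(out, Finding{"http.honeypot.sensitive_exposed", StatusCritical, r.Path})
			if r.Status == 200 && r.Size > infoLeakMinBytes {
				out = append(out, Finding{"http.honeypot.info_leak", StatusWarn, r.Path})
			}
		case r.Status >= 300 && r.Status < 400:
			out = append(out, Finding{"http.honeypot.sensitive_exposed", StatusWarn, r.Path})
		case r.Status == 401 || r.Status == 403:
			out = append(out, Finding{"http.honeypot.sensitive_exposed", StatusInfo, r.Path})
		}
	}
	return out
}

func main() {
	sample := []ProbeResult{{"/.env", 200, 512}, {"/console/", 302, 0}, {"/server-status", 403, 0}, {"/wp-json/", 404, 0}} // constructed sample
	fmt.Println(Evaluate(sample, 100))
}
```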
Reference
happyDomain/checker-http#1