Endpoints (API Honeypots)

What Are Endpoint Decoys?

An endpoint decoy is a fake API endpoint that captures detailed information about attackers probing your APIs for vulnerabilities. Unlike simple decoy links, endpoints can accept POST, PUT, DELETE, and PATCH requests, capturing request bodies and detecting attack patterns.

Endpoint vs. Link Decoys

Feature	Decoy Link	Endpoint Decoy
HTTP Methods	GET only	GET, POST, PUT, DELETE, PATCH
Body Capture	No	Yes
Attack Signatures	Basic	SQL injection, XSS, XXE, etc.
Content-Type	N/A	Configurable
Use Case	Crawlers, scanners	API attacks, vulnerability probing

How Endpoint Decoys Work

Attacker → POST /api/admin/users
           {"username": "admin", "password": "' OR '1'='1"}
                    │
                    ▼
            Endpoint Decoy receives request
                    │
                    ▼
            Attack signature detected: SQL Injection
                    │
                    ▼
            Detection created with full request details
                    │
                    ▼
            MITRE mapped: TA0001 (Initial Access)

Creating an Endpoint Decoy

Step-by-Step Guide

Navigate to Decoys
- Click Decoys in the sidebar
Click “New Decoy”
- The create decoy dialog opens
Select Decoy Type: Endpoint
- Switch from “Link” to “Endpoint” type

Configure the Endpoint

Field	Description	Example
Name	Internal name	”Admin API Honeypot”
Domain	Your custom domain	`api.yoursite.com`
Path	API endpoint path	`/api/v1/admin/users`
Methods	HTTP methods to accept	POST, PUT, DELETE
Capture Body	Store request bodies	Yes
Content-Type	Expected content type	`application/json`

Click “Create”
- Your endpoint decoy is active immediately

Example: Admin API Honeypot

Name: Admin API Honeypot
Domain: api.yoursite.com
Path: /api/v1/admin/users
Methods: GET, POST, PUT, DELETE
Capture Body: Yes
Content-Type: application/json
Action: Log

This creates a fake admin API that captures any requests to:

GET /api/v1/admin/users - List users attempt
POST /api/v1/admin/users - Create user attempt
PUT /api/v1/admin/users - Update user attempt
DELETE /api/v1/admin/users - Delete user attempt

Configuring Endpoint Options

HTTP Methods

Select which HTTP methods your endpoint should accept:

Method	Typical Attack	Detection Value
GET	Information disclosure	Low - common crawling
POST	Data injection, authentication bypass	High - active attack
PUT	File upload, data modification	High - active attack
DELETE	Data destruction attempts	High - active attack
PATCH	Partial data modification	Medium - targeted attack

Recommendation: Enable POST, PUT, and DELETE for API honeypots to catch actual attack attempts.

Capture Body

When enabled, the full request body is stored in the detection:

{
  "captured_body": {
    "username": "admin",
    "password": "' OR '1'='1",
    "role": "superadmin"
  },
  "body_size": 89,
  "content_type": "application/json"
}

Privacy Note: Body capture may contain sensitive data. Review your data retention policies.

Expected Content-Type

Configure what content type the endpoint expects:

Content-Type	Use Case
`application/json`	REST API honeypot
`application/xml`	XML/SOAP API honeypot
`application/x-www-form-urlencoded`	Form submission honeypot
`multipart/form-data`	File upload honeypot
`text/plain`	Generic text endpoint

Response Configuration

Configure what your endpoint returns:

Setting	Description
Status Code	HTTP response code (default: 200)
Response Body	Custom response content
Headers	Custom response headers

Example Response (Fake API):

{
  "status": "success",
  "message": "User created",
  "user_id": "fake-uuid-12345"
}

Attack Pattern Detection

Endpoint decoys automatically detect common attack patterns in request data.

Detected Attack Signatures

Attack Type	Pattern	MITRE Tactic
SQL Injection	`' OR '1'='1`, `UNION SELECT`, `DROP TABLE`	T1190
XSS	`<script>`, `javascript:`, `onerror=`	T1059
Command Injection	`; ls`, `	cat, `` whoami` “
Path Traversal	`../`, `..\\`, `/etc/passwd`	T1083
XXE	`<!ENTITY`, `SYSTEM`, `file://`	T1059
LDAP Injection	`)(`, `*)(uid=`, `admin)(`	T1190
NoSQL Injection	`$gt`, `$ne`, `$where`	T1190

Detection Details

When an attack is detected, your detection includes:

{
  "attack_signatures": [
    {
      "type": "sql_injection",
      "pattern": "' OR '1'='1",
      "location": "body.password",
      "confidence": "high"
    }
  ],
  "threat_score": 85,
  "mitre_tactic": {
    "id": "TA0001",
    "name": "Initial Access",
    "confidence": "high"
  }
}

Signature Scoring

Attack signatures increase the threat score:

Signature	Score Impact
SQL Injection	+30-40 points
XSS	+25-35 points
Command Injection	+35-45 points
Path Traversal	+20-30 points
XXE	+30-40 points

Multiple attack types compound the score.

Best Practices for Endpoint Placement

High-Value Endpoint Paths

These paths are commonly targeted by API attackers:

Category	Example Paths
Authentication	`/api/auth/login`, `/api/token`, `/oauth/token`
Admin	`/api/admin/`, `/api/v1/admin/`, `/admin/api/*`
User Management	`/api/users`, `/api/users/admin`, `/api/users/delete`
GraphQL	`/graphql`, `/api/graphql`, `/v1/graphql`
Debug	`/api/debug`, `/api/health/debug`, `/api/config`
File Operations	`/api/upload`, `/api/files`, `/api/download`
Database	`/api/query`, `/api/sql`, `/api/export`

Placement Strategies

Strategy 1: Shadow Real Endpoints

Create decoys that mirror your real API structure:

Real API: /api/v1/users
Decoy:    /api/v1/admin/users     ← Looks like admin version
Decoy:    /api/v2/users           ← Looks like new version
Decoy:    /api/users/export       ← Looks like data export

Strategy 2: Common Vulnerability Targets

Create endpoints attackers commonly probe:

/api/graphql        ← GraphQL introspection attacks
/api/debug          ← Debug information leakage
/api/config         ← Configuration exposure
/api/admin/sql      ← Direct database access
/.well-known/admin  ← Admin discovery

Strategy 3: Documentation Honeypot

If you have API documentation, add undocumented “internal” endpoints:

Documented:   /api/v1/products (real)
Documented:   /api/v1/orders (real)
Undocumented: /api/v1/internal/audit (decoy)
Undocumented: /api/v1/admin/impersonate (decoy)

Response Realism

Make your endpoint responses look realistic:

Bad (obvious fake):

{"error": "honeypot"}

Good (realistic API response):

{
  "status": "error",
  "code": "AUTH_REQUIRED",
  "message": "Authentication required for this endpoint"
}

Even Better (enticing response):

{
  "status": "success",
  "data": {
    "users": [
      {"id": 1, "email": "admin@example.com", "role": "admin"},
      {"id": 2, "email": "user@example.com", "role": "user"}
    ]
  },
  "total": 2,
  "page": 1
}

Endpoint Monitoring

Viewing Endpoint Detections

Go to Detections in the sidebar
Filter by Source: Endpoint
View endpoint-specific details:
- Request method (POST, PUT, DELETE)
- Request body content
- Attack signatures detected
- Content-Type header

Key Metrics

Metric	Description
Trigger Count	Total requests to the endpoint
Unique IPs	Number of distinct attackers
Attack Types	Breakdown by attack signature
Methods	Distribution of HTTP methods

Alert Configuration

Set up alerts for endpoint detections:

Go to Integrations → Webhooks or Slack
Configure notifications for:
- High-severity attack signatures
- Multiple attempts from same IP
- Specific endpoint triggers

Example: Complete API Honeypot Setup

Scenario: E-commerce API Protection

Create a suite of endpoint decoys:

Endpoint	Path	Methods	Purpose
Auth Honeypot	`/api/auth/admin`	POST	Catch credential stuffing
User Export	`/api/users/export`	GET	Catch data exfiltration
Bulk Delete	`/api/orders/bulk-delete`	DELETE	Catch destructive attacks
GraphQL Admin	`/graphql/admin`	POST	Catch GraphQL attacks
SQL Query	`/api/internal/query`	POST	Catch SQL injection

Implementation

Create each endpoint in WebDecoy
Add realistic responses
Monitor for:
- Authentication bypass attempts
- SQL injection in query endpoint
- GraphQL introspection
- Bulk data operations

Next Steps

Add client-side bot detection:

Bot Scanners - JavaScript-based detection