Reference table of all detection sources in WebDecoy.

| Source | Code | Icon | Description |
|---|---|---|---|
| Decoy Link | decoy_link | Link | Hidden honeypot link was accessed |
| Endpoint | endpoint | API | API honeypot received a request |
| Bot Scanner | bot_scanner | Robot | JavaScript scanner detected automation |
| WordPress Plugin | wordpress_plugin | Document | WordPress plugin server-side detection |
| SDK | sdk | Tool | Server-side SDK submitted detection |

Detections from hidden honeypot URLs that legitimate users cannot see or access.

| Field | Example |
|---|---|
| URL | /admin/backup.zip |
| Method | GET |
| Trigger Action | Log, Block, Poison, Redirect |
| Click Count | Incremented on each access |

- Bot crawling hidden links
- Scanner probing common admin paths
- Attacker following disallowed robots.txt paths
Usually mapped to:
- TA0043 (Reconnaissance)
- TA0001 (Initial Access)
Detections from fake API endpoints that capture detailed request information including POST bodies.

| Field | Example |
|---|---|
| URL | /api/v1/admin/users |
| Method | POST, PUT, DELETE, PATCH |
| Body | Captured request body |
| Content-Type | application/json |
| Attack Signatures | SQL injection, XSS, etc. |

| Field | Description |
|---|---|
| request_body | Captured POST/PUT body content |
| body_size | Size in bytes |
| content_type | Content-Type header value |
| has_auth_header | Whether Authorization header present |
| attack_signatures | Array of detected attack patterns |

- API vulnerability scanning
- SQL injection attempts
- Authentication bypass attempts
- Data exfiltration probing
Usually mapped to:
- TA0001 (Initial Access) - for exploit attempts
- TA0006 (Credential Access) - for auth attacks
- TA0007 (Discovery) - for enumeration
Detections from the JavaScript-based scanner running in visitors’ browsers.

| Field | Example |
|---|---|
| Detection Type | Headless browser, WebDriver |
| Bot Score | 0-100 |
| Signals | Array of detected anomalies |
| Browser Fingerprint | Hash of browser characteristics |

| Field | Description |
|---|---|
| webdriver_detected | WebDriver API present |
| headless_detected | Running in headless mode |
| automation_markers | Puppeteer, Playwright traces |
| fingerprint_hash | Browser fingerprint |
| behavioral_score | Behavior analysis score |

| Signal | Indicates |
|---|---|
| webdriver | Selenium/WebDriver automation |
| headless_chrome | Chrome running headless |
| puppeteer | Puppeteer automation |
| playwright | Playwright automation |
| phantom_js | PhantomJS browser |
| missing_plugins | No browser plugins (headless indicator) |
| canvas_anomaly | Unusual canvas fingerprint |
| webgl_anomaly | Graphics rendering inconsistency |

- Headless browser scraping
- Automated testing tools on production
- Bot networks using browser automation
Usually mapped to:
- TA0043 (Reconnaissance) - for scraping
- TA0009 (Collection) - for data theft
Detections from the WebDecoy WordPress plugin’s server-side analysis.

| Field | Example |
|---|---|
| Detection Type | Rate limit, honeypot field, user agent |
| WordPress Hook | comment_form, login, registration |
| Plugin Version | 1.3.x |

| Field | Description |
|---|---|
| hook_triggered | Which WordPress hook caught this |
| honeypot_filled | Hidden form field was filled |
| rate_limited | Request exceeded rate limit |
| form_type | comment, login, registration |
| woocommerce_context | Cart, checkout, etc. |

| Context | Description |
|---|---|
| comment_form | Comment submission |
| login | Login attempt |
| registration | User registration |
| checkout | WooCommerce checkout |
| general | General request analysis |

- Comment spam bots
- Login brute force attacks
- Registration spam
- Card testing on WooCommerce
Usually mapped to:
- TA0006 (Credential Access) - for login attacks
- TA0001 (Initial Access) - for form exploits
Detections submitted programmatically via the Node.js or PHP SDK.

| Field | Example |
|---|---|
| SDK Version | 1.0.0 |
| Framework | Express, Next.js, etc. |
| Custom Fields | Developer-defined metadata |

| Field | Description |
|---|---|
| sdk_version | Version of SDK used |
| framework | Web framework (if applicable) |
| custom_metadata | Developer-added fields |
| submission_timestamp | When SDK submitted |

- Custom server-side bot detection
- Middleware-based protection
- API gateway integration
- Custom threat analysis
Depends on detection context. Typically:
- TA0043 (Reconnaissance)
- TA0001 (Initial Access)

| Source | Server-Side | Client-Side | Body Capture | Attack Signatures |
|---|---|---|---|---|
| decoy_link | Yes | No | No | Basic |
| endpoint | Yes | No | Yes | Full |
| bot_scanner | No | Yes | No | Automation |
| wordpress_plugin | Yes | Yes | Limited | Full |
| sdk | Yes | No | Custom | Custom |

- Go to Detections
- Click Filters
- Select Source filter
- Check desired sources
GET /api/organizations/{org_id}/detections?source=endpoint
Multiple sources:
GET /api/organizations/{org_id}/detections?source=endpoint,bot_scanner