Honeypots and Rails Forms

Making things a little less vulnerable

Madeleine Rose
4 min read · Jan 12, 2016

What’s a Honeypot?

In espionage, a “honeypot” is a staggeringly attractive agent tasked with recruiting or coercing their counterpart using irresistible seduction techniques.

See Sterling Archer, Tatiana Romanova, && Vesper Lynd.

But in information systems, a honeypot is a security mechanism set up to detect, deflect, or counteract attempts at unauthorized use of systems. Usually, a honeypot consists of data that appears to be a legitimate part of the site but is actually isolated and monitored, and is used to identify and subsequently block hackers.

It’s like a sting.


Those of us behind the scenes for a system or application write honeypots to catch the bad guys by luring them in with easy (but not too easy) and attractive traps.

What do honeypots trap?

  • Malware

Small amounts of data are used as bait to detect the attack methods of malware. Example: using small amounts of bitcoin to monitor a possible malware infection.

  • Spam

Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity.

  • Database intruders

SQL injection: the intruder is steered into a trap database while the web application keeps running against the real one.

These are the three categories you generally have to worry about. #hackerz


How can I use a Honeypot?

Honeypot in Rails Forms:

Spambots LOVE forms. All those beautiful, fluid, functional forms we’ve been building in our apps are just waiting to be filled in by malicious hackerz. Honeypots are great for mitigating this problem, as they’re less invasive to your program than other anti-hacker options. And, with just the Rails skills we have right now, we can start writing our own honeypots into projects as needed.

Let’s look at writing our own honeypots.

Forms

A typical form honeypot is a field that only bots can see. We hide these fields from human users, but a bot will spam information into every field it can find, unconstrained by the visible layout. So basically, we will know a form submission is spammy if our hidden field has a value.

In your form, just add the extra field(s) that you’ll use to detect unauthorized submissions. Make sure to name it something normal so spam bots will populate it.

<%= form_tag form_submit_path do %>
  <fieldset>
    <legend>Contact Info</legend>

    <div class="form-group">
      <%= label_tag :name %>
      <%= text_field_tag :name %>
    </div>
    <div class="form-group">
      <%= label_tag :email %>
      <%= text_field_tag :email %>
    </div>
    <div class="form-group">
      <%= label_tag :phone %>
      <%= text_field_tag :phone %>
    </div>
    <%# Honeypot: hide this whole div with CSS (e.g. .honeypot { display: none; }),
        not with type="hidden", so a bot parsing the markup still sees an ordinary text input. %>
    <div class="form-group honeypot">
      <%= label_tag :content %>
      <%= text_field_tag :content, nil %>
      <span class="help">Do not fill in this field. It is an anti-spam measure.</span>
    </div>
  </fieldset>

  <button type="submit">Submit</button>
<%- end -%>

Again, this adds a field that a bot will automatically fill in, but a human will know to disregard.

Add to controller:

class FormController < ApplicationController

  def submit
    # A real visitor never sees the hidden :content field, so any value in it
    # means a bot filled in every input it found: drop the message silently.
    SiteMailer.notify(params).deliver unless params[:content].present?

    # Respond identically either way so the bot gets no hint it was caught.
    flash[:success] = "Your message has been submitted. Thank you!"

    redirect_to root_url
  end

end
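As an added example (not code from the post or from the honeypot-captcha gem), here is the same check in plain Ruby with no Rails dependency, generalized to several disguised fields and with the logging a defender needs to block a sender later. HONEYPOT_FIELDS, HONEYPOT_STRING, honeypot_name, filled_honeypots and handle_submission are assumed names, and the sample params are constructed.

```ruby
require 'logger'

# Field names a bot is likely to fill, and a disguise string mixed into the
# rendered input name so the word "honeypot" never appears in the markup. Both
# are assumed values for this example, modelled on the gem's honeypot_fields
# and honeypot_string overrides described in the post.
HONEYPOT_FIELDS = %w[content website].freeze
HONEYPOT_STRING = 'im-not-a-honeypot-at-all'

# The input name the form renders for a honeypot field,
# e.g. honeypot_name('content') => "content_im-not-a-honeypot-at-all".
def honeypot_name(field)
  "#{field}_#{HONEYPOT_STRING}"
end

# Honeypot fields that arrived non-blank. Whitespace-only values are ignored
# so a stray space does not flag a real visitor.
def filled_honeypots(params)
  HONEYPOT_FIELDS.select do |field|
    value = params[honeypot_name(field)]
    value.is_a?(String) && !value.strip.empty?
  end
end

# Mirror of the controller's `unless params[:content].present?`, generalized to
# several fields: forward only clean submissions (here: push onto `outbox`),
# log the evidence needed to block the sender later, and answer both cases
# identically so a bot learns nothing from the response.
def handle_submission(params, remote_ip, outbox, logger: Logger.new(nil))
  hits = filled_honeypots(params)
  if hits.empty?
    outbox << params.reject { |key, _| HONEYPOT_FIELDS.any? { |f| key == honeypot_name(f) } }
  else
    logger.warn("honeypot hit ip=#{remote_ip} fields=#{hits.join(',')}")
  end
  { message: 'Your message has been submitted. Thank you!', spam: !hits.empty?, hits: hits }
end

# Constructed sample submissions (not real traffic).
HUMAN_PARAMS = { 'name' => 'Ada', 'email' => 'ada@example.com', 'phone' => '555-0100',
                 honeypot_name('content') => '', honeypot_name('website') => '   ' }.freeze
BOT_PARAMS   = HUMAN_PARAMS.merge(honeypot_name('content') => 'cheap pills http://spam.invalid').freeze

if __FILE__ == $PROGRAM_NAME
  outbox = []
  p handle_submission(HUMAN_PARAMS, '203.0.113.5', outbox)  # spam: false, message forwarded
  p handle_submission(BOT_PARAMS, '203.0.113.6', outbox, logger: Logger.new($stdout))
  puts "forwarded: #{outbox.size}"                           # 1
end
```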

But what if I don’t like writing forms?

There’s a gem for that.

Honeypot Captcha

“The simplest way to add honeypot captchas in your Rails forms.”

Install and require:

♥ gem install honeypot-captcha
Fetching: honeypot-captcha-0.0.3.gem (100%)
Successfully installed honeypot-captcha-0.0.3
1 gem installed

Add to your Gemfile:

gem 'honeypot-captcha'

Use form_for:

Simply specify that the form has a honeypot in the HTML options hash:

<%= form_for Comment.new, :html => { :honeypot => true } do |form| -%>
...
<% end -%>

Optional: Customize the honeypot fields:

You can override the honeypot_fields method within ApplicationController to add your own custom field names and values. For example:

def honeypot_fields
  {
    :my_custom_comment_body => 'Do not fill in this field, sucka!',
    :another_thingy => 'Really... do not fill out!'
  }
end

Then override the honeypot_string method within ApplicationController to disguise the string that will be included in the honeypot name. For example:

def honeypot_string
  'im-not-a-honeypot-at-all'
end

While honeypots in and of themselves can’t protect your form against being filled in, they can help you identify and later block malicious users.
