An experiment inspired by Bing/Google
Posted by jeremy on April 13th, 2011
A few months ago, Google created a honeypot trap for their competitor. While that’s not quite what I’m doing, I would be wrong not to recognize Google’s efforts as an inspiration in this.
I migrated brown(e)learning to a hosting company’s server last month. Buried somewhere in the sign-up form was an offer for an additional service that supposedly would scan the site for vulnerabilities. If none are found, the firm behind the service would allow me to display their badge on my site. I didn’t want the service, didn’t even notice that I had signed up for it, but now I’m getting semi-daily emails letting me know 1) there are no vulnerabilities on my site, 2) how I can complete the registration process, and 3) how to display their badge on my site.
So, I’ve had enough. I created a page that contains an obvious SQL injection vulnerability. I’ll link to it from several of the pages on my site to make sure the scanning service can see it, and then determine the legitimacy of the service based on whether they notice it.
BTW, the MySQL user for that page only has SELECT privileges to an otherwise unused database, so you can’t do this…

Oh, and that page can be found at: http://brownelearning.org/test/vulnerable.php…
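The test page itself is not reproduced in the post, so here is an added example (my code, not the page at brownelearning.org) of the two points the post relies on: a query built by string concatenation behaves differently on hostile input than a parameterized one, and a SELECT-only account contains the damage even when the query is vulnerable. It uses an in-memory SQLite database with constructed sample rows in place of MySQL; the `PRAGMA query_only` setting stands in for a MySQL user granted only SELECT, which is an assumption of this example rather than anything the post describes.

```python
import sqlite3

# Constructed sample data; not the author's database.
ROWS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Fresh in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def restrict_to_select(conn):
    """Approximate a SELECT-only database account.

    SQLite has no per-user grants, so this uses the query_only pragma,
    which makes any write statement fail on this connection.
    """
    conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: untrusted input is spliced into the SQL text,
    # so quote characters in the input become SQL syntax.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened pattern: parameter binding. The driver sends the input
    # as a value, never as part of the statement, so it cannot change
    # the query's structure.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def can_write(conn):
    """True if this connection is allowed to modify data."""
    try:
        conn.execute("INSERT INTO users VALUES ('mallory', 'm@example.org')")
        return True
    except sqlite3.OperationalError:
        # query_only connections raise here, like a SELECT-only user would.
        return False


def demo():
    """Run both lookups on benign and hostile input and return the rows."""
    conn = make_db()
    benign = "alice"
    hostile = "nobody' OR '1'='1"  # classic textbook input, constructed
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),  # returns every row
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),      # returns nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
    print("writable (full account):", can_write(make_db()))
    print("writable (select-only):", can_write(restrict_to_select(make_db())))
```

A scanner that flags `lookup_unsafe` but not `lookup_safe` is doing its job; the `can_write` check is the same argument the post makes about the MySQL user, namely that privilege on the database account, not just the query, decides what a found injection can actually do.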
