feat: implement candidate security honeypots and redesign authenticated layout

2026-05-08 11:13:29 +02:00
parent d076fd7d7a
commit 29c274b23b
18 changed files with 789 additions and 200 deletions
--- a/app/Http/Controllers/Api/CandidateHoneypotController.php
+++ b/app/Http/Controllers/Api/CandidateHoneypotController.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+
+class CandidateHoneypotController extends Controller
+{
+    public function logDirectoryTraversal(Request $request)
+    {
+        $this->logSecurityAlert('directory_traversal', $request);
+        
+        // Fausse réponse pour faire croire que le serveur est vulnérable
+        return response(
+            "<html><body><h1>Index of /documents/private</h1><ul><li><a href='../'>../</a></li><li><a href='reponses_tests_2026.pdf'>reponses_tests_2026.pdf</a></li><li><a href='backup_db.sql'>backup_db.sql</a></li></ul></body></html>", 
+            200
+        )->header('Content-Type', 'text/html');
+    }
+
+    public function logMassAssignment(Request $request)
+    {
+        $this->logSecurityAlert('mass_assignment', $request);
+
+        // Faire croire que l'opération a réussi mais renvoyer une erreur 403 discrètement
+        return response()->json([
+            'status' => 'success',
+            'message' => 'Profil mis à jour.',
+            'debug' => 'Attempt logged.'
+        ], 403);
+    }
+
+    public function downloadFakeFile(Request $request, $filename)
+    {
+        $this->logSecurityAlert('file_exfiltration', $request, ['filename' => $filename]);
+
+        // Faux contenu
+        $content = "Ceci est un honeypot de sécurité. Votre action a été journalisée.";
+        return response($content, 200)
+            ->header('Content-Type', 'text/plain')
+            ->header('Content-Disposition', 'attachment; filename="' . $filename . '"');
+    }
+
+    private function logSecurityAlert(string $type, Request $request, array $extraPayload = [])
+    {
+        \App\Models\SecurityAlert::create([
+            'user_id' => auth()->id(),
+            'type' => $type,
+            'endpoint' => $request->path(),
+            'payload' => array_merge($request->all(), $extraPayload),
+            'ip_address' => $request->ip(),
+            'user_agent' => $request->userAgent(),
+        ]);
+    }
+}