<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
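class CandidateHoneypotController extends Controller
{
    /** Longest string value kept in a stored payload; stops an attacker stuffing the alerts table. */
    private const MAX_PAYLOAD_VALUE_LENGTH = 2048;

    /** Input keys whose values are masked before storage (a real user may hit these decoys by mistake). */
    private const REDACTED_KEYS = ['password', 'password_confirmation', 'current_password'];

    /**
     * Decoy for directory-traversal probes: records the alert, then returns a
     * fake directory listing so the caller believes the server is vulnerable.
     *
     * The file names in the listing are bait only; nothing behind them is served
     * by this controller.
     */
    public function logDirectoryTraversal(Request $request): \Illuminate\Http\Response
    {
        $this->logSecurityAlert('directory_traversal', $request);

        // Fake listing to make the server look vulnerable.
        $listing = "<html><body><h1>Index of /documents/private</h1><ul><li><a href='../'>../</a></li><li><a href='reponses_tests_2026.pdf'>reponses_tests_2026.pdf</a></li><li><a href='backup_db.sql'>backup_db.sql</a></li></ul></body></html>";

        return response($listing, 200)->header('Content-Type', 'text/html');
    }

    /**
     * Decoy for mass-assignment probes: records the alert and answers with a
     * "success" body under a 403 status. The body/status mismatch is deliberate.
     * Note that the `debug` field openly tells the caller the attempt was
     * logged, so this endpoint does not try to hide that it is a honeypot.
     */
    public function logMassAssignment(Request $request): \Illuminate\Http\JsonResponse
    {
        $this->logSecurityAlert('mass_assignment', $request);

        // Pretend the operation succeeded while quietly returning a 403.
        return response()->json([
            'status' => 'success',
            'message' => 'Profil mis à jour.',
            'debug' => 'Attempt logged.',
        ], 403);
    }

    /**
     * Decoy for file-exfiltration probes: records the alert (including the
     * requested name) and serves a plain-text placeholder as an attachment.
     *
     * @param mixed $filename route parameter; attacker-controlled, so it is
     *                        sanitised before being placed in a response header
     */
    public function downloadFakeFile(Request $request, $filename): \Illuminate\Http\Response
    {
        $this->logSecurityAlert('file_exfiltration', $request, ['filename' => $filename]);

        // Fake content.
        $content = "Ceci est un honeypot de sécurité. Votre action a été journalisée.";

        // The raw route parameter used to be interpolated into a quoted header
        // value; a `"`, `;`, `\` or control character in it could break out of
        // the filename parameter. Only a conservative character set is kept.
        $safeName = $this->safeAttachmentName((string) $filename);

        return response($content, 200)
            ->header('Content-Type', 'text/plain')
            ->header('Content-Disposition', 'attachment; filename="' . $safeName . '"');
    }

    /**
     * Reduce an attacker-supplied name to something safe inside a quoted
     * Content-Disposition parameter: path components dropped, every character
     * outside [A-Za-z0-9._-] replaced with `_`, leading/trailing dots removed,
     * length capped, and a fixed fallback when nothing usable is left.
     * Non-ASCII names are mangled on purpose; this is a decoy, not a real file.
     */
    private function safeAttachmentName(string $filename): string
    {
        $base = basename(str_replace('\\', '/', $filename));
        $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? '';
        $clean = trim($clean, '.');

        if ($clean === '') {
            return 'download.txt';
        }

        // ASCII-only at this point, so a byte-wise cut is safe.
        return substr($clean, 0, 200);
    }

    /**
     * Persist a SecurityAlert row for this request.
     *
     * The stored payload is the request input merged with $extraPayload (extra
     * keys win), with credential-like keys masked and oversized string values
     * truncated. A storage failure is reported rather than propagated: an
     * exception here would turn the decoy into an error page (possibly with a
     * stack trace) and reveal the honeypot.
     *
     * @param array<string, mixed> $extraPayload
     */
    private function logSecurityAlert(string $type, Request $request, array $extraPayload = []): void
    {
        $payload = $this->sanitisePayload(array_merge($request->all(), $extraPayload));

        try {
            \App\Models\SecurityAlert::create([
                'user_id' => auth()->id(),
                'type' => $type,
                'endpoint' => $request->path(),
                'payload' => $payload,
                'ip_address' => $request->ip(),
                'user_agent' => $request->userAgent(),
            ]);
        } catch (\Throwable $e) {
            // Hand the failure to the application's exception handler but keep
            // serving the decoy response.
            report($e);
        }
    }

    /**
     * Mask credential-like keys and truncate long string values, recursively.
     * Non-string, non-array values (e.g. uploaded-file objects) pass through
     * untouched, as they did before.
     *
     * @param array<mixed> $input
     * @return array<mixed>
     */
    private function sanitisePayload(array $input): array
    {
        $out = [];

        foreach ($input as $key => $value) {
            if (is_string($key) && in_array(strtolower($key), self::REDACTED_KEYS, true)) {
                $out[$key] = '[redacted]';
            } elseif (is_array($value)) {
                $out[$key] = $this->sanitisePayload($value);
            } elseif (is_string($value) && strlen($value) > self::MAX_PAYLOAD_VALUE_LENGTH) {
                // mb_strcut cuts on a byte budget without splitting a UTF-8 sequence.
                $out[$key] = mb_strcut($value, 0, self::MAX_PAYLOAD_VALUE_LENGTH) . '...[truncated]';
            } else {
                $out[$key] = $value;
            }
        }

        return $out;
    }
}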