Detection Source Types

Reference table of all detection sources in WebDecoy.

---

Detection Sources Overview

Source	Code	Icon	Description
Decoy Link	decoy_link	Link	Hidden honeypot link was accessed
Endpoint	endpoint	API	API honeypot received a request
Detection Script	bot_scanner	Robot	JavaScript scanner detected automation
LLM Referral	llm_referral	Link	Visitor arrived from an AI platform (ChatGPT, Perplexity, etc.)
WordPress Plugin	wordpress_plugin	Document	WordPress plugin server-side detection
SDK	sdk	Tool	Server-side SDK submitted detection

---

Decoy Link (decoy_link)

Description

Detections from hidden honeypot URLs that legitimate users cannot see or access.

Typical Data

Field	Example
URL	/admin/backup.zip
Method	GET
Trigger Action	Log, Block, Poison, Redirect
Click Count	Incremented on each access

Common Scenarios

• Bot crawling hidden links
• Scanner probing common admin paths
• Attacker following disallowed robots.txt paths

MITRE Mapping

Usually mapped to:

• TA0043 (Reconnaissance)
• TA0001 (Initial Access)

---

Endpoint (endpoint)

Description

Detections from fake API endpoints that capture detailed request information including POST bodies.

Typical Data

Field	Example
URL	/api/v1/admin/users
Method	POST, PUT, DELETE, PATCH
Body	Captured request body
Content-Type	application/json
Attack Signatures	SQL injection, XSS, etc.

Endpoint-Specific Fields

Field	Description
request_body	Captured POST/PUT body content
body_size	Size in bytes
content_type	Content-Type header value
has_auth_header	Whether Authorization header present
attack_signatures	Array of detected attack patterns

Common Scenarios

• API vulnerability scanning
• SQL injection attempts
• Authentication bypass attempts
• Data exfiltration probing

MITRE Mapping

Usually mapped to:

• TA0001 (Initial Access) - for exploit attempts
• TA0006 (Credential Access) - for auth attacks
• TA0007 (Discovery) - for enumeration

---

Detection Script (bot_scanner)

Description

Detections from the JavaScript-based scanner running in visitors’ browsers.

Typical Data

Field	Example
Detection Type	Headless browser, WebDriver
Bot Score	0-100
Signals	Array of detected anomalies
Browser Fingerprint	Hash of browser characteristics

Scanner-Specific Fields

Field	Description
webdriver_detected	WebDriver API present
headless_detected	Running in headless mode
automation_markers	Puppeteer, Playwright traces
fingerprint_hash	Browser fingerprint
behavioral_score	Behavior analysis score

Detection Signals

Signal	Indicates
webdriver	Selenium/WebDriver automation
headless_chrome	Chrome running headless
puppeteer	Puppeteer automation
playwright	Playwright automation
phantom_js	PhantomJS browser
missing_plugins	No browser plugins (headless indicator)
canvas_anomaly	Unusual canvas fingerprint
webgl_anomaly	Graphics rendering inconsistency
chromedriver_cdc	ChromeDriver cdc_ properties detected
selenium_evaluate	Selenium evaluation artifacts
selenium_unwrapped	Selenium unwrapped objects
firefox_driver	Firefox WebDriver artifacts
puppeteer_eval	Puppeteer evaluation script markers
cdp_script_injection	CDP Runtime.evaluate injection
webdriver_getter_modified	Modified navigator.webdriver getter

Fingerprint Integrity Flags (Pro)

These advanced signals detect stealth plugins and anti-fingerprinting tools:

Signal	Indicates
lie_tampering	Stealth plugin detected (native functions modified)
lie_modified_*	Specific function with modified toString()
lie_webdriver_getter_tampered	WebDriver getter property descriptor modified
lie_webdriver_getter_modified	WebDriver getter toString is not native
lie_toString_tampered	Function.prototype.toString modified
lie_bind_tampered	Function.prototype.bind modified
lie_plugins_spoofed	navigator.plugins object type mismatch
lie_getOwnPropertyDescriptor_tampered	Core Object method modified
lie_defineProperty_tampered	Core Object method modified
lie_chrome_runtime_spoofed	Fake chrome.runtime in non-Chrome browser
worker_mismatch	Main thread/Web Worker navigator mismatch
worker_mismatch_platform	Platform differs between main/worker
worker_mismatch_userAgent	User agent differs between main/worker
worker_mismatch_hardwareConcurrency	CPU cores differ between main/worker
worker_mismatch_language	Language differs between main/worker
canvas_pixel_noise	Anti-fingerprinting noise in canvas output
canvas_text_metrics_anomaly	Text metrics inconsistent across fonts

Common Scenarios

• Headless browser scraping
• Automated testing tools on production
• Bot networks using browser automation

MITRE Mapping

Usually mapped to:

• TA0043 (Reconnaissance) - for scraping
• TA0009 (Collection) - for data theft

---

WordPress Plugin (wordpress_plugin)

Description

Detections from the WebDecoy WordPress plugin’s server-side analysis.

Typical Data

Field	Example
Detection Type	Rate limit, honeypot field, user agent
WordPress Hook	comment_form, login, registration
Plugin Version	1.3.x

Plugin-Specific Fields

Field	Description
hook_triggered	Which WordPress hook caught this
honeypot_filled	Hidden form field was filled
rate_limited	Request exceeded rate limit
form_type	comment, login, registration
woocommerce_context	Cart, checkout, etc.

Detection Contexts

Context	Description
comment_form	Comment submission
login	Login attempt
registration	User registration
checkout	WooCommerce checkout
general	General request analysis

Common Scenarios

• Comment spam bots
• Login brute force attacks
• Registration spam
• Card testing on WooCommerce

MITRE Mapping

Usually mapped to:

• TA0006 (Credential Access) - for login attacks
• TA0001 (Initial Access) - for form exploits

---

SDK (sdk)

Description

Detections submitted programmatically via the Node.js or PHP SDK.

Typical Data

Field	Example
SDK Version	1.0.0
Framework	Express, Next.js, etc.
Custom Fields	Developer-defined metadata

SDK-Specific Fields

Field	Description
sdk_version	Version of SDK used
framework	Web framework (if applicable)
custom_metadata	Developer-added fields
submission_timestamp	When SDK submitted

Common Scenarios

• Custom server-side bot detection
• Middleware-based protection
• API gateway integration
• Custom threat analysis

MITRE Mapping

Depends on detection context. Typically:

• TA0043 (Reconnaissance)
• TA0001 (Initial Access)

---

LLM Referral (llm_referral)

Description

Detections from the client-side detection script when a visitor arrives from an AI platform. These represent human visitors who clicked a link shared by an AI chatbot (e.g., ChatGPT, Perplexity, Claude).

Typical Data

Field	Example
Score	0 (always)
Referrer	https://chatgpt.com/c/abc123
LLM Platform	ChatGPT, Perplexity, Claude, etc.
Page URL	The landing page URL

Tracked Platforms

Platform	Domains
ChatGPT	chat.openai.com, chatgpt.com
Perplexity	perplexity.ai, www.perplexity.ai
Google Gemini	gemini.google.com
Claude	claude.ai
DeepSeek	deepseek.com, www.deepseek.com, chat.deepseek.com
Microsoft Copilot	copilot.microsoft.com
You.com	you.com, www.you.com
Phind	phind.com, www.phind.com
Kagi	kagi.com, www.kagi.com
Meta AI	meta.ai, www.meta.ai
Grok	grok.com, www.grok.com

Common Scenarios

• User asks ChatGPT a question, ChatGPT links to your site, user clicks the link
• Perplexity search results include your page as a source
• AI assistant recommends your product/service with a link

Key Difference from Other Sources

LLM referral detections are not threats. They have a score of 0 and are used for analytics purposes — understanding how AI platforms drive traffic to your site.

---

Source Comparison Table

Source	Server-Side	Client-Side	Body Capture	Attack Signatures
decoy_link	Yes	No	No	Basic
endpoint	Yes	No	Yes	Full
bot_scanner	No	Yes	No	Automation
llm_referral	No	Yes	No	None
wordpress_plugin	Yes	Yes	Limited	Full
sdk	Yes	No	Custom	Custom

---

Filtering by Source

In the Dashboard

1. Go to Detections
2. Click Filters
3. Select Source filter
4. Check desired sources

Via API

GET /api/organizations/{org_id}/detections?source=endpoint

Multiple sources:

GET /api/organizations/{org_id}/detections?source=endpoint,bot_scanner