API Honeypots

Endpoint Decoys

Simulated APIs that capture attacker interactions. Support for all HTTP methods, request body capture, and automatic attack pattern detection.

Captured Attack Request
POST /api/v1/users/login HTTP/1.1
Content-Type: application/json

{
  "username": "admin' OR '1'='1",
  "password": "' UNION SELECT * FROM--"
}

// WebDecoy Detection:
{
  "signatures": ["sql_injection"],
  "score_impact": "+35",
  "method": "POST",
  "body_captured": true
}

Attack Signatures Detected

Endpoint decoys automatically identify attack patterns and increase the threat score accordingly.

Signature             Score impact    Pattern
SQL Injection         +30-40          SELECT, UNION, DROP statements in parameters
Command Injection     +35-45          Shell commands, pipes, backticks in input
XXE Attacks           +30-40          XML external entity injection attempts
Path Traversal        +20-30          ../ sequences and encoded variants
XSS Attempts          +25-35          Script tags and event handlers in input
NoSQL Injection       +25-35          MongoDB operators and JSON injection

Endpoint Features

Multiple HTTP Methods

Unlike link decoys, endpoints support GET, POST, PUT, DELETE, and PATCH methods simultaneously.

Request Body Capture

Full request body storage when enabled. Capture exactly what attackers are sending.

Attack Pattern Detection

Automatic identification of SQL injection, XSS, command injection, path traversal, XXE, LDAP injection, and NoSQL injection.

Custom Responses

Configure response codes, bodies, and headers. Return believable fake data to keep attackers engaged.

Content-Type Handling

Set expected content types: JSON, XML, form data, and more. Match your real API patterns.

Detection Metrics

Track request volume, unique IPs, attack type distribution, and HTTP method usage.

Strategic Placement

Common Target Paths

Deploy endpoints at paths attackers commonly probe. These don't exist in your real application, so only malicious traffic triggers them.

Path                    What it catches
/api/auth/login         Credential stuffing detection
/api/admin/*            Admin route enumeration
/graphql                GraphQL introspection probes
/api/debug/vars         Debug endpoint access
/.env                   Environment file exposure
/api/internal/config    Internal config access

Endpoint Configuration
{
  "name": "Admin API Trap",
  "domain": "api.yourdomain.com",
  "path": "/api/admin/users",
  "methods": ["GET", "POST", "PUT", "DELETE"],
  "capture_body": true,
  "expected_content_type": "application/json",
  "response": {
    "status": 401,
    "body": {"error": "Unauthorized"},
    "headers": {
      "Content-Type": "application/json"
    }
  }
}
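An added example, not WebDecoy's own code, of how a decoy handler could apply this configuration together with the signature table above: it matches the request against the configured path and methods, captures the body, and emits a detection record in the same shape as the captured attack request at the top of the page. It generalizes that single SQL injection capture to all six signature classes; the regex rules, the midpoint score weights and the detect/handle_request names are assumptions.

```python
import json
import re

# Signature table from this page; score = midpoint of each range (an assumption).
SIGNATURES = {
    "sql_injection": (r"\bunion\b[\s/*]+\bselect\b|\bdrop\s+table\b|'\s*(or|and)\s*'", 35),
    "command_injection": (r"(;|\||&&|\$\(|`)\s*(cat|ls|id|whoami|wget|curl|sh|bash)\b", 40),
    "xxe": (r"<!DOCTYPE[^>]*\[|<!ENTITY\s", 35),
    "path_traversal": (r"\.\./|\.\.\\|%2e%2e(%2f|/|%5c)", 25),
    "xss": (r"<\s*script\b|\bon(load|error|click|mouseover)\s*=|javascript\s*:", 30),
    "nosql_injection": (r"\$(gt|gte|lt|lte|ne|in|nin|regex|where|exists)\b", 30),
}
PATTERNS = {k: (re.compile(rx, re.I), score) for k, (rx, score) in SIGNATURES.items()}

# The endpoint configuration shown above, as a Python dict.
DECOY = {
    "name": "Admin API Trap",
    "domain": "api.yourdomain.com",
    "path": "/api/admin/users",
    "methods": ["GET", "POST", "PUT", "DELETE"],
    "capture_body": True,
    "expected_content_type": "application/json",
    "response": {"status": 401, "body": {"error": "Unauthorized"},
                 "headers": {"Content-Type": "application/json"}},
}

def detect(method, body):
    """Classify a captured body; same shape as the detection record above."""
    hits = [name for name, (pat, _) in PATTERNS.items() if pat.search(body)]
    score = sum(PATTERNS[name][1] for name in hits)
    return {"signatures": hits, "score_impact": f"+{score}",
            "method": method, "body_captured": bool(body)}

def handle_request(config, method, path, body):
    """Serve one decoy request: (status, body, detection), or None if not ours."""
    if path != config["path"] or method not in config["methods"]:
        return None  # not this decoy; let the real application answer
    captured = body if config.get("capture_body") else ""
    resp = config["response"]
    return resp["status"], json.dumps(resp["body"]), detect(method, captured)

# Constructed sample: the injection body from this page, sent to the decoy path.
SAMPLE_BODY = '{"username": "admin\' OR \'1\'=\'1", "password": "\' UNION SELECT * FROM--"}'

if __name__ == "__main__":
    print(json.dumps(handle_request(DECOY, "POST", "/api/admin/users", SAMPLE_BODY)))
```

Because the decoy path never exists in the real API, every record the handler emits can be treated as a confirmed probe; the signature list only decides how much the threat score rises.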

Deployment Strategies

Three approaches to maximize endpoint effectiveness.

Mirror Real Endpoints

Create decoys that look like your actual API structure. Attackers probing your API will hit both real and fake endpoints.

Known Vulnerability Targets

Deploy endpoints at paths commonly targeted by automated scanners: /.env, /debug, /admin, /graphql introspection.

Undocumented "Internal" APIs

Create fake internal endpoints alongside your public documentation. Only attackers fuzzing for hidden APIs will find them.

Endpoints vs Decoy Links

Use both for comprehensive coverage.

Decoy Links

  • GET requests only
  • Best for catching crawlers and scrapers
  • Deploy via hidden HTML, robots.txt
  • Simple trigger actions

Endpoint Decoys

  • All HTTP methods (GET, POST, PUT, DELETE, PATCH)
  • Best for catching API attacks
  • Request body capture and analysis
  • Automatic attack signature detection

API Honeypot Use Cases

Endpoint decoys protect against the most common API attack vectors.

Credential Stuffing Detection

Deploy fake login endpoints that capture username/password combinations attackers are testing. Every login attempt to a honeypot is a confirmed attack.

Injection Attack Capture

Automatically detect SQL injection, command injection, and NoSQL injection payloads in request bodies. Full forensic data for security analysis.

API Enumeration Detection

Catch attackers probing for hidden endpoints, admin panels, and internal APIs. Any access to undocumented endpoints reveals reconnaissance activity.

Frequently Asked Questions

Common questions about API honeypots and endpoint security.

What is an API honeypot and how does it protect my application?

An API honeypot (or endpoint decoy) is a fake API endpoint that mimics real authentication, admin, or data endpoints. Legitimate applications never access these endpoints because they do not exist in your real API. Any request to a honeypot endpoint is definitively malicious, enabling detection of attackers probing your API surface with zero false positives.

What types of attacks can endpoint decoys detect?

Endpoint decoys automatically detect SQL injection, command injection, XSS attempts, XML External Entity (XXE) attacks, path traversal, NoSQL injection, and LDAP injection. Each attack signature adds points to the threat score, and the full request body is captured for forensic analysis.

How do endpoint decoys differ from regular honeypot links?

While honeypot links only catch GET requests from crawlers, endpoint decoys support all HTTP methods (GET, POST, PUT, DELETE, PATCH) and capture full request bodies. This makes them ideal for detecting API attacks, credential stuffing, and injection attempts rather than just web scraping.

Where should I deploy API honeypot endpoints?

Deploy endpoint decoys at paths commonly targeted by attackers: authentication routes like /api/login, admin endpoints like /api/admin/users, debug paths like /api/debug, internal APIs like /api/internal/config, and environment files like /.env. These paths exist on many real applications, so attackers routinely probe them.

Can endpoint decoys capture and analyze POST request bodies?

Yes, endpoint decoys fully capture request bodies when enabled. This includes JSON payloads, form data, and XML content. The captured data is analyzed for attack patterns in real-time, allowing you to see exactly what attackers are sending to your fake endpoints.

Ready to deploy API honeypots?

Catch credential stuffing and injection attacks with fake endpoints. Full request body capture included.
