I am a big fan of cheating when it comes to security. Giving wrong answers to questions may be misleading and will send attackers in the wrong direction. This costs them time and, at the same time, raises the risk of being caught red-handed.
If someone attacks a website, he has to be discreet and fast. Discreet so as not to get trapped, fast to be long gone in case the owner learns about the attack. So getting misleading information makes things riskier for an attacker.
Sometimes we want to hide information from some or all of the users. This might be done using a simple responder policy.
The action for that kind of policy could be something like a drop, a reset, or “respond with …”. While both drop and reset give clear information to the hacker (“the owner does not want you to see the content”), a “respond with 404 Not Found” would be misleading, as long as it looks like a “real” 404.
Of course you could use any other 4xx status code, like 402 Payment Required (together with a request for money) or even 418 I’m a teapot, but that would not hide the structure of the website; it would merely expose some details about your sense of humour.
So, a 404 seems to be a perfect reply!
Get the real 404
There is no point in cheating if you don’t do it really well. So it has to look like a real 404, and if it does not, it’s just a waste of time. So, why not use the real 404? I have written a guide on how to do this, but that one was too complex, even though it is even better: the page really comes from the “real” web server, and all headers are exactly the right ones. The method described here is a bit simpler, a bit less advanced.
So we have to download the real 404 page first.
Let’s say my web server is myserver.local. So I will browse to https://myserver.local/File_does_not_exist.html. As the file does not exist, the server will respond with its original 404 page. I will download it (save as HTML page). We don’t need to store pictures; they are on the server and the client will be able to request all of them at any time.
Responder action: Respond with …
Next, I open the GUI of my Citrix ADC (NetScaler) and go to App Expert → Responder → HTTP Page Imports to import this file.
The responder action
That’s what the responder action looks like:
add responder action res_act_respond_with_404 respondwithhtmlpage 404-page -responseStatusCode 404
We could specify some headers as well. If you do, be careful to use exactly the same headers as the original page does. It has to mimic the original page!
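To check that the fake really does mimic the original, here is an added example (not from this post and not Citrix code) that fetches the server’s own 404 and the responder’s 404 and lists every difference in status, headers and body. The header names it ignores and the sample responses at the bottom are constructed assumptions, not values taken from any real server.

```python
"""Compare a server's real 404 with the responder's fake 404.

Added example, not from the original post. Assumes you can reach both the
origin's own 404 (a path that does not exist) and a path the responder
policy answers. Sample data below is constructed for an offline run.
"""
from urllib.error import HTTPError
from urllib.request import urlopen

# Headers whose values legitimately differ from request to request
# (constructed list; extend it for your own server).
VOLATILE = {"date", "set-cookie", "x-request-id"}


def fetch(url, timeout=10):
    """Return (status, {lower-case header: value}, body), even for 4xx."""
    try:
        with urlopen(url, timeout=timeout) as r:
            return r.status, {k.lower(): v for k, v in r.getheaders()}, r.read()
    except HTTPError as e:  # urllib raises on 4xx/5xx; the response is still there
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()


def compare(real, fake, ignore=VOLATILE):
    """List every way the fake response gives itself away (empty = identical)."""
    problems = []
    r_status, r_hdr, r_body = real
    f_status, f_hdr, f_body = fake
    if r_status != f_status:
        problems.append(f"status: real={r_status} fake={f_status}")
    for name in sorted((set(r_hdr) | set(f_hdr)) - ignore):
        if name not in f_hdr:
            problems.append(f"missing header: {name}")
        elif name not in r_hdr:
            problems.append(f"extra header: {name}")
        elif r_hdr[name] != f_hdr[name]:
            problems.append(f"header {name}: real={r_hdr[name]!r} fake={f_hdr[name]!r}")
    if r_body != f_body:
        problems.append(f"body differs ({len(r_body)} vs {len(f_body)} bytes)")
    return problems


# Constructed sample responses: same body, but the fake lacks the Server
# header and uses a different Content-Type.
BODY = b"<html><body><h1>Not Found</h1></body></html>"
REAL = (404, {"server": "Apache/2.4", "content-type": "text/html; charset=iso-8859-1",
              "content-length": str(len(BODY)), "date": "Mon, 01 Jan 2024 00:00:00 GMT"}, BODY)
FAKE = (404, {"content-type": "text/html", "content-length": str(len(BODY)),
              "date": "Mon, 01 Jan 2024 00:00:01 GMT"}, BODY)

if __name__ == "__main__":
    import sys
    # usage: python compare404.py https://host/File_does_not_exist.html https://host/hidden/
    real, fake = (fetch(u) for u in sys.argv[1:3]) if len(sys.argv) == 3 else (REAL, FAKE)
    print("\n".join(compare(real, fake)) or "no differences found")
```

Run it with the two URLs as arguments; with none it compares the constructed sample pair and reports the missing Server header and the Content-Type mismatch.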
I hope that helps! As always, feedback is highly welcome; any kind of corrections, suggestions or just a “Hey, well done” is highly appreciated.