by munin 5448 days ago
be careful with anything that "attacks back", the legality of that is still being phrased.

yes, i know that it doesn't "really" "attack back" but when you phrase it that way you're going to raise some hackles.

1 comments

"Attacking back" with shock images may be genuinely legally problematic, given the untested new Tennessee law on the subject. http://arstechnica.com/tech-policy/news/2011/06/tenn-law-ban... . Using the included nimp payload is even more legally problematic since it actually does redirect the user to a site that contains malicious code.

I think this project, much like all "offensive security" projects, is fundamentally misguided. At best, this project loudly alerts the hacker every time an attack is detected, providing an easy way to black-box test the service's attack detection criteria. At worst, it provides an easy way for jerks to goatse, Last Measure, etc. third parties using the webmaster's site. While I understand the kind of spiteful thrill that would come from redirecting a (maybe not) attacker to a shocking image, quietly stopping and logging the attack is always the best option.

Don't enable any payloads besides blacklisting then. Problem solved.