The attack abusing web application vulnerabilities are currently classified into traditional attack threats. However, security breaches by web application attacks are still reported via mass media. Although the vulnerabilities in popular products such as Microsoft IIS or Apache are quickly discovered by security researchers around the world, it is hard to identify the vulnerabilities in customized web applications developed by each organization. On top of that, in the case of large corporations, it is hard to manage all web applications since their business domains are diversified, and each division has various web applications. In this paper, we propose web application deception proxy as a defense approach, and we show that it is very helpful to prevent and detect web application attacks.