Scribd
Upload
17 views43 pages

KTLT Eng-1

Uploaded by

thatslife174
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
17 views43 pages

KTLT Eng-1

Uploaded by

thatslife174
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 43

THE GOVERNMENT CIPHER COMMITTEE

ACADEMY OF CRYPTOGRAPHY TECHNIQUES


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

COURSE REPORT
PROGRAMMING TECHNIQUES

TOPIC

PYTHON IN HTTP REQUEST PACKET ANALYSIS


AND EARLY WARNING OF INJECTION ATTACKS

Hà Nội - 2024
THE GOVERNMENT CIPHER COMMITTEE
ACADEMY OF CRYPTOGRAPHY TECHNIQUES
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

COURSE REPORT
PROGRAMMING TECHNIQUES

TOPIC
PYTHON IN HTTP REQUEST PACKET ANALYSIS
AND EARLY WARNING OF INJECTION ATTACKS

Students perform:
Nguyễn Văn Hiền – AT180416
Nguyễn Xuân Hiếu – AT180417
Bùi Đức Trung – AT180447
Nguyễn Thị Tú Uyên – AT180449

Hà Nội - 2024
TABLE OF CONTENTS
Table of figures ...................................................................................................2
Preface .................................................................................................................3
Chapter 1: Overview..........................................................................................4
1.1. Summary ......................................................................................................4
1.1.1. Project Objectives ..............................................................................4
1.1.2. Summary ............................................................................................4
1.2. Introduction to Python and the libraries used ..............................................4
1.2.1. Python ................................................................................................4
1.2.2. Advantages .........................................................................................4
1.2.3. Characteristic and Applications ........................................................5
1.2.4. Libraries used ....................................................................................6
Chapter 2: Python in HTTP Request packet analysis and early warning of
injection attacks..................................................................................................8
2.1 Overview of HTTP Request Packet .............................................................8
2.1.1 Introduction of HTTP Request Packet .....................................................8
2.1.2 Analyzing HTTP Request packets using Python ........................... 11
2.1.3 Modeling web operations based on Python .................................. 16
2.2 Analyzing and addressing injection attack vulnerabilities in OWASP .... 17
2.2.1 OWASP Top 10 .............................................................................. 17
2.2.2 The concept and principles of injection attacks and related
vulnerabilities ................................................................................ 21
2.2.3 Detecting and addressing injection attack vulnerabilities ............ 23
2.3 Early warning of injection attacks ............................................................ 29
2.3.1 Introduction to Telegram Chat Application and Integration with
Python ............................................................................................ 29
2.3.2 Early warning system development ............................................... 33
2.4 Conclusion ................................................................................................ 36
Chapter 3: Deploying system ......................................................................... 37
Conclusion ....................................................................................................... 38
Reference.......................................................................................................... 41
Appendix .......................................................................................................... 39

1
TABLE OF FIGURES

Figure 2.1: Introdution HTTP Request ................................................................. 9


Figure 2.2: Headers of HTTP Request................................................................ 10
Figure 2.3: Basic HTTP Request methods.......................................................... 11
Figure 2.4: Using of Scapy ................................................................................. 11
Figure 2.5: Scapy works with network ............................................................... 14
Figure 2.6: Searching for "BotFather" ................................................................ 31
Figure 2.7: Create a new bot ............................................................................... 32
Figure 2.8: Store tokens ...................................................................................... 32
Figure 3.1: Enter SQL query ............................................................................... 38
Figure 3.2: Result of SQL detecting ................................................................... 38
Figure 3.3: The result after 10 times ................................................................... 39
Figure 3.4: Notice sent ........................................................................................ 39
Figure 3.5: Result after block.............................................................................. 39
Figure 3.6: Blocked command ............................................................................ 40
Figure 3.7: Unblock_all command ..................................................................... 40

2
Preface

With the increasing sophistication of cyber attacks, the risks of security and
information safety have become increasingly serious for network systems.
Among the common attacks, data injection techniques such as SQL injection,
XSS (Cross-Site Scripting), and CSRF (Cross-Site Request Forgery) are
particularly concerning. These types of attacks can lead to sensitive information
disclosure, system compromise, or even data destruction, causing significant
harm to organizations and individuals.
To address these risks, detecting and preventing them has become a top
priority in the field of network security. Python, with its flexibility and power, is
becoming a popular and effective tool in network security management. Libraries
such as “requests,” “urllib,” “http.client,” and “scapy” provide developers with
powerful tools to analyze and monitor network packets. Through this,
administrators can detect suspicious strings or injection attack patterns early,
thereby providing timely warnings and coping before they cause damage.
However, it is also important to recognize that attackers continuously
evolve their methods and techniques to evade traditional security measures.
Therefore, using modern technology like Python is not only necessary but also
essential in monitoring and protecting network systems. Researching and
applying Python in HTTP packet analysis and early warning of injection attacks
not only enhances detection efficiency but also provides deeper insights and
details about network activities, helping organizations grasp and cope with threats
more effectively
Topic “Python in HTTP Request packet analysis and early warning of
injection attacks” provides a more authentic, clear view of network monitoring
and offers deeper research into Python’s role in analyzing HTTP packets and
early warning of injection attacks.

3
CHAPTER 1. OVERVIEW

1.1. Summary
1.1.1. Project Objectives
Project Objectives “Python in HTTP Request packet analysis and early
warning of injection attacks” is to model the operation of a web-based system
using Python and to address fundamental vulnerabilities outlined in the OWASP
Top 10, particularly focusing on injection attacks. This involves detecting and
mitigating such attacks, providing early warnings to administrators. Through
studying and implementing real-world examples, one can grasp the operational
methods of vulnerabilities caused by injection attacks, such as SQLi, XSS,
command injection,… In addition to prevention, the system also provides alerts
to administrators via the Telegram chat application, enabling administrators to
promptly grasp and respond to incidents.
1.1.2. Summary
1. Researching and analyzing HTTP Request packets using Python
2. Modeling web operations based on Python
3. Analyzing and addressing injection attack vulnerabilities in OWASP
4. Early warning of injection attacks
5. System demonstration with the presented tools

1.2. Introduction to Python and the libraries used


1.2.1. Python
Python is a widely used programming language in web applications,
software development, data science, and machine learning (ML). Developers
choose Python because it's efficient, easy to learn, and can run on multiple
platforms. Python software is freely downloadable, integrates well with all kinds
of systems, and accelerates development speed.
1.2.2. Advantages

 Developers can easily read and understand a Python code chapter


because the language has a basic syntax similar to English.
 Python helps improve the productivity of developers because compared
to other languages, they can use fewer lines of code to write a Python
code chapter.

4
 Python has a large standard library, containing many lines of code that
can be reused for most tasks. Therefore, developers will not need to
write code from scratch.
 Developers can easily use Python with other popular programming
languages such as Java, C, and C++.
 The Python community is actively engaged, including millions of
enthusiastic developers worldwide. If you encounter a problem, you
will be able to receive quick support from the community.
 There are many useful resources on the Internet if you want to learn
Python. For example, you can easily find videos, tutorials,
documentation, and guides for developers.
 Python can be used on many different computer operating systems,
such as Windows, macOS, Linux, and Unix..
1.2.3. Characteristic and Applications
 Characteristic
- Python is an interpreted language, meaning it runs line by line directly.
If there is an error in the code, it will stop running. Therefore,
programmers can quickly identify errors in the code.
- Python is an easy-to-use language, with syntax similar to English.
Unlike other programming languages, Python does not use curly
braces. Instead, it uses indentation.
- Python is a flexible language; as variable types can be determined at
runtime. Therefore, you can write Python code more quickly.
- Python is a high-level language, more human-readable than other
programming languages. Therefore, programmers do not need to worry
about its basic functions such as architecture and memory management.
- Python is an object-oriented programming language, treating
everything as objects, but it also supports other programming
paradigms such as functional programming and procedural
programming.
 Applications
- Developing server-side web applications, including complex backend
functions that websites perform to display information to users.
- Automation through Python scripts.
- Data science and machine learning.
- Software development.

5
- Automated software testing, checking if the actual results from the
software match the expected results to ensure that the software is bug-
free.
1.2.4. Libraries used

Ordinal
Library Role
number
Allowing users to send, sniff, analyze, and spoof
network packets. This capability enables the
1 Scapy
development of tools that can probe, scan, or attack
networks.
Providing tools for sending and receiving messages,
managing users, groups, channels, handling
multimedia, and integrating Telegram bots, offers
2 Telegram
security and authentication mechanisms, as well as a
user-friendly interface for developing Telegram
applications.
Providing tools for working with URLs, including
3 Urllib sending and receiving HTTP requests, parsing and
constructing URLs, and encoding/decoding URLs
Providing tools to create and manage subprocesses.
Programmers can use it to execute commands or
applications from outside Python, interact with
subprocesses by sending and receiving data, and
4 Subprocess
manage subprocesses by checking their status and
terminating them. This facilitates flexible integration
and interaction with external applications and
processes on the system from within your Python code
Providing tools for writing asynchronous code, aiding
in efficiently handling I/O operations and events. It
5 Asyncio allows creating and scheduling coroutines, perform
tasks concurrently without the need for multiple
threads, and offers a user-friendly interface for

6
integrating concurrent features into Python
applications
Providing powerful tools for searching, matching, and
manipulating text strings based on regular expressions.
Its main functionality includes searching and matching
strings, performing replacements and modifications of
6 Regex
text, splitting and partitioning strings, as well as
verifying and confirming formats. This aids in handling
complex text data and performing flexible and efficient
tasks for transformation and information extraction
Providing tools for working with time, including time
measurement, handling UTC and localtime, controlling
time-based loops, and processing time as tuples.
7 Time Functions like time.time() for current time, time.sleep()
for pausing program execution, and time.localtime() for
converting time into tuple format are common
functionalities of this library
Providing tools for creating and managing threads,
allowing you to perform tasks concurrently within a
program. Its main functionalities include thread
creation and management, synchronization and
workload distribution between threads, communication
8 Threading
and data sharing, and managing the lifecycle of
threads. With threading, you can write multi-threaded
programs flexibly and efficiently, although you need to
be mindful of synchronization issues and resource
managemen

7
CHAPTER 2: PYTHON IN HTTP REQUEST PACKET ANALYSIS
AND EARLY WARNING OF INJECTION ATTACKS

2.1 Overview of HTTP Request Packet

2.1.1 Introduction of HTTP Request Packet


 HTTP
HTTP (Hypertext Transfer Protocol) is a protocol for transmitting
hypertext, serving as the standard protocol for the World Wide Web (WWW) to
transmit data in the form of text, audio, images, video, from the Web Server to
the user’s web browser and vice versa.
HTTP operates on the Client (user's browser) - Server (web server) model.
Accessing websites is carried out based on communication between these two
entities. When you access a website via the HTTP protocol, the browser
establishes connections to the server of that website through the IP address
provided by the Domain Name System (DNS) resolution system. Upon receiving
the request, the server responds with corresponding commands to display the
website, including content such as text, images, videos, and audio…
During the connection and information exchange process, your browser
typically accepts the IP address from the server of the website you're accessing
without any authentication method. Information transmitted via the HTTP
protocol (including IP addresses, information entered on websites, etc.) is not
encrypted and secured. This vulnerability has been exploited by many hackers to
steal user information, commonly known as sniffing attacks.
 HTTP Request
HTTP Request is simply understood as the information sent from the client
to the server. The server's task is to locate and process the types of data and
information that the client desires. HTTP Request can exist in the form of text
files, XML, or JSON. To understand more clearly, below are some details about
the structure of HTTP Request and some commonly used methods

8
Figure 2.1: Introdution HTTP Request
 Structure of HTTP Request
HTTP Request consists of three main parts: the request line, headers, and
message body.
Request Line
This is the first line of the HTTP Request, consisting of three main
types: method, path (or URL), and HTTP version. Specifically:
- Method: There are several types, but the most common are GET
and POST. In particular, the GET method is used to request
resources provided in the URL.
- Path (URL): Identifies the requested resources by the client and
must include a "/".
- HTTP version: This is the version of HTTP being used, with the
most common being HTTP/1.0 or HTTP/1.1
Headers
The second element contributing to the formation of an HTTP Request
is the headers. Additional information is transmitted between the server
and the client, such as cookies, authorization information, user agents, etc.

9
Similar to an HTTP Request, headers are case-sensitive, and follow the
pattern of "header_name: value"

Figure 2.2: Headers of HTTP Request

Message Body
The third element mentioned is the message body. The server utilizes
the content of the message to provide necessary information to the client.
The message body contains lines of requests, information, blank lines,
headers, and content. The content element is optional. Not all requests have
content, but the POST method is often used to transmit data.
 Basic HTTP Request methods:

- GET: This method is used to retrieve data from a specific server.


- HEAD: This method has no message body and is used to evaluate the
availability of the API at the endpoint.
- POST: This method is quite common and is used to send information to
the server, updating resources. Information stored in the body of the HTTP
Request will be utilized.
- PUT: Resources are updated and transmitted; however, PUT requests are
not fixed, and the outcome remains unchanged even if you send multiple
PUT requests.
- DELETE: Users can delete a specific resource on the server.
- PATCH: PATCH updates information from the server, often used to apply
partial fixes.

10
- TRACE: The TRACE method is used to check for loopback along the path
of the destination resource, commonly used for debugging tests and
diagnostic operations on APIs.
- CONNECT: CONNECT is used to establish a connection to the server via
HTTP and a URL parameter.

Figure 2.3: Basic HTTP Request methods

2.1.2 Analyzing HTTP Request packets using Python


The Scapy library in Python can be used to analyze HTTP Request packets
 Scapy library
Scapy is a Python program that enables the user to send, sniff, dissect and
forge network packets. This capability allows construction of tools that can probe,
scan or attack networks.
In other words, Scapy is a powerful interactive packet manipulation
program. It is able to forge or decode packets of a wide number of protocols, send
them on the wire, capture them, match requests and replies, and much more.
Scapy can easily handle most classical tasks like scanning, tracerouting, probing,

Figure 2.4: Using of Scapy

11
unit tests, attacks or network discovery. It can replace hping, arpspoof, arp-sk,
arping, p0f and even some parts of Nmap, tcpdump, and tshark.

Scapy also performs very well on a lot of other specific tasks that most
other tools can’t handle, like sending invalid frames, injecting your own 802.11
frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP
decoding on WEP encrypted channel, …), etc.
The idea is simple. Scapy mainly does two things: sending packets and
receiving answers. User define a set of packets, it sends them, receives answers,
matches requests with answers and returns a list of packet couples (request,
answer) and a list of unmatched packets. This has the big advantage over tools
like Nmap or hping that an answer is not reduced to open, closed, or filtered, but
is the whole packet.
 What makes Scapy so special
First, with most other networking tools, user won’t build something the
author didn’t imagine. These tools have been built for a specific goal and can’t
deviate much from it. For example, an ARP cache poisoning program won’t allow
using double 802.1q encapsulation. Or try to find a program that can send, say,
an ICMP packet with padding. In fact, user have to build new tools to meet
emerging needs.
Secondly, there is often a confusion between decoding and interpreting in
other network tools. Computers excel at decoding and can assist humans in this
task, but interpreting is best left to humans. Some tools attempt to mimic human
behavior by providing interpretations like "this port is open" instead of simply
stating "a SYN-ACK was received". While this may be helpful for beginners,
experienced users often have to deduce what actually happened from the tool's
interpretation, resulting in information loss. In such cases, users often resort to
tools like tcpdump -xX to decode and interpret missed information.
Thirdly, even programs which only decode often fail to provide users with
all the received information. They typically offer a limited view of the network

12
based on what the author deems sufficient. This can lead to bias. For example, it's
rare to find a tool that reports on the Ethernet padding.
Scapy attempts to address these issues by providing users with the
flexibility to construct packets exactly as desired. Even if certain packet structures
may seem unreasonable to some, Scapy allows for that flexibility. With Scapy's
model, users are free to assign any value to any field and arrange them as they
see fit. In essence, it's like building a new tool every time, but with just a few
lines of Scapy code.
After a probe (scan, traceroute, etc.) Scapy always provides users with fully
decoded packets from the previous scan before any interpretation takes place.
This allows users to scan once and interpret multiple times. For example, users
can request a traceroute and examine the padding.
Fast packet design
Other tools often operate in a "command-line" manner. This leads to
complex syntax for describing packets. To address this issue, these tools use
scripts created by the author. For example, you might just need to provide an IP
address to scan ports with a tool. However, even with slight script modifications,
you still have to follow the port scanning process.
Scapy's approach is to propose a Domain Specific Language (DSL) for the
powerful and quick description of any type of packet. Using Python syntax and a
Python interpreter as the syntax and DSL interpreter has several advantages:
there's no need to write a separate interpreter, users don't need to learn a new
language, and they benefit from a complete, concise, and powerful language.
Scapy allows users to describe a packet or a set of packets like stacked
layers. The fields of each layer have useful default values that can be overloaded.
Scapy doesn't force users to use fixed methods or patterns. This helps reduce the
need to write a new tool every time a different script is needed. In C, it might take
around 60 lines to describe a packet. With Scapy, packets to be sent can be
described in just one line, with another line to print the result. 90% of network
scanning tools can be rewritten in 2 lines of Scapy code.
Probe once, interpret many
Network discovery is blackbox testing. When probing a network, many
stimuli are sent, while only a few of them are answered. If the right stimuli are

13
chosen, the desired information may be obtained by the responses or the lack of
responses. Unlike many tools, Scapy gives all the information, i.e. all the stimuli
sent and all the responses received. Examination of this data will give the user the
desired information. When the dataset is small, the user can just dig for it. In other
cases, the interpretation of the data will depend on the point of view taken. Most
tools choose the viewpoint and discard all the data not related to that point of
view. Because Scapy gives the complete raw data, that data may be used many
times allowing the viewpoint to evolve during analysis. For example, a TCP port
scan may be probed and the data visualized as the result of the port scan. The data
could then also be visualized with respect to the TTL of the response packet. A
new probe need not be initiated to adjust the viewpoint of the data.

Figure 2.5: Scapy works with network

Scapy decodes, it does not interpret


A common problem with network probing tools is they try to interpret the
answers received instead of only decoding and giving facts. Reporting something
like Received a TCP Reset on port 80 is not subject to interpretation errors.
Reporting Port 80 is closed is an interpretation that may be right most of the time
but wrong in some specific contexts the tool’s author did not imagine. For
instance, some scanners tend to report a filtered TCP port when they receive an
ICMP destination unreachable packet. This may be right, but in some cases, it

14
means the packet was not filtered by the firewall, but rather there was no host to
forward the packet to.
Interpreting results can help users that don’t know what a port scan is, but
it can also make more harm than good, as it injects bias into the results. What can
tend to happen is that knowledgeable users will try to reverse engineer the tool’s
interpretation to derive the facts that triggered that interpretation, so that they can
do the interpretation themselves. Unfortunately, much information is lost in this
operation.
 Quick demo
This's a quick demo using Scapy in Python to create a simple packet sniffer that
captures and prints out the details of HTTP requests:

from scapy.all import *

# Function to handle captured packets


def packet_handler(packet):
# Check if the packet has an HTTP layer
if packet.haslayer(HTTP):
# Extract and print HTTP request information
print("HTTP Request:")
print("Source IP:", packet[IP].src)
print("Destination IP:", packet[IP].dst)
print("HTTP Method:",
packet[HTTPRequest].Method.decode())
print("Requested URL:",
packet[HTTPRequest].Host.decode()
+
packet[HTTPRequest].Path.decode())
print()

# Sniff packets on the network interface


print("Sniffing HTTP requests...")
sniff(filter="tcp port 80", prn=packet_handler, store=0)

This script uses Scapy to sniff packets on the network interface, filters out TCP
packets on port 80 (HTTP), and then calls the packet_handler function for each
captured packet. In the packet_handler function, it checks if the packet contains
an HTTP layer, and if so, it extracts and prints out information about the HTTP
request, including the source and destination IP addresses, HTTP method, and
requested URL.

15
2.1.3 Modeling web operations based on Python
Install Django: Install Django using pip, the Python package manager.
Open the terminal and run the following command:
pip install django

Create a new Django project: Create a new directory for your project and
navigate into it. Then, run the following command to create a new Django project:
django-admin startproject Webproject

Create an app: Navigate into the project directory you just created and
create a new app using the following command:
python manage.py startapp myapp

Define models: Open the models.py file in your app's directory and define
your data models using Python classes.
Create the database: Run the following commands to create the database
tables based on the models you've defined:
python manage.py makemigrations
python manage.py migrate

Define views: Define views in the views.py file of your app to handle
HTTP requests and return responses.
Create templates: Create HTML template files in the templates directory
of your app to display content to users.
Define URL patterns: Open the urls.py file in your app's directory and
define URL patterns to map views to specific URLs.
Run the development server: Run the development server using the
following command:
python manage.py runserver

16
2.2 Analyzing and addressing injection attack vulnerabilities in OWASP
2.2.1 OWASP Top 10
The OWASP Top 10 is a regularly-updated report outlining security
concerns for web application security, focusing on the 10 most critical risks. The
report is put together by a team of security experts from all over the world.
OWASP refers to the Top 10 as an ‘awareness document’ and they recommend
that all companies incorporate the report into their processes in order to minimize
and/or mitigate security risks.
 The security risks reported in the OWASP Top 10:
Injection
Injection attacks happen when untrusted data is sent to a code
interpreter through a form input or some other data submission to a web
application. For example, an attacker could enter SQL database code into
a form that expects a plaintext username. If that form input is not properly
secured, this would result in that SQL code being executed. This is known
as an SQL injection attack.
Injection attacks can be prevented by validating and/or sanitizing
user-submitted data. (Validation means rejecting suspicious-looking data,
while sanitization refers to cleaning up the suspicious-looking parts of the
data.) In addition, a database admin can set controls to minimize the
amount of information an injection attack can expose.
Broken Authentication
Vulnerabilities in authentication (login) systems can give attackers
access to user accounts and even the ability to compromise an entire
system using an admin account. For example, an attacker can take a list
containing thousands of known username/password combinations
obtained during a data breach and use a script to try all those combinations
on a login system to see if there are any that work.
Some strategies to mitigate authentication vulnerabilities are
requiring two-factor authentication (2FA) as well as limiting or delaying
repeated login attempts using rate limiting.
Sensitive Data Exposure
If web applications don’t protect sensitive data such as financial
information and passwords, attackers can gain access to that data and

17
sellor utilize it for nefarious purposes. One popular method for stealing
sensitive information is using an on-path attack.
Data exposure risk can be minimized by encrypting all sensitive data
as well as disabling the caching* of any sensitive information.
Additionally, web application developers should take care to ensure that
they are not unnecessarily storing any sensitive data.
*Caching is the practice of temporarily storing data for re-use. For
example, web browsers will often cache webpages so that if a user revisits
thosepages within a fixed time span, the browser does not have to fetch
the pages from the web.
XML External Entities (XEE)
This is an attack against a web application that parses XML* input.
This input can reference an external entity, attempting to exploit a
vulnerability in the parser. An ‘external entity’ in this context refers to a
storage unit, such as a hard drive. An XML parser can be duped into
sending data to an unauthorized external entity, which can pass sensitive
data directly to an attacker.
The best ways to prevent XEE attacks are to have web applications
accept a less complex type of data, such as JSON**, or at the very least
to patch XML parsers and disable the use of external entities in an XML
application.
*XML or Extensible Markup Language is a markup language
intended to be both human-readable and machine-readable. Due to its
complexity and security vulnerabilities, it is now being phased out of use
in many web applications.
**JavaScript Object Notation (JSON) is a type of simple, human-
readable notation often used to transmit data over the internet. Although
it was originally created for JavaScript, JSON is language-agnostic and
can be interpreted by many different programming languages.
Broken Access Control
Access control refers a system that controls access to information or
functionality. Broken access controls allow attackers to bypass
authorization and perform tasks as though they were privileged users such
as administrators. For example, a web application could allow a user to
change which account they are logged in as simply by changing part of a
url, without any other verification.

18
Access controls can be secured by ensuring that a web application
uses authorization tokens* and sets tight controls on them.
*Many services issue authorization tokens when users log in. Every
privileged request that a user makes will require that the authorization
token be present. This is a secure way to ensure that the user is who they
say they are, without having to constantly enter their login credentials.
Security Misconfiguration
Security misconfiguration is the most common vulnerability on the
list, and is often the result of using default configurations or displaying
excessively verbose errors. For instance, an application could show a user
overly-descriptive errors which may reveal vulnerabilities in the
application. This can be mitigated by removing any unused features in the
code and ensuring that error messages are more general.
Cross-Site Scripting
Cross-site scripting vulnerabilities occur when web applications
allow users to add custom code into a url path or onto a website that will
be seen by other users. This vulnerability can be exploited to run
malicious JavaScript code on a victim’s browser. For example, an attacker
could send an email to a victim that appears to be from a trusted bank,
with a link to that bank’s website. This link could have some malicious
JavaScript code tagged onto the end of the url. If the bank’s site is not
properly protected against cross-site scripting, then that malicious code
will be run in the victim’s web browser when they click on the link.
Mitigation strategies for cross-site scripting include escaping
untrusted HTTP requests as well as validating and/or sanitizing user-
generated content. Using modern web development frameworks like
ReactJS and Ruby on Rails also provides some built-in cross-site scripting
protection.
Insecure Deserialization
This threat targets the many web applications which frequently
serialize and deserialize data. Serialization means taking objects from the
application code and converting them into a format that can be used for
another purpose, such as storing the data to disk or streaming it.
Deserialization is just the opposite: converting serialized data back into
objects the application can use. Serialization is sort of like packing
furniture away into boxes before a move, and deserialization is like
unpacking the boxes and assembling the furniture after the move. An

19
insecure deserialization attack is like having the movers tamper with the
contents of the boxes before they are unpacked.
An insecure deserialization exploit is the result of deserializing data
from untrusted sources, and can result in serious consequences like DDoS
attacks and remote code execution attacks. While steps can be taken to try
and catch attackers, such as monitoring deserialization and implementing
type checks, the only sure way to protect against insecure deserialization
attacks is to prohibit the deserialization of data from untrusted sources.
Using Components With Known Vulnerabilities
Many modern web developers use components such as libraries and
frameworks in their web applications. These components are pieces of
software that help developers avoid redundant work and provide needed
functionality; common example include front-end frameworks like React
and smaller libraries that used to add share icons or a/b testing. Some
attackers look for vulnerabilities in these components which they can then
use to orchestrate attacks. Some of the more popular components are used
on hundreds of thousands of websites; an attacker finding a security hole
in one of these components could leave hundreds of thousands of sites
vulnerable to exploit.
Component developers often offer security patches and updates to
plug up known vulnerabilities, but web application developers don’t
always have the patched or most-recent versions of components running
on their applications. To minimize the risk of running components with
known vulnerabilities, developers should remove unused components
from their projects, as well as ensuring that they are receiving components
from a trusted source and ensuring they are up to date.
Insufficient Logging And Monitoring
Many web applications are not taking enough steps to detect data
breaches. The average discovery time for a breach is around 200 days
after it has happened. This gives attackers a lot of time to cause damage
before there is any response. OWASP recommends that web developers
should implement logging and monitoring as well as incident response
plans to ensure that they are made aware of attacks on their applications.

20
2.2.2 The concept and principles of injection attacks and related vulnerabilities
 Injection attacks
Injection attacks allow an attacker to inject code into a program or query
or inject malware onto a computer to execute remote commands that can read or
modify a database, or change data on a website.
 Operating principles
Based on attackers injecting malicious code segments or executable
commands into systems, applications, or databases through vulnerabilities or
weaknesses in the data processing process. Injection attacks involve the following
basic steps:
- Identifying vulnerabilities: Attackers search for weaknesses in the
system or applications that they can exploit to inject malicious code.
This could be web forms, URL parameters, database queries, or any
other point where applications use user input data without properly
validating or sanitizing it.
- Injecting malicious code: Once vulnerabilities are identified, attackers
insert malicious code segments or executable commands into the
input data sent to the system or applications. This could be harmful
SQL commands, JavaScript code, or system commands.
- Executing malicious code: When the input data contains injected
malicious code, the system or applications will unintentionally
execute it. For SQL Injection, harmful SQL commands may execute
on the database, while for XSS, malicious JavaScript code may
execute on the user's browser.
- Causing consequences: After the malicious code is executed, the
attacker may achieve their goals, including exploiting databases,
retrieving sensitive information, gaining control of the system, or
accessing unauthorized data.
- Concealing activities: To avoid detection, attackers may conceal their
activities by using error analysis techniques or making their activities
less recognizable. This can make detecting and preventing attacks
more challenging.
 Related vulnerabilities
Blind SQL Injection: A type of SQL injection attack queries the database
using statements to guess. This attack method is often used when an application
(web, apps) is configured to only display general error messages, without

21
revealing SQL errors. Blind SQL Injection sometimes called SQL Inferential
SQL.
XPath Injection: A type of injection attack is carried out through web
applications or web services using XPath (XML Path Language) to query and
process XML data. In this attack, the attacker inserts malicious code into XPath
expressions used to retrieve data from XML documents.
Blind XPath Injection: A type of XPath injection attack, similar to XPath
Injection, but the difference lies in the fact that the attacker doesn't need to know
the exact structure of the XML document to carry out the attack. Instead, they use
trial and error methods and error analysis to determine the document structure,
then insert malicious XPath expressions into queries.
Format String Attack: A type of attack commonly performed in
applications using the C or C++ programming languages. In this attack, the
attacker utilizes features of the string formatting library to access other memory
spaces.
Typically, string formatting functions in C/C++, such as printf, sprintf,
fprintf, and similar functions, allow users to provide format strings to format
output data. However, without careful control, users may inject unsafe format
strings that can lead to accessing or altering data in unintended memory spaces.
LDAP Injection: A type of injection attack carried out through web
applications or web services using LDAP (Lightweight Directory Access
Protocol). In this attack, the attacker injects malicious LDAP commands into
LDAP queries generated from user-provided data.
LDAP is commonly used for searching and authenticating information in
directory systems, such as Microsoft's Active Directory. When a web application
or web service uses LDAP to perform queries, it often uses user-provided data
without properly validating or sanitizing it.
An attacker can use LDAP Injection to perform actions such as executing
unwanted LDAP queries, gathering sensitive information from the directory
system, altering the structure or content of the directory, or even gaining full
control over the directory system.
OS Commanding: also called OS Command Injection, a type of injection
attack commonly carried out in web applications is Command Injection. In this
attack, the attacker injects system commands or command-line commands into
the HTTP request sent to the web application.
When web applications fail to properly validate or sanitize user inputs,
users can inject system commands such as ls, cat, or rm into HTTP requests. If

22
the application fails to block or handle these commands correctly, they can be
executed on the web server, leading to unintended consequences such as
executing malicious code, collecting sensitive information, or even gaining full
control of the system.
SQL injection: A technique where attackers exploit vulnerabilities in input
validation within web applications and utilize error messages returned by the
database management system to inject and execute unauthorized SQL commands.
Through SQL Injection, attackers can manipulate the database operations
of applications, even on the server where the applications are running. This
includes gathering, modifying, or deleting data from the database, and even
gaining full control of the system.
SSI Injection: SSI (Server-Side Include) injection vulnerabilities occur
when an application integrates user-controllable data into a response and then
parses it for Server-Side Include directives. If the data is not rigorously validated,
an attacker can modify or insert directives to perform malicious actions.
SSI injection vulnerabilities can often be exploited to insert arbitrary
content, including JavaScript, into the application's response, with the same
impact as cross-site scripting. Depending on the server configuration, there may
also be the potential to read protected files or execute arbitrary code on the server,
with the same impact as OS command injection.
XSS: Cross-Site Scripting, or XSS for short (to avoid confusion with CSS
- Cascading Style Sheets in HTML), is a technique for injecting malicious HTML
tags or script code into dynamic web pages (such as ASP, PHP, CGI, JSP, etc.),
which can pose a threat to other users. These malicious code snippets are often
inserted using client-side scripting languages such as JavaScript, JScript,
DHTML, and sometimes even HTML tags.
2.2.3 Detecting and addressing injection attack vulnerabilities
a. Detecting and addressing SQL injection
SQL Injection is a technique that exploits vulnerabilities in a website's
input channels. It is performed by injecting additional SQL code to manipulate
the original query. This can be used to extract data from the database. SQL
Injection attacks allow hackers to impersonate identities, tamper with data, or
cause issues such as transaction invalidation, balance alteration, data disclosure,
or destruction on the system. It can even render data unavailable or take control
of the database server as an admin.
 Types of SQL Injection attacks:
In-band SQLi

23
This is one of the most common attack methods today, partly because
it is relatively easy to execute and quite effective. Intruders typically use
one communication channel to access data in two ways:
Error-based SQLi: Intruders will create significant impacts on the
database, triggering error messages and exploiting them to extract
information.
Union-based SQLi: Intruders exploit the UNION SQL operator,
simultaneously using multiple statements to receive an HTTP response.
Information contained therein can be easily exploited.
Inferential (Blind) SQLi
This is a subtle intrusion method, albeit slower in impact, yet highly
effective. Intruders typically send payload data to the server and then
analyze the server's mechanism and structure based on that. This makes it
easy to find an appropriate intrusion method.
Out-of-band SQLi
When the server is unstable or too slow, intruders will exploit
asynchronous triggers to conduct attacks. This method involves
generating DNS requests or HTTP requests to trigger automatic data
transfer by the server. Intruders can take advantage of this opportunity to
steal information.
 Danger of SQL Injection
SQL Injection attacks have serious consequences. They are
considered extremely dangerous because:
- SQL Injection can compromise individual accounts.
- It can copy or steal data from the system as well as the website.
- SQL Injection can alter or manipulate integrated data within the
system.
- It can delete important data and render the web system inoperable.
- Intruders can easily log into applications as different users or even as
administrators.
- SQL Injection enables intruders to view personal information
belonging to others, such as details of their profiles, transactions, or
accesses.
- When a SQL Injection error occurs, all users can easily modify the
structure of the data. They can even delete tables from the
application's database.

24
The exposure of information can have a significant impact on the
reputation of a business. When customer information is leaked, they can
be seriously affected. Loss of trust can lead them to stop using the
company's services altogether. This can cause severe damage to the
business and may even lead to the risk of bankruptcy. Therefore,
preventing and mitigating SQL Injection errors is extremely crucial and
important.
 Detecting SQL Injection vulnerabilities
Most SQL Injection vulnerabilities are quickly found using readily
available web vulnerability scanners. Alternatively, they can be detected
by thoroughly testing the entire system within the application:
- Utilize character analysis tools.
- Submit some syntax specifically for SQL to evaluate the base value
of the input point and to another value, then look for system
differences in the responses of the Applications.
- Check log files: Review log files to identify any abnormal or
malformed SQL queries.
- Validate input data: Verify input data to ensure it does not contain
special characters or unwanted SQL commands.
- Use input filters: Employ input filters to block invalid requests from
users and minimize the risk of SQL Injection vulnerabilities.
 SQL Injection error prevention
- Before using SQL statements, validate input data to ensure data
integrity.
- Utilize ORM (Object-Relational Mapping) libraries: Interact with the
database using ORM libraries instead of direct SQL queries. ORM
automatically generates safe SQL queries and minimizes the risk of
SQL Injection vulnerabilities.
- Use stored procedures: Reduce direct interaction with the database by
leveraging stored procedures, thus minimizing the risk of SQL
Injection.
- When receiving user input, values from cookies, or parameters from
URLs, remove extended and meta characters such as NULL, /, CR,
LF, etc., from the string.
- Employ database security features: Implement security functionalities
like controlled access, data encryption, and access restrictions to
mitigate the risk of SQL Injection vulnerabilities.

25
- Before querying SQL, ensure that numeric values are converted to
integers or use ISNUMERIC to verify that they are integer numbers.
- Delete unused stored procedures such as sp_makewebtask,
xp_startmail, xp_cmdshell, xp_sendmail in the master database.
b. Detecting and addressing XSS
Cross-Site Scripting (also called XSS) is a web security vulnerability that
allows an attacker to compromise interactions a user has with a vulnerable
Applications. Instead of targeting the Applications server itself, XSS attacks
typically target users of Applications directly. XSS attacks are usually classified
by scope, implementation, and exploitation…
 Types of XSS attacks:
- Stored XSS (Persistent XSS)
Stored XSS (or Persistent XSS or Second-order XSS) works when
the application receives data from an untrusted source and has an insecure
HTTP response. Accordingly, malicious code will permanently penetrate
databases, forum messages, comment places and server systems. When the
victim retrieves that malicious code from the server, the hacker will have
control over all their activities.
Stored XSS will permanently infiltrate the server system when the
victim retrieves malicious code to his browser.
- Reflected XSS
Reflected XSS (or Non-persistent XSS) is a type of XSS that attacks
a network by inserting malicious scripts into responses that web browsers
send to the server. Such as error messages or search results on a user's
website,...
When Web Applications are infected with malicious scripts, it sends
the hacker's malicious code to the victim's browser for processing as
normal code. Soon, hackers will have control over all user information.
Reflected XSS will use the victim as bait to insert malicious code into the
browser and steal information.
- DOM-based XSS
DOM-based XSS will spread when the application contains
JavaScript that processes data from untrusted sources. Accordingly,
hackers will control Data from the Input field and build malicious code.
DOM-based XSS will install malicious code into the DOM to spread
out.
- Self-XSS Attacks

26
Self-XSS Attacks is more about social engineering, tricking users
into letting people script themselves to get malicious code. Currently, this
attack method is no longer popular because browsers have applied
advanced measures to warn users. If an attacker tries to paste a piece of
JavaScript into the address bar of Chrome or Firefox, the browser warns of
possible dangers immediately.
 Danger of XSS:
- Impersonate or disguise the victim's user identity.
- Perform any actions that a user can perform.
- Read any data accessible to the user.
- Capture user login information.
- Modify the appearance of the website.
- Inject malicious trojans into the website.
 Detecting XSS Vulnerabilities:
To test for vulnerability to XSS attacks, programmers need to observe
how the entered scripts are responded to and whether those scripts are
executed or not.
For example, if a user intentionally enters the script
<script>alert(‘hacked’)</script> into an input form and it gets executed
after submission, it signifies that a security incident has occurred due to
XSS exploitation. Although it may not result in significant consequences,
the tester can assess the method of operation and the security level of the
website.
In general, when testing for XSS attack potential, testers need to check
input validation and be cautious of cases where the output of the website
could be affected.
 XSS error prevention:
The best way to limit the damage of attacks is to prevent them from
the start. To prevent this vulnerability, the following measures can be used:
- Data validation: Ensuring that input data provided is accurate. Input
values must be checked for validity, ensuring they do not contain
special characters and adhere to the desired format.
- Filtering: This measure helps to search for dangerous keywords in
user input to promptly replace or remove them. Developers can use
some built-in JavaScript functions such as htmlentities(),
htmlspecialchars(), strip_tags() to encode special characters into
HTML entities.

27
- Output encoding: Helps prevent browsers from executing malicious
code inserted into the output of the application. Functions like
json_encode(), base64_encode() can be used to encode output
strings into different formats.
- Content Security Policy (CSP): This measure helps specify which
content sources are allowed to run on the website. HTTP headers
such as X-Content-Security-Policy, X-WebKit-CSP, Content-
Security-Policy can be used to set rules for different content sources
such as script, style, image, media, etc.
c. OS command injection
OS Command Injection (also called shell injection) This is an
vulnerability in web security that allows attackers to execute arbitrary operating
system (OS) commands on a server running a particular service. Attackers can
exploit this vulnerability to conduct reconnaissance, gather information, or pivot
the attack to other systems within the organization.
 Danger of OS command injection
- Unauthorized access.
- Privilege escalation.
- Remote code execution.
- Distributed Denial-of-Service (DDoS) attack.
- Violation of privacy rights.
- System disruption.
- Unauthorized resource utilization.
 Detecting OS command injection Vulnerabilities
- Application Analysis: Understand how the application processes
user inputs such as URL parameters, HTML forms, headers, cookies,
file uploads, etc., and identify the functions/features of the
application that could lead to OS command execution (e.g., search,
filtering, parsing, etc.).
- Input Testing: Inject OS commands into various input fields and
observe the application's response.
Use simple commands like whoami, id, pwd, ls, cat /etc/passwd,
ping for testing.
Try injecting special characters such as double quotes ", single
quotes ', backslashes , dollar signs $, and observe the response.
Use techniques like putting strings into comments, bypassing,
Unicode value injection, etc., to bypass input filtering.

28
- Use Vulnerability Scanning Tools: Utilize tools like OWASP ZAP,
Burp Suite, Acunetix for automated scanning and OS command
injection detection.
 OS command injection error prevention
The most effective way to prevent command injection is to avoid
using system commands altogether. This means never invoking OS
commands from the application layer. In cases where OS commands are
necessary, there are various alternative methods to achieve the required
functionality using safer platform APIs. If it's unavoidable to use OS
commands, strong input validation must be implemented:
- Only accept values that are allowed.
- Only accept input as a number.
- Only accept input consisting of alphanumeric characters, without
any special characters, spaces, etc.

2.3 Early warning of injection attacks


2.3.1 Introduction to Telegram Chat Application and Integration with Python
 Telegram:
Telegram is a versatile application that allows users to send text messages,
voice messages, animated GIFs, make high-quality voice and video calls, and
share an unlimited number of images, documents (up to 2GB per file), locations,
contacts, and music, all completely free of charge. One of the standout features
of Telegram is its utilization of a powerful global server system, ensuring stable
service and fast speeds.
Telegram is available on popular operating systems such as Android, iOS,
Windows, macOS, and Linux, making it easily accessible and usable on most
mobile devices and computers today.
Initially released in August 2013, Telegram quickly became one of the
most popular messaging applications worldwide. By January 2021, Telegram had
attracted over 500 million monthly active users globally and became the most
downloaded application worldwide for that month.
 Some of the features of Telegram
Private and convenient chats: Telegram allows you to create private one-
on-one chats or groups, with the ability to join conversations with hundreds, or
even thousands of people. This feature has made the app suitable for both private
messaging and creating large group chats.

29
File and image sharing: You can easily send and receive files, images, and
videos on Telegram. Notably, Telegram does not limit the size of files you can
send, making it simple to share large files.
Voice and video calls: In addition to messaging, Telegram provides high-
quality voice and video calling features, allowing you to quickly connect with
friends and colleagues.
Chat bots and third-party applications: Telegram supports chat bots and
third-party applications, enabling developers to create custom applications to
extend Telegram's functionality. Bots can provide information, entertainment, or
utility services, creating a diverse and rich environment.
High security and privacy: Telegram is known for its focus on security and
privacy. With features like Secret Chats, all messages and files are end-to-end
encrypted, preventing anyone, including Telegram, from accessing the content.
When using Telegram, you can feel confident sharing information, even
sensitive information. Telegram also regularly updates and introduces new
features, providing users with a diverse and convenient user experience.
 Telegram Bot
A Telegram bot is a program designed to automatically perform tasks on
the Telegram platform. Similar to a robot, a Telegram bot can interact with users
through text messages or commands. Additionally, it can execute various tasks,
ranging from answering questions to providing information, updating weather
forecasts, conducting surveys, creating games, and solving puzzles...
Advantages of Bot Telegram
Easy to use with many fun experiences
The Telegram bot is very user-friendly and capable of performing various
automated tasks to assist users. Bots can handle many different tasks such as
providing information, entertainment, schedule management, sending
notifications, and many other functions. Therefore, you are sure to have many
enjoyable experiences on the Telegram platform.
Flexible interaction capability
Bots on Telegram feature flexible interaction capabilities and can be
customized to meet specific needs. They respond and take actions based on
specific commands you send. For example, you can play games by sending
commands like "/play" or "/start." Additionally, the Bot system supports various
languages, providing a rich and diverse experience.
High security level

30
Telegram is renowned for its high-security platform, and its Bot tool is
designed to adhere to strict security standards. The system employs end-to-end
encryption (E2E) for private conversations between users and bots. Therefore,
you can rest assured when issuing commands and engaging in automated chats
on this platform.
Integrating artificial intelligence
Telegram bot have the capability to integrate artificial intelligence (AI) to
provide a smarter and more efficient interactive experience for users. Chatbots
can learn from previous conversations, thereby improving their communication
skills to better suit your needs..
 Integrating a Telegram bot into Python
Receive the token of the Telegram Bot:
Step 1: Open Telegram and search for the "BotFather" user

Figure 2.6: Searching for "BotFather"

Step 2: Start a conversation with BotFather and use the ‘/newbot’ command
to create a new bot. Follow the instructions to set up your bot and obtain the bot
token. BotFather will provide you with a token that you will use to authenticate
your bot and grant access to the Telegram API.

31
Figure 2.7: Create a new bot
Implementing a Telegram Bot in python:
Step 3: Use pip to set up pyTelegramBotAPI library and dotenv
pip install pyTelegramBotAPI
pip install python-dotenv
Step 4: Create an .env file to store tokens:

Figure 2.8: Store tokens

Step 5: Create a chatbot.py file and paste the code below:

import os
import telebot
from dotenv import load_dotenv
load_dotenv()
BOT_TOKEN = os.environ.get('BOT_TOKEN')
bot = telebot. TeleBot (BOT_TOKEN)

In the above code snippet:


The os library is used to read environment variables stored in the system.
The dotenv library in Python is used to load environment variables from the .env
file into the Python application's environment.
The load_dotenv() function is a method provided by the dotenv library.
When called, this function loads environment variables from the .env file into the
Python application's environment.

32
os.environ.get('BOT_TOKEN') retrieves the value of the environment
variable named 'BOT_TOKEN' and assigns it to the variable BOT_TOKEN.
bot = telebot.TeleBot(BOT_TOKEN) creates a Telegram Bot object using
the TeleBot class from the telebot library in Python

Step 6: Define the message handlers to handle the commands:

@bot.message_handler(commands=['start', 'hello'])
def send_welcome (message):
bot.reply_to (message, "Howdy, how are you doing?")

If the administrator executes the command /start or /hello in the telebot,


the
function send_welcome will be called with the content "Howdy, how are you
doing?"
//The decorator allows users to receive an input parameter as another
function and extends the functionality for that function without changing its
content.
Finally, add this line to the end of the file to run the bot:

bot.infinity_polling()

When running the above code, the bot will continuously check for new
messages from Telegram and automatically call the message handlers when a new
message is received.
2.3.2 Early warning system development
 Collecting input data with the Scapy library
Scapy is a powerful Python library used for sending, receiving, analyzing,
and forging network packets. It provides a simple yet feature-rich interface that
allows users to interact with packets at a low-level layer.
Below is the code snippet describing the packet_handler function:

def packet_handler(packet):
if packet[TCP].dport == 80 and packet.haslayer (Raw):
try:
data = str((packet [Raw].load).decode('utf-8'))
ip_src = str(packet[IP].src)
except:
pass

33
The packet_handler function is used to process network packets captured
by Scapy. The conditions packet[TCP].dport == 80 and packet.haslayer(Raw)
check whether the packet is an HTTP packet (destination port 80) and contains
payload data (Raw layer) or not.
If the condition is met, the code will extract the payload data from the Raw
layer of the packet using packet[Raw].load. This data is then decoded into a UTF-
8 string and stored in the variable data. Additionally, the source IP address of the
packet is extracted and stored in the variable ip_src.
 Analyzing input data
Analyzing input data to detect patterns and character strings related to XSS
and SQL Injection attacks is a crucial step in building an Early Warning System
for injection attacks.
Below is an example of using the detectSQLi(inputString) function to
analyze data and detect SQL Injection in a string:

import re
def detectSQLi (inputString):
sqli_patterns = [
r'\b(SELECT INSERT UPDATE | DELETE
|DROP|TRUNCATE|OR|AND|UNION|JOIN)\b',
r'\b(OR\s+\d+\s*\=\s*\d+)\b',
r'\b(AND\s+\d+\s*\=\s*\d+)\b',
r'\b(UNION\s+SELECT\s+\d+)\b',
r'\b(SELECT\s+.*?\s+FROM\s+.*?WHERE\s+.*?=.*?\b)',
]
for pattern in sqli_patterns:
if re.search(pattern, inputString, re.
IGNORECASE):
return True
return False

import re: This line imports the re library of Python, which is used to
perform operations with regular expressions.
def detectSQLi(inputString): The definition of the detectSQLi function
with one parameter inputString, representing the input string to be analyzed.
sqli_patterns: A list of regular expressions is stored in a list, with each
regular expression representing a pattern of different SQL Injection attacks.
for pattern in sqli_patterns: Iterating through each regular expression in
the sql_injection_patterns list.
if re.search(pattern, inputString, re.IGNORECASE): Use the re.search()
function to search for a match between the regular expression and the input string.

34
re.IGNORECASE: Perform a case-insensitive search. If a match is found,
indicating a pattern of SQL Injection attack, the function will return True.
return False: If no match is found after checking all the regular
expressions, the function will return False, indicating that no SQL Injection attack
has been detected in the input string.

 Send notifications and block IP


After detecting an attack from an IP address more than 5 times, the system
will send a warning notification and block that IP address to prevent further attack
activities.

def send_message(ip):
url =
f"https://api.telegram.org/bot{TOKEN}/sendMessage"
data = "Detected suspicious activity from IP address:
+ ip
command = f'curl -X POST "{url}" -d "chat_id={chatid}"
-d "text={data}"'
args = shlex.split(command)
subprocess.run(args)

The function send_message(ip) is defined in Python with the purpose of


sending a warning message to a channel. cURL stands for "Client for URLs" and
is a powerful command-line tool for sending and receiving data from the network.
In the mentioned Python code, cURL is used to send an HTTP POST request to
the Telegram Bot API to send the warning message. Instead of using a Python
library to handle the HTTP request directly, the code constructs a cURL
command and executes that command using subprocess.run().
Define a function named write_to_File(ip) tasked with writing suspicious
IP addresses to the file blocked.txt:
def write_to_File(ip):
with open('blocked.txt', 'r') as f:
if ip in f.read():
return
with open ('blocked.txt', 'w') as f:
f.write(ip + '\n')

35
2.4 Conclusion
In summary, Chapter 2 has covered the fundamental aspects of analyzing
HTTP Request packets and Early Warning of Injection Attacks using the Python
programming language. The main topics presented include:
- Overview of HTTP Request packets
- Analysis of HTTP Request packets using Python
- Analysis and handling of injection attack vulnerabilities in OWASP
- Methods for detecting and handling vulnerabilities related to
injection attacks (SQL Injection, XSS, OS Command Injection)
- Early Warning of Injection Attacks through Telegram Bot
Through research and implementation, it was possible to identify HTTP
Request packets and extract important information such as source IP address,
destination IP address, HTTP method, and URL request. This provides a clearer
understanding of network activity and identifies signs of injection attacks.

Additionally, using Python to automatically alert on suspicious HTTP


requests can lead to early detection of injection attacks and enhance system
security. This is an important step in protecting data and network systems from
threats posed by cyber attacks.

36
CHAPTER 3. DEPLOYING SYSTEM
3.1 Experimental implementation model
Using Telegram to send notifications to the administrator upon detecting
injection attacks.
3.2 Testing scenario
Detect injection attacks and send notice to admin administrator via Telegram
3.3 Implement
3.3.1 Setting up and configuring a system
Step 1:
Move to config folder, run file set.sh
Content in set.sh:
read -p "Enter password: " password
echo $password | sudo -S python restart.py
echo $password | sudo mv index.html "/var/www/html/index.html"

Step 2:
Setup libraries for python:
Read the readme.txt
Content in readme.txt
Instruction file:
before start:
pip install -r requirement.txt
add Telegram bot token to the token.txt:
run:
sudo python start.py
python system_control.py
Requirement file content:
scapy==2.4.4
python-telegram-bot

3.3.2 Testing
On another device, get to the IP of the server in your browser:

37
Figure 3.1: Enter SQL query
In the input field, try entering a SQL query
Get back to server and check the result.

Figure 3.2: Result of SQL detecting

Set the maximum number of allowed attempts, and if exceeded, the IP will be
blocked.For example, set for10 times.

38
Figure 3.3: The result after 10 times

This figure shows.


The grammar in the sentence is incorrect. Here's the corrected version:

It called a `curl`
command, and
this command
sent a notice to
admin’s
Telegram.

Because this IP
has been
blocked, It can
no longer send
request to this
server.

Figure 3.4: Notice sent Figure 3.5: Result after block

39
The `/blocked` command shows all of the IPs that have been blocked by this
program.
To unblock all of the IPs that have been blocked by iptables, just type
/unblock_all

Figure 3.6: Blocked command Figure 3.7: Unblock_all command

CONCLUSION
This report is about Python and its powerful tools for analyzing HTTP requests
and detecting early warning signs of injection attacks. By leveraging libraries like
Requests and analyzing request parameters, headers, and payloads, developers
can build robust detection mechanisms. However, continual vigilance and
updates are crucial to stay ahead of evolving injection attack techniques.
Integrating Python-based analysis into web application security frameworks can
enhance overall defense strategies against such threats.

40
REFERENCE

[1]. Scapy’s documentation (Scapy library):


https://scapy.readthedocs.io/en/latest/introduction.html
[2]. Injection attack:
https://www.ibm.com/docs/en/snips/4.6.2?topic=categories-injection-
attacks
[3]. XSS: http://thuvienso.actvn.edu.vn/tailieuvn/doc/lo-hong-cross-site-
scripting-xss-tan-cong-va-cac-bien-phap-khac-phuc-2721485.html
[4]. OWASP Top 10:
https://www.cloudflare.com/learning/security/threats/owasp-top10/

APPENDIX
Duty Chart
Name - ID Work
Chapter 2: Python in HTTP Request
Nguyễn Văn Hiền – AT180416 packet analysis and early warning of
injection attacks
Nguyễn Xuân Hiếu – AT180417 Chapter 3: Deploying system

Bùi Đức Trung – AT180447 Chapter 1: Overview


Chapter 2: Python in HTTP Request
Nguyễn Thị Tú Uyên – AT180449 packet analysis and early warning of
injection attacks

41

You might also like