Tested on Fedora Silverblue
This webserver is designed to detect SQL injection attempts in provided queries. It uses a trained Random Forest model to classify queries as malicious or not. The server is built with Quart, a Python ASGI web microframework, and Hypercorn, an ASGI server. Sample data is based on SQL Injection Dataset by SAJID576 on Kaggle.
The `/detect` endpoint accepts a JSON object with a `query` field. It returns a JSON object with an `is_malicious` field indicating whether the provided query is considered malicious.

Request:
{
  "query": "SELECT * FROM users"
}

Response:
{
  "is_malicious": false
}

The `/upload_csv` endpoint accepts a CSV file for retraining the model. The CSV file should be included in the `file` field of the form data. A `password` field should also be included in the form data for authentication. The server will return a message indicating whether the file was saved successfully and the model training has started.

Form Data:
- `file`: The CSV file
- `password`: The password for authentication

Response:
{
  "message": "File saved and model training started"
}

The status endpoint returns the status of the server and the training process. It returns a JSON object with a `status` field indicating the status of the server and a `training` field indicating the status of the training process.

Response:
{
  "message": "System is operational. Please POST to /detect with 'query' to use the service.",
  "status": "ok",
  "training": "idle"
}

Environment variables:
- `MODEL_URL`: Specify a URL to a model file to load. If not specified, the server will train a new model.
- `VECTORIZER_URL`: Specify a URL to a vectorizer file to load. If not specified, the server will create a vectorizer when training a new model.
- `ALLOW_TRAINING`: Specify whether to allow training via the `/upload_csv` endpoint. If not specified, the default is `False`.
- `SECRET_TRAIN_PASSKEY`: Specify a password for the training endpoint. If not specified, the default password is `1234`.
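The following is an added example, not code from the SQL-Detect project, showing how the documented configuration and the two request contracts above can be enforced independently of Quart: `ALLOW_TRAINING` off by default, the `/upload_csv` password compared in constant time, and a check that flags a deployment still running with the default passkey `1234`. The HTTP status codes, rejection messages and the `deployment_warnings` helper are my assumptions, not the project's behaviour.

```python
import hmac
from typing import Callable, Dict, Tuple

Response = Tuple[int, dict]  # (HTTP status, JSON body)


def load_config(env: Dict[str, str]) -> dict:
    """Read the README's environment variables with the documented defaults
    (ALLOW_TRAINING=False, SECRET_TRAIN_PASSKEY=1234)."""
    allow = env.get("ALLOW_TRAINING", "False").strip().lower() in ("1", "true", "yes")
    return {
        "model_url": env.get("MODEL_URL") or None,
        "vectorizer_url": env.get("VECTORIZER_URL") or None,
        "allow_training": allow,
        "train_passkey": env.get("SECRET_TRAIN_PASSKEY", "1234"),
    }


def handle_detect(body: object, classify: Callable[[str], bool]) -> Response:
    """POST /detect: require a JSON object with a string 'query' field,
    then delegate to the (injected) classifier. Status codes are assumed."""
    if not isinstance(body, dict) or not isinstance(body.get("query"), str):
        return 400, {"message": "JSON body with a string 'query' field is required"}
    return 200, {"is_malicious": bool(classify(body["query"]))}


def handle_upload_csv(config: dict, form: Dict[str, str], files: Dict[str, bytes]) -> Response:
    """POST /upload_csv: refuse unless training is enabled, a 'file' is present
    and the 'password' form field matches the passkey. Status codes are assumed."""
    if not config["allow_training"]:
        return 403, {"message": "Training is disabled on this server"}
    if "file" not in files:
        return 400, {"message": "Missing 'file' field"}
    supplied = form.get("password", "").encode()
    # compare_digest does not short-circuit on the first mismatching byte.
    if not hmac.compare_digest(supplied, config["train_passkey"].encode()):
        return 401, {"message": "Invalid password"}
    return 202, {"message": "File saved and model training started"}


def deployment_warnings(config: dict) -> list:
    """Hypothetical start-up check: flag the settings an operator should
    change before exposing the training endpoint."""
    warnings = []
    if config["allow_training"] and config["train_passkey"] == "1234":
        warnings.append("training is enabled with the default passkey '1234'")
    if config["allow_training"] and len(config["train_passkey"]) < 12:
        warnings.append("training passkey is shorter than 12 characters")
    return warnings


if __name__ == "__main__":
    cfg = load_config({"ALLOW_TRAINING": "true"})  # constructed environment
    print(deployment_warnings(cfg))
    print(handle_upload_csv(cfg, {"password": "guess"}, {"file": b"Query,Label\n"}))
```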
- Docker
- Docker-compose
- Python 3.8
- python3-pip
- conda
- python3-virtualenv
Please note, the `docker-compose.yaml` file is required, and this project cannot be run via `docker run` because it needs a volume mount and port mapping.
Note: Make sure you have Docker installed.

- Save the `docker-compose.yaml` file from this project to your local machine.
- Create/edit the `.env` file based on the contents of the `.env.example` file.
- Create the container with `sudo docker-compose up`, or add `-d` to run it in the background.
Note: Make sure you have Docker installed.

- Clone the repository with `git clone https://github.com/PhysCorp/SQL-Detect.git` and navigate to the project directory with `cd SQL-Detect`.
- Create/edit the `.env` file based on the contents of the `.env.example` file.
- Build the Docker image with `sudo docker-compose build`.
- Run the Docker image in the foreground with `sudo docker-compose up`, or add `-d` to run it in the background.
- Install python3, python3-pip and anaconda. Anaconda can be retrieved from here. If you are on Windows, you can install anaconda with chocolatey using `choco install anaconda3`.
- Create a conda environment with `conda create --name SQL-Detect python=3.8`.
- Activate the conda environment with `conda activate SQL-Detect`.
- Install the requirements with `python3 -m pip install -r requirements.txt`.
- (Optional): Reinstall charset-normalizer if experiencing issues with COMMON_SAFE_ASCII_CHARACTERS: `python3 -m pip install --force-reinstall charset-normalizer`
- Download this project with `git clone https://github.com/PhysCorp/SQL-Detect.git` and navigate to the project directory with `cd SQL-Detect`.
- Activate the conda environment with `conda activate SQL-Detect`.
- Create/edit the `.env` file based on the contents of the `.env.example` file.
- Run `python3 main.py` to start the application.
- Create a new virtualenv with `python3 -m venv .venv`.
- Activate the virtualenv with `source .venv/bin/activate`.
- Install the requirements with `python3 -m pip install -r requirements.txt`.
- Deactivate the conda environment with `conda deactivate`.
- Remove the conda environment with `conda remove --name SQL-Detect --all`.
Copyright 2024 | This project is licensed under the MIT License. The full license can be found in the GitHub repository.