As long as you develop on your local machine, the world is nice: you are probably the only client, and your requests are probably well-formed most of the time. Once you release your code to the internet, you will face a lot of bots, malformed requests and automated tools looking for bugs in your app. Here are some logs from our CartoX API running on the internet:
As you can see, what happens there is not nice at all: malformed requests and probes for protocols other than HTTP, sent by scanners rather than by real clients.
The second problem comes from heavy, parallel user requests. This happens when a customer uses a multithreaded tool or client to query your API. The Flask development server is not able to handle this. Let's try to fix all of these problems and go from development to production.
Flask is not battle-ready!
We will see how to investigate these problems and fix them.
How to test a Flask App for Production
Using ApacheBench for Load Testing
ApacheBench ships out of the box with many Unix/Linux systems; if yours lacks it, you can install it with
apt-get install apache2-utils
After that, you can send 100 requests to your API, 10 of them in parallel, with
ab -n 100 -c 10 http://127.0.0.1:5000/ping
The status report looks like this:
This is ApacheBench, Version 2.3 <$Revision: 1826891 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 127.0.0.1 (be patient).....done

Server Software:
Server Hostname: 127.0.0.1
Server Port: 5000

Document Path: /ping
Document Length: 26 bytes

Concurrency Level: 10
Time taken for tests: 0.073 seconds
Complete requests: 100
Failed requests: 0
Total transferred: 40600 bytes
HTML transferred: 2600 bytes
Requests per second: 1364.72 [#/sec] (mean)
Time per request: 7.327 [ms] (mean)
Time per request: 0.733 [ms] (mean, across all concurrent requests)
Transfer rate: 541.09 [Kbytes/sec] received
Depending on your endpoint, if one response takes longer than the time per request and the next concurrent request comes in, that request will fail. This tool lets you put the API under load and watch what happens.
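As an added example (not from the original post), here is a stdlib-only Python re-implementation of that `ab -n 100 -c 10` run against a constructed stand-in for the /ping endpoint. It reports ab's figures (failed requests, requests per second, both "time per request" lines) and lets you compare a server that handles one request at a time with one that handles them in parallel, which is what the concurrent-client problem above comes down to.

```python
import http.client
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer, ThreadingHTTPServer


class PingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the /ping endpoint (not the CartoX API):
    answers GET /ping after an artificial `delay` so concurrency effects show."""
    delay = 0.0

    def do_GET(self):
        if self.path != "/ping":
            self.send_error(404)
            return
        time.sleep(self.delay)              # pretend the endpoint does real work
        body = b'{"ping": "pong"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):           # keep the access-log chatter quiet
        pass


def start_server(threaded, delay=0.0):
    """Start a one-request-at-a-time server or a thread-per-connection one on a
    free loopback port in a background thread; returns (server, port)."""
    base = ThreadingHTTPServer if threaded else HTTPServer
    # Larger listen backlog so 10 parallel connects are queued rather than dropped.
    server_cls = type("Srv", (base,), {"request_queue_size": 64})
    handler = type("Handler", (PingHandler,), {"delay": delay})
    srv = server_cls(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_load(host, port, path="/ping", requests=100, concurrency=10, timeout=5.0):
    """Minimal equivalent of `ab -n requests -c concurrency`: fires the requests
    from a pool of `concurrency` clients and returns ab's headline numbers."""
    def one(_):
        t0 = time.perf_counter()
        try:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
            conn.request("GET", path)
            resp = conn.getresponse()
            resp.read()
            status = resp.status
            conn.close()
        except (OSError, http.client.HTTPException):   # refused, reset, timed out
            status = None
        return status, time.perf_counter() - t0

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(one, range(requests)))
    total = time.perf_counter() - start
    statuses = [s for s, _ in results]
    return {
        "complete": requests,
        "failed": statuses.count(None),                 # ab's "Failed requests"
        "non_2xx": sum(1 for s in statuses if s is not None and not 200 <= s < 300),
        "seconds": total,
        "rps": requests / total,
        # ab's two "Time per request" lines: per client, and across all clients
        "ms_per_request": total * concurrency / requests * 1000,
        "ms_per_request_all": total / requests * 1000,
    }


if __name__ == "__main__":
    for threaded in (False, True):
        srv, port = start_server(threaded, delay=0.01)
        report = run_load("127.0.0.1", port)
        srv.shutdown()
        srv.server_close()
        print("threaded" if threaded else "single-threaded", report)
```

Run the single-threaded case with a delay larger than the client timeout and the failed-request counter starts climbing; that is the failure mode described above.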
Using Astra for API Security and Vulnerability Tests
Astra is a tool for automated security testing of REST APIs, released by Flipkart under the Apache 2.0 license. It needs Python 2.7 (a merge request for Python 3 support is already open, so it is just a matter of time) and a running MongoDB.
Running MongoDB on a system is pretty straightforward. The easiest way is to use a Docker container, e.g.:
docker run --name astra-mongo -d -p 27017:27017 mongo
With MongoDB running on your system, you can point Astra at your API like this:
python astra.py -u http://localhost:5000/ping
Now you will see a lot of API attacks like the following in your server logs. They are similar to what you will get when your Flask API is open to everybody on the internet:
/?next=$2f%2fwww.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?url=//www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?url=$2f%2fwww.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?url=//www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //redirect/www.google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //cgi-bin/redirect.cgi?www.google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out/www.google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out?www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out?/www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out?//www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out?/%5Cwww.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //out?///www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?view=www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?view=/www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?view=//www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?view=/%5Cwww.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET /?view=///www.google.com HTTP/1.1" 200 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //login?to=www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //login?to=/www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:20] "GET //login?to=//www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //login?to=/%5Cwww.google.com HTTP/1.1" 301 - 
INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //login?to=///www.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ///google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ////google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /////google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //https://google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ///google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /https://google.com/%2f.. HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ////google.com/ HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ///google.com/ HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //////google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //////google.com/ HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ////google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ////%5C;@google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //.google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //google.com/%2f.. 
HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%2f%2fgoogle.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /@google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /http://;@google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ///;@google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%3C%3E//google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%E3%80%B1google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%E3%80%B5google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%E3%82%9Dgoogle.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%E3%83%BCgoogle.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET /%EF%BD%B0google.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%E3%80%B1google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%E3%80%B5google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%E3%82%9Dgoogle.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%E3%83%BCgoogle.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET //%EF%BD%B0google.com HTTP/1.1" 301 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:21] "GET ///google%00.com HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:24] "POST /ping HTTP/1.1" 405 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:24] "POST /ping HTTP/1.1" 405 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%0dCRLF-Test:%20crlf=injection HTTP/1.1" 404 - 
INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%23%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%23%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%23%0dCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%250aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%250aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%250aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%25250aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/..%2f%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%2f..%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%2F..%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%3f%0d%0aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%3f%0dCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:37] "GET /ping/%25u000aCRLF-Test:%20crlf=injection HTTP/1.1" 404 - INFO:werkzeug:127.0.0.1 - - [04/Jan/2019 11:40:40] "GET /ping HTTP/1.1" 200 -
Astra is trying to break your API, and when it is done it serves you a report in the browser:

Security Scanning Report for your API from Astra
The security issues it reports most often are missing or wrong response headers. The response headers of a default Flask app look like this:
Content-Length: 26
Content-Type: application/json
Date: Fri, 04 Jan 2019 10:40:40 GMT
Server: Werkzeug/0.14.1 Python/3.6.7
Fixing Security Issues of your Flask App
As you can see at the start of every Flask app, Flask itself warns you not to use the built-in Werkzeug development server in production. First things first: a Flask app needs a WSGI server in front of it. There are many, but Gunicorn and uWSGI are the most used. We use Gunicorn, because if you deploy with Docker anyway, switching to it is a one-line change. Because we do not serve static content like .css files or images, we do not strictly need Nginx as a reverse proxy in front of the WSGI server. Keep in mind what a proxy would otherwise give you, though: TLS termination (browsers ignore the Strict-Transport-Security header added below unless the response arrived over HTTPS) and buffering of slow clients, which the Gunicorn documentation recommends when you run its default synchronous workers.
To add the missing headers, we use Flask's after_request hook, which runs on every response and lets us modify the Werkzeug response headers before they are sent. It can be registered anywhere the app object is in scope; it does not have to come after the last route, because the hook runs for every request regardless of registration order.
# Python 3.6
from flask import Flask

app = Flask(__name__)  # the app object is assumed to exist already in main.py


@app.after_request
def after_request(response):
    # Add and remove custom headers for security reasons
    # https://github.com/shieldfy/API-Security-Checklist/blob/master/README-de.md
    # and after the Astra security check
    ContentSecurityPolicy = ''
    ContentSecurityPolicy += "default-src 'self'; "
    ContentSecurityPolicy += "script-src 'self' 'unsafe-inline'; "
    ContentSecurityPolicy += "style-src 'self' 'unsafe-inline'; "
    ContentSecurityPolicy += "img-src 'self' data:; "
    ContentSecurityPolicy += "connect-src 'self';"
    # set() overwrites an existing value; add() would append a second copy
    response.headers.set('Content-Security-Policy', ContentSecurityPolicy)
    response.headers.set('X-Content-Type-Options', 'nosniff')
    # Only honoured by browsers when the response was delivered over HTTPS
    response.headers.set('Strict-Transport-Security', 'max-age=86400; includeSubDomains')
    response.headers.set('X-Frame-Options', 'deny')
    response.headers.set('Access-Control-Allow-Methods', 'GET')
    response.headers.set('X-XSS-Protection', '1; mode=block')
    # Hide the Werkzeug/Python version banner
    response.headers.set('Server', '')
    # This is necessary for a project partner; '*' lets any origin read the response
    response.headers.set('Access-Control-Allow-Origin', '*')
    return response
Many of the entries come from the API Security Checklist and from the Content Security Policy Reference page. They had to be customized, because we use Swagger UI for the documentation and it needs more than a plain 'none' policy: it loads inline scripts and styles, which is why the policy above still carries 'unsafe-inline' and is weaker than the CSP a pure JSON API could ship.
Now, if you scan again, the Astra security report comes back empty. That does not mean your API is 100% secure, but a lot of common attack scenarios have been tested.
The response headers now look like this:
access-control-allow-methods: GET
access-control-allow-origin: *
content-length: 26
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';
content-type: application/json
date: Fri, 04 Jan 2019 12:07:39 GMT
server:
strict-transport-security: max-age=86400; includeSubDomains
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
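An empty Astra report is a good sign, but it is worth checking the headers with your own eyes as well. The script below is an added example, not code from the original post or the CartoX project: it parses the two header dumps shown on this page (copied here as constants) with nothing but the Python standard library and reports what a reviewer would still flag. The thresholds (a one-year HSTS max-age, the treatment of X-XSS-Protection as obsolete) are the example's own choices.

```python
"""Audit HTTP response headers for the hardening points discussed above."""
import re

# Headers of the default Flask/Werkzeug app, copied from the page.
BASELINE = """\
Content-Length: 26
Content-Type: application/json
Date: Fri, 04 Jan 2019 10:40:40 GMT
Server: Werkzeug/0.14.1 Python/3.6.7
"""

# Headers after the after_request hook, copied from the page.
HARDENED = """\
access-control-allow-methods: GET
access-control-allow-origin: *
content-length: 26
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';
content-type: application/json
date: Fri, 04 Jan 2019 12:07:39 GMT
server:
strict-transport-security: max-age=86400; includeSubDomains
x-content-type-options: nosniff
x-frame-options: deny
x-xss-protection: 1; mode=block
"""

ONE_YEAR = 365 * 24 * 3600  # assumed minimum HSTS max-age for this audit

REQUIRED = (
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "strict-transport-security",
)


def parse_headers(text):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.

    Header names are case-insensitive, so the Werkzeug dump (Title-Case)
    and the hardened dump (lower-case) can be compared directly.
    """
    headers = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing left to flag."""
    findings = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing {name}")
    # A Server banner with a version number tells scanners what to try.
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"server header leaks version: {server!r}")
    # 'unsafe-inline' lets an injected inline <script> run despite the CSP.
    if "'unsafe-inline'" in headers.get("content-security-policy", ""):
        findings.append("csp allows 'unsafe-inline'")
    # A short HSTS max-age expires the pin after one day of no visits.
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append("hsts max-age below one year")
    # A wildcard origin lets any website read the API response in a browser.
    if headers.get("access-control-allow-origin") == "*":
        findings.append("cors allows any origin")
    # Browsers have dropped the XSS auditor; a strict CSP is the replacement.
    if "x-xss-protection" in headers:
        findings.append("x-xss-protection is obsolete; rely on csp")
    return findings


if __name__ == "__main__":
    for label, dump in (("baseline", BASELINE), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in audit_headers(parse_headers(dump)) or ["no findings"]:
            print(" -", finding)
```

Run against the two dumps, the baseline trips every "missing" check plus the Server banner, while the hardened set is left with exactly the compromises the text admits to: 'unsafe-inline' for Swagger UI, the wildcard origin for the project partner, the one-day HSTS lifetime, and the obsolete X-XSS-Protection header.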
Deploy the Flask App with Gunicorn as Docker
Now we have a Flask API with additional headers and can deploy it behind a WSGI server like Gunicorn. As said, if you deploy via Docker, it is a simple one-liner to change in your Dockerfile.
# Configure the WSGI server
ENV GUNICORN_CMD_ARGS="--bind=0.0.0.0:5000 --workers=4 --access-logfile=- --error-logfile=-"
# instead of CMD ["python3", "main.py"]
CMD ["gunicorn", "main:app"]
Now Gunicorn serves your Flask app (the object named "app" in main.py) and handles the traffic. Since --bind=0.0.0.0:5000 listens on every interface of the container, publish that port only where it is meant to be reached, and remember that Gunicorn still speaks plain HTTP here: TLS has to be terminated by a proxy or load balancer in front of the container.
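Once the one-liner starts growing, Gunicorn can read the same settings from a config file. The following gunicorn.conf.py is an added example, not part of the original post or the CartoX project, and its values are assumptions for a setup like the one described here. It keeps the bind address and logging of the Dockerfile above and adds request-size limits and a proxy trust setting, which the one-liner leaves at Gunicorn's defaults.

```python
# gunicorn.conf.py (added example; values are assumptions for this setup)
# Start with: gunicorn -c gunicorn.conf.py main:app
import multiprocessing

# Same binding and logging as the GUNICORN_CMD_ARGS one-liner above.
bind = "0.0.0.0:5000"
accesslog = "-"
errorlog = "-"

# Gunicorn's documented starting point for the number of sync workers.
workers = multiprocessing.cpu_count() * 2 + 1

# Gunicorn keeps its worker heartbeat files on disk; in Docker the
# documentation recommends a tmpfs so a slow disk cannot stall workers.
worker_tmp_dir = "/dev/shm"

# Tighter than Gunicorn's defaults (4094 / 100 / 8190): oversized request
# lines and header blocks, like the junk in the logs above, are rejected
# by Gunicorn before they ever reach Flask.
limit_request_line = 2048
limit_request_fields = 50
limit_request_field_size = 4096

# Workers that are stuck longer than this are killed and restarted; slow
# clients should be buffered by a reverse proxy rather than by sync workers.
timeout = 30
keepalive = 2

# Only trust X-Forwarded-* headers from the proxy in front of the container.
# "*" would let any client claim an arbitrary scheme and source address.
forwarded_allow_ips = "127.0.0.1"  # assumed proxy address
```

Use it by replacing the CMD line with CMD ["gunicorn", "-c", "gunicorn.conf.py", "main:app"] and copying the file into the image next to main.py.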
Summary
It's pretty simple to develop a Flask-based API with Flask-RESTPlus, but as it comes out of the box you can only use it for development. To make it battle-ready, you have to do some extra work. This is just a basic setup and we are not a security company; there may be many other attack scenarios that are not covered. But for now, we are releasing it into the wild…