Conversation

Copilot AI commented Nov 3, 2025

Built a Flask-based threat intelligence enrichment platform that aggregates data from VirusTotal, AbuseIPDB, and Shodan APIs for IP addresses and domains.

Backend Architecture

Flask API (app.py)

  • /api/enrich - POST endpoint accepting {indicator, type}, returns aggregated threat data
  • /api/health - System status and API key configuration check
  • CORS enabled for cross-origin requests
  • Sanitized error responses (no stack trace exposure)

Modular Enrichers (enrichers/)

from abc import ABC, abstractmethod

class BaseEnricher(ABC):
    def __init__(self, api_key):
        self.api_key = api_key  # Allows None for graceful degradation

    @abstractmethod
    def enrich(self, indicator, indicator_type=None):
        # Subclasses return a dict of provider-specific fields for the indicator
        pass

  • virustotal.py - Detection stats, reputation scores (IP/domain)
  • abuseipdb.py - Abuse confidence scores, report counts (IP only)
  • shodan.py - Open ports, services, OS detection (IP only)

Configurable constants: MAX_AGE_DAYS=90, MAX_SERVICES_DISPLAY=5

Frontend

Responsive SPA (static/)

  • Gradient purple theme with modern card-based layout
  • Client-side validation (IP regex, label-based domain validation)
  • No ReDoS vulnerabilities (removed nested quantifiers)
  • ARIA labels for screen reader accessibility

// Efficient domain validation without exponential backtracking
function isValidDomain(domain) {
    if (!domain || domain.length < 3 || domain.length > 253) return false;
    
    const labels = domain.split('.');
    for (const label of labels) {
        if (label.length > 63 || !/^[a-zA-Z0-9-]+$/.test(label)) return false;
        if (label.startsWith('-') || label.endsWith('-')) return false;
    }
    return labels.length >= 2 && /^[a-zA-Z]+$/.test(labels[labels.length - 1]);
}

Configuration

  • .env.example - API key template
  • .gitignore - Excludes .env, __pycache__, virtual environments
  • requirements.txt - Flask 3.0.0, flask-cors 4.0.0, python-dotenv 1.0.0, requests 2.31.0

Security

  • ✅ CodeQL clean (0 alerts)
  • Fixed stack trace exposure in exception handling
  • Fixed ReDoS in domain validation regex
  • Environment-based secret management

Screenshots

Main Interface (screenshot)

Results View (screenshot)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • api.abuseipdb.com
    • Triggering command: python3 app.py (dns block)
  • api.shodan.io
    • Triggering command: python3 app.py (dns block)
  • www.virustotal.com
    • Triggering command: python3 app.py (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Build a Flask-based backend and HTML/JS frontend to enrich security alerts (IP/domain) using VirusTotal, AbuseIPDB, and Shodan APIs. Include modular enrichers, .env for secrets, CORS support, and a user-friendly web interface.

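The backend pattern the comment above describes (BaseEnricher subclasses, a None api_key meaning "degrade gracefully", sanitized error responses, IP/domain validation), as an added example that is not the PR's code. It uses only the standard library so it runs offline: the two Stub*Enricher classes, their sample data, and the classify_indicator / enrich_indicator functions are constructed for this example and are not names from the PR. It also goes one step beyond the comment, which only mentions client-side validation: the indicator is re-validated on the server, because a browser-side regex is a usability aid, not a security boundary.

```python
"""Server-side indicator validation plus enrichment aggregation (added example)."""
from abc import ABC, abstractmethod
import ipaddress
import logging
import re

log = logging.getLogger(__name__)

# One label at a time, no nested quantifiers: linear-time matching, no ReDoS
LABEL_RE = re.compile(r"^[a-zA-Z0-9-]+$")
TLD_RE = re.compile(r"^[a-zA-Z]+$")


def classify_indicator(indicator):
    """Return ('ip', canonical) or ('domain', lowercased), or None if invalid.

    Runs on the server regardless of what the browser already checked.
    """
    value = indicator.strip()
    try:
        return "ip", str(ipaddress.ip_address(value))  # IPv4 and IPv6
    except ValueError:
        pass
    if not 3 <= len(value) <= 253:
        return None
    labels = value.lower().split(".")
    if len(labels) < 2 or not TLD_RE.match(labels[-1]):
        return None
    for label in labels:
        if not 1 <= len(label) <= 63 or not LABEL_RE.match(label):
            return None
        if label.startswith("-") or label.endswith("-"):
            return None
    return "domain", ".".join(labels)


class BaseEnricher(ABC):
    name = "base"
    supports = ("ip", "domain")

    def __init__(self, api_key):
        self.api_key = api_key  # None: source is not configured, never called

    @abstractmethod
    def enrich(self, indicator, indicator_type=None):
        pass


class StubReputationEnricher(BaseEnricher):
    """Constructed stand-in for a VirusTotal-style IP/domain lookup (no network)."""
    name = "stub_reputation"

    def enrich(self, indicator, indicator_type=None):
        sample = {  # constructed sample data
            "198.51.100.7": {"malicious": 12, "harmless": 60},
            "example.com": {"malicious": 0, "harmless": 70},
        }
        return sample.get(indicator, {"malicious": 0, "harmless": 0})


class StubIPOnlyEnricher(BaseEnricher):
    """Constructed stand-in for an IP-only source (AbuseIPDB/Shodan style)."""
    name = "stub_ip_only"
    supports = ("ip",)

    def enrich(self, indicator, indicator_type=None):
        if indicator == "198.51.100.7":
            # Simulated upstream failure whose message embeds the secret
            raise RuntimeError("upstream timeout, key=" + str(self.api_key))
        return {"abuse_confidence": 0}


def enrich_indicator(indicator, enrichers):
    """Aggregate enricher output into (response_body, http_status).

    Invalid input gets a generic 400; an unconfigured enricher is reported
    as not_configured rather than called; an enricher that raises contributes
    a generic error while the exception (and anything it embeds) goes only
    to the server log.
    """
    classified = classify_indicator(indicator)
    if classified is None:
        return {"ok": False, "error": "invalid indicator"}, 400
    kind, canonical = classified
    results = {}
    for enricher in enrichers:
        if kind not in enricher.supports:
            results[enricher.name] = {"status": "unsupported", "data": None}
        elif enricher.api_key is None:
            results[enricher.name] = {"status": "not_configured", "data": None}
        else:
            try:
                data = enricher.enrich(canonical, kind)
                results[enricher.name] = {"status": "ok", "data": data}
            except Exception:
                log.exception("enricher %s failed for %s", enricher.name, canonical)
                results[enricher.name] = {"status": "error", "data": None}
    return {"ok": True, "indicator": canonical, "type": kind, "results": results}, 200
```

In a Flask route, enrich_indicator's return pair maps directly onto `jsonify(body), status`; the important property is that the exception text never reaches that body, only log.exception, so a provider error message that echoes the request (including the key) stays on the server.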

Copilot AI changed the title [WIP] Build Flask backend with HTML/JS frontend for alert enrichment Implement Flask backend and web UI for security alert enrichment with VirusTotal, AbuseIPDB, and Shodan Nov 3, 2025
Copilot AI requested a review from rodriveracr November 3, 2025 19:16
Copilot finished work on behalf of rodriveracr November 3, 2025 19:16