Share
## https://sploitus.com/exploit?id=A030C540-7B23-5025-9AE8-2EB3E9FB84B5
# Laravel Threat Detection

**Know who's attacking your Laravel app โ€” without changing a single line of code.**

A zero-config, middleware-based Web Application Firewall (WAF) for Laravel. Drop it in, and it instantly starts detecting SQL injection, XSS, RCE, scanner bots, DDoS patterns, and 40+ other attack types โ€” logging everything to your database with full geo-enrichment and a built-in dark-mode dashboard.

> Extracted from a production application. Battle-tested with real traffic.

---

## Why This Package?

| Problem | Solution |
|---------|----------|
| Laravel has no built-in request-level threat detection | This package scans every request through 100+ regex patterns |
| External WAF services cost money and add latency | Runs entirely within your app โ€” zero external dependencies |
| Security logs are scattered across server files | Centralized database logging with API + dashboard |
| You don't know who's probing your app right now | Real-time Slack alerts + live threat count endpoint |

---

## Dashboard Preview

The package ships with a built-in dark-mode dashboard (Alpine.js + Tailwind CDN โ€” zero build step):




```
+------------------------------------------------------------------+
|  Threat Detection Dashboard                                       |
+------------------------------------------------------------------+
|  Total: 847  |  High: 23  |  Med: 156  |  Low: 668  |  IPs: 94  |
+------------------------------------------------------------------+
|  [โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ Timeline Chart - 7 Day Stacked Bar โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ]          |
+------------------------------------------------------------------+
|  Search: [___________]  Level: [All โ–ผ]                           |
|  Time         IP              Type              Level    URL      |
|  Mar 2 14:02  185.220.101.4   SQL Injection     HIGH    /api/... |
|  Mar 2 13:58  45.33.32.156    XSS Script Tag    HIGH    /search  |
|  Mar 2 13:45  192.168.1.10    Scanner: Nikto    MEDIUM  /admin   |
+------------------------------------------------------------------+
|  Top IPs              |  Threats by Country                       |
|  185.220.101.4  [23]  |  US โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 234                     |
|  45.33.32.156   [18]  |  CN โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 156                         |
|  103.152.220.1  [12]  |  RU โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆ 98                            |
+------------------------------------------------------------------+
```

> Enable with `THREAT_DETECTION_DASHBOARD=true` in your `.env`

---

## Quick Start

```bash
# Install
composer require jayanta/laravel-threat-detection

# Publish & migrate
php artisan vendor:publish --tag=threat-detection-config
php artisan vendor:publish --tag=threat-detection-migrations
php artisan migrate
```

Register the middleware:

**Laravel 11+ (bootstrap/app.php):**
```php
->withMiddleware(function (Middleware $middleware) {
    $middleware->web(append: [
        \JayAnta\ThreatDetection\Http\Middleware\ThreatDetectionMiddleware::class,
    ]);
})
```

**Laravel 10 (app/Http/Kernel.php):**
```php
protected $middlewareGroups = [
    'web' => [
        // ... other middleware
        \JayAnta\ThreatDetection\Http\Middleware\ThreatDetectionMiddleware::class,
    ],
];
```

**That's it.** Your app is now detecting threats.

---

## Features

- **40+ Attack Patterns** โ€” SQL injection, XSS, RCE, directory traversal, SSRF, XXE, Log4Shell, and more
- **Scanner Detection** โ€” SQLMap, Nikto, Nmap, Burp Suite, Acunetix, WPScan, Dirbuster
- **Bot Detection** โ€” Suspicious user agents, automated scripts, headless browsers
- **DDoS Monitoring** โ€” Rate-based threshold detection with configurable windows
- **PII Detection** โ€” Sensitive data exposure patterns (configurable per region)
- **Geo-Enrichment** โ€” Country, city, ISP, cloud provider identification via free API
- **Slack Alerts** โ€” Real-time notifications for high-severity threats
- **Built-in Dashboard** โ€” Dark-mode Blade dashboard (Alpine.js + Tailwind CDN)
- **12 API Endpoints** โ€” Full REST API for custom Vue/React/mobile dashboards
- **CSV Export** โ€” One-click threat log export
- **Correlation Analysis** โ€” Detect coordinated attacks and attack campaigns
- **Database Agnostic** โ€” MySQL, PostgreSQL, SQLite, SQL Server
- **Zero Config** โ€” Works out of the box with sensible defaults

---

## Configuration

Add to your `.env` file:

```env
# Core
THREAT_DETECTION_ENABLED=true

# Whitelist IPs (comma-separated, supports CIDR)
THREAT_DETECTION_WHITELISTED_IPS=127.0.0.1,10.0.0.0/8

# DDoS thresholds
THREAT_DETECTION_DDOS_THRESHOLD=300
THREAT_DETECTION_DDOS_WINDOW=60

# Notifications
THREAT_DETECTION_NOTIFICATIONS=true
THREAT_DETECTION_SLACK_WEBHOOK=https://hooks.slack.com/services/...
THREAT_DETECTION_SLACK_CHANNEL=#threat-alerts

# API & Dashboard
THREAT_DETECTION_API=true
THREAT_DETECTION_DASHBOARD=true
```

### Slack Notifications (Laravel 11+)

Laravel 11 removed the built-in Slack channel. Install separately:

```bash
composer require laravel/slack-notification-channel
```

### Environment Note

By default, detection runs in `production`, `staging`, and `local`. Change in your published config:

```php
'enabled_environments' => ['production', 'staging', 'local'],
```

---

## API Endpoints

The package provides 12 authenticated REST endpoints for building custom dashboards.

> **Security:** API routes use `auth:sanctum` middleware by default. Update `api.middleware` in your config to change.

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/api/threat-detection/threats` | List threats (paginated, filterable) |
| GET | `/api/threat-detection/threats/{id}` | Single threat details |
| GET | `/api/threat-detection/stats` | Overall statistics |
| GET | `/api/threat-detection/summary` | Detailed breakdown by type, level, IP |
| GET | `/api/threat-detection/live-count` | Threats in last hour |
| GET | `/api/threat-detection/by-country` | Grouped by country |
| GET | `/api/threat-detection/by-cloud-provider` | Grouped by cloud provider |
| GET | `/api/threat-detection/top-ips` | Top offending IPs |
| GET | `/api/threat-detection/timeline` | Threat timeline (for charts) |
| GET | `/api/threat-detection/ip-stats?ip=x.x.x.x` | Stats for specific IP |
| GET | `/api/threat-detection/correlation` | Correlation analysis |
| GET | `/api/threat-detection/export` | Export to CSV |

### Query Parameters for `/threats`

| Parameter | Description |
|-----------|-------------|
| `keyword` | Search in IP, URL, type |
| `ip` | Filter by IP address |
| `level` | Filter by threat level (high, medium, low) |
| `type` | Filter by threat type |
| `country` | Filter by country code |
| `is_foreign` | Filter foreign IPs (true/false) |
| `cloud_provider` | Filter by cloud provider |
| `date_from` / `date_to` | Date range |
| `per_page` | Items per page (default: 20) |

---

## Artisan Commands

```bash
# View threat stats in CLI
php artisan threat-detection:stats

# Enrich logs with geo-data
php artisan threat-detection:enrich --days=7

# Purge old logs
php artisan threat-detection:purge --days=30
```

---

## Using the Facade

```php
use JayAnta\ThreatDetection\Facades\ThreatDetection;

// Get IP statistics
$stats = ThreatDetection::getIpStatistics('192.168.1.1');

// Detect coordinated attacks
$attacks = ThreatDetection::detectCoordinatedAttacks(15, 3);

// Detect attack campaigns
$campaigns = ThreatDetection::detectAttackCampaigns(24);

// Get correlation summary
$summary = ThreatDetection::getCorrelationSummary();
```

---

## Custom Patterns

Add your own detection patterns in `config/threat-detection.php`:

```php
'custom_patterns' => [
    '/your-regex-pattern/i' => 'Your Threat Label',
    '/another-pattern/' => 'Another Threat',
],
```

Configure threat level mappings:

```php
'threat_levels' => [
    'high' => ['XSS', 'SQL Injection', 'RCE', 'Token', 'Password'],
    'medium' => ['Directory Traversal', 'LFI', 'SSRF', 'Config'],
    'low' => ['User-Agent', 'Bot', 'Rate'],
],
```

---

## Building Custom Frontends

### Vue.js

```javascript
async mounted() {
    const response = await fetch('/api/threat-detection/stats');
    this.stats = await response.json();

    const threats = await fetch('/api/threat-detection/threats?per_page=20');
    this.threats = await threats.json();
}
```

### React

```jsx
useEffect(() => {
    fetch('/api/threat-detection/stats')
        .then(res => res.json())
        .then(data => setStats(data));
}, []);
```

---

## Detected Attack Types

| Category | Examples |
|----------|---------|
| **Injection** | SQL injection, NoSQL injection, command injection, LDAP injection |
| **XSS** | Script tags, event handlers, JavaScript URIs, DOM manipulation |
| **Code Execution** | RCE, PHP deserialization, template injection, eval() |
| **File Access** | Directory traversal, LFI/RFI, sensitive file probes (.env, wp-config) |
| **SSRF** | Localhost access, AWS/GCP metadata endpoints |
| **Authentication** | Brute force detection, token leaks, password exposure |
| **Scanners** | SQLMap, Nikto, Nmap, Burp Suite, Acunetix, WPScan |
| **Bots** | Automated scripts, suspicious user agents, headless browsers |
| **DDoS** | Rate-based excessive request detection |
| **XXE** | XML external entity attacks |
| **Log4Shell** | JNDI injection attempts |

---

## Geo-Enrichment

Enrich threat logs with country, city, ISP, and cloud provider data:

```bash
php artisan threat-detection:enrich --days=7
```

Uses the free [ip-api.com](http://ip-api.com) service (HTTP, rate-limited to 45 req/min โ€” auto-throttled).

---

## Testing

```bash
composer test
```

The package includes 19 tests covering service detection, middleware behavior, and API endpoints.

---

## Requirements

- PHP 8.1+
- Laravel 10.x, 11.x, or 12.x

---

## License

MIT License. See [LICENSE](LICENSE) for details.

## Contributing

Contributions are welcome! Please submit a Pull Request.

## Credits

- [Jay Anta](https://github.com/jay123anta)