JSON Web POST with Python

An earlier post outlined how to set up a Microsoft Flow workflow to generate a notification on a phone when a web request is made. This post outlines how to create such a web request using the popular scripting language Python.

Install Python

  • Ensure that Python (version 3) is installed on the system
  • During this process it is important to ensure that Python is added to the system PATH variable
    • This allows Python to be called from the command line
    • Having this ability will make it significantly easier to schedule this script to run when events occur, which is likely to be the role of the script.
  • After Python is installed, we must install the “requests” library
    • This is the library that we will use to perform the actual request
    • Note: It is possible to perform the POST request without the “requests” library; however, I believe it to be the cleanest method.
    • To install “requests” open a command line and enter “pip install requests”
      • If you get an error running this command, it is likely that Python was not added correctly to the system’s PATH variable

The Code Itself

  • First we need to import the “requests” library we just installed into the Python script
    • This is done with the following code:
    • import requests
  • Next we need to define the URL to which the request will be made
    • This can be found in the workflow you created previously and will be unique to each Flow
    • URL = "https://prod-02.australiasoutheast.logic.azure.com:443/workflows/......."
  • Next we need to define the JSON that will be sent in the request to provide the parameters to our notification service
    • For my notification I only had two parameters, a source and a message
    • For the purpose of this example I have set the source parameter to be “Computer” and the message parameter to be “42”
    • Parameters = {"Source" : "Computer", "Message" : "42"}
  • Finally, we perform the actual request to the server
    • For the request to execute, we need to provide it with the URL and parameters we defined earlier
    • Request = requests.post(URL, json = Parameters)
  • After running the code you should now get a notification on your phone
  • By changing the values contained in the parameters section you can change the contents of the messages to whatever you wish.
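
The steps above as one script, written as an added example rather than the code from the original post. It assumes the Flow URL carries its access token in the query string, so the URL is read from a hypothetical FLOW_URL environment variable and stripped of its query before anything is printed; redact, build_payload and send_notification are illustrative names.

```python
import os
from urllib.parse import urlsplit, urlunsplit


def redact(url):
    """Drop the query string (assumed to hold the access token) before logging."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def build_payload(source, message):
    """The same two parameters as in the post; values are forced to strings."""
    return {"Source": str(source), "Message": str(message)}


def send_notification(url, source, message, post=None, timeout=10):
    """POST the JSON payload; return True on a 2xx response, False otherwise."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send to a non-HTTPS URL: " + redact(url))
    if post is None:
        import requests  # imported here so the helpers above work without it
        post = requests.post
    try:
        response = post(url, json=build_payload(source, message), timeout=timeout)
    except OSError as exc:
        # requests.RequestException derives from OSError and its message can
        # contain the full URL, so only the exception type is printed.
        print("request to", redact(url), "failed:", type(exc).__name__)
        return False
    if not 200 <= response.status_code < 300:
        print("request to", redact(url), "returned", response.status_code)
        return False
    return True


if __name__ == "__main__":
    # FLOW_URL is an assumed environment variable holding the workflow URL.
    ok = send_notification(os.environ["FLOW_URL"], "Computer", "42")
    raise SystemExit(0 if ok else 1)
```

The exit code is non-zero when the notification was not accepted, which lets a scheduler report the failure.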

New Hosting Provider

For over three years this blog was hosted on a shared server offered by BlueHost. However, six months ago I lost control of the admin account. From what I could gather an adversary had been able to socially engineer BlueHost support into changing the administrator email address to one under their control. Once this had been achieved, they were able to perform password recovery and gain access to the admin account.

Once they had access, they shut down the server running my blog and launched a high-power instance which worked up a considerable bill. After much pain I managed to regain access to the admin account and removed the powerful instance. Luckily, BlueHost refunded the cost of the powerful instance.

After this occurred I started looking for other methods of hosting my blog. Initially, I looked at hosting on Amazon Web Services. This method would have given me the best control over the blog as I could create a small Linux EC2 instance and then install WordPress to run my blog. However, this method would have also required me to maintain the site and server, a task I don’t believe I currently have time for.

The solution to this problem was brought to my attention by one of the security podcasts I often listen to, “Security Now”. One of the sponsors of the show is WordPress.com, which provides you with a WordPress site of your own that is fully maintained by them. Additionally, their pricing was very reasonable and included the costs of registering the domain.

I created this blog on WordPress.com and will now have the fun of moving my domain registration and blog content over. Hopefully it won’t be too hard.

Additionally, the security of my blog appears to be sufficient. The WordPress.com site supports two-factor authentication using either my phone or an authenticator app. I elected to use the authenticator app to eliminate the risk of the SMS message being intercepted or the telecommunications provider being socially engineered and allowing a SIM swap. Another security benefit provided is that my blog is now running over HTTPS, resulting in my login information being encrypted when it is sent to the site. Hopefully, these measures will be enough to keep the site safe this time.