St3fan: Created page with " Some basic examples of common vulnerabilities found in Python web applications. == Embedded API Credentials == TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje" TWITTER_OAUTH_SEC..."

2012-12-19T17:09:40Z

Created page with " Some basic examples of common vulnerabilities found in Python web applications. == Embedded API Credentials == TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje" TWITTER_OAUTH_SEC..."

New page

Some basic examples of common vulnerabilities found in Python web applications.

== Embedded API Credentials ==

TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje"
TWITTER_OAUTH_SECRET = "dkejkdjekdjkejdkjekdjekjdkjed"

AWS_CREDENTIALS = { 'key': 'djekjdkejde', 'secret': 'dncndmncdmncd' }

There are also a good amount of very popular wrappers for third party (web) services that we can detect and see if for example static strings are passed to constructors or functions that are known to take credentials.

== Constructed SQL/HTML/JavaScript ==

response = "<html>%s</html>" % something

request = "<html>%s</html>" % request.parameters('something')

== References to internal hosts ==

LOG_SERVER = "secret.logging.internal.mozilla.com"

r = requests.get("http://some.internal.hosts.that.should.be.hidden")

== Python API calls that should raise warnings ==

import commands
template_vars['output'] = commands.getstatusoutput('/usr/bin/process_soemthing')

Questionable useage of MD5:

hashed_password = hashlib.md5(request.params['foo']).hexdigest()

I'm sure we can make a nice list of things to avoid.

== Common vulnerability patterns ==

Need to work on a nice list of dos and donts.

Common Python Code Vulnerabilities - Revision history

St3fan: Created page with " Some basic examples of common vulnerabilities found in Python web applications. == Embedded API Credentials == TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje" TWITTER_OAUTH_SEC..."