Common Python Code Vulnerabilities
From MozillaWiki
Some basic examples of common vulnerabilities found in Python web applications.
Embedded API Credentials
TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje"
TWITTER_OAUTH_SECRET = "dkejkdjekdjkejdkjekdjekjdkjed"
AWS_CREDENTIALS = { 'key': 'djekjdkejde', 'secret': 'dncndmncdmncd' }
There are also a good number of very popular wrappers for third-party (web) services that we can detect, and then check whether, for example, static strings are passed to constructors or functions that are known to take credentials.
Constructed SQL/HTML/JavaScript
response = "<html>%s</html>" % something
request = "<html>%s</html>" % request.parameters('something')
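The same string-building pattern shown above, as an added example that is not part of the original page, placed beside its hardened form: for HTML the fix is escaping before interpolation, for SQL it is letting the driver bind the parameter. The untrusted inputs and the sqlite3 table are constructed for the example.

```python
import html
import sqlite3

# Constructed sample inputs (not from the page): what attacker-controlled
# request parameters might look like.
UNTRUSTED_HTML = "<script>alert(1)</script>"
UNTRUSTED_NAME = "x' OR '1'='1"


def render_unsafe(something):
    # Vulnerable: untrusted text is interpolated straight into the markup.
    return "<html>%s</html>" % something


def render_safe(something):
    # Hardened: escape first; quote=True also escapes ' and " so the value is
    # safe inside attribute values as well as element content.
    return "<html>%s</html>" % html.escape(something, quote=True)


def setup_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: quotes inside name become SQL syntax.
    query = "SELECT role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Hardened: the parameter is bound by the driver and is only ever data.
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_HTML))
    print(render_safe(UNTRUSTED_HTML))
    db = setup_db()
    print("unsafe rows:", lookup_unsafe(db, UNTRUSTED_NAME))
    print("safe rows:  ", lookup_safe(db, UNTRUSTED_NAME))
```

The unsafe lookup returns every row because the quote in the input closes the string literal; the parameterised lookup returns nothing because no user is literally named `x' OR '1'='1`.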
References to internal hosts
LOG_SERVER = "secret.logging.internal.mozilla.com"
r = requests.get("http://some.internal.hosts.that.should.be.hidden")
Python API calls that should raise warnings
import commands
template_vars['output'] = commands.getstatusoutput('/usr/bin/process_something')
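A small AST-based scanner, added here as an example and not code from the page or from Mozilla, that implements the three detections described above: string literals assigned to credential-looking names (or passed as credential-looking keyword arguments), string literals containing internal hostnames, and imports of the `commands` module. The `.internal.` hostname suffix, the rule names and the sample file are assumptions constructed for the example; `connect` in the sample is a hypothetical function.

```python
import ast
import re

# Variable or keyword-argument names that suggest a credential (assumed list).
CREDENTIAL_NAME = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|CREDENTIALS)", re.I)
# Hostnames that should never be hard-coded; the .internal. suffix is an assumption.
INTERNAL_HOST = re.compile(r"\b[a-z0-9.-]+\.internal\.[a-z0-9.-]+\b", re.I)
# Modules whose import alone merits a warning (commands shells out via os.popen).
RISKY_MODULES = {"commands"}


def _has_string_literal(node):
    """True if any string literal occurs inside the expression (dicts, lists, ...)."""
    return any(isinstance(sub, ast.Constant) and isinstance(sub.value, str)
               for sub in ast.walk(node))


def scan_source(source):
    """Return a sorted list of (lineno, rule, detail) findings for one Python file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # NAME = "literal" or NAME = {...: "literal"} where NAME looks secret.
            for target in node.targets:
                if (isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id)
                        and _has_string_literal(node.value)):
                    findings.append((node.lineno, "embedded-credential", target.id))
        elif isinstance(node, ast.Call):
            # func(secret_key="literal"): static string passed where a credential goes.
            for kw in node.keywords:
                if (kw.arg and CREDENTIAL_NAME.search(kw.arg)
                        and isinstance(kw.value, ast.Constant)
                        and isinstance(kw.value.value, str)):
                    findings.append((node.lineno, "credential-argument", kw.arg))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in RISKY_MODULES:
                    findings.append((node.lineno, "risky-import", alias.name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            match = INTERNAL_HOST.search(node.value)
            if match:
                findings.append((node.lineno, "internal-host", match.group(0)))
    return sorted(findings)


# Constructed sample file reusing the page's own snippets; connect() is hypothetical.
SAMPLE = '''\
TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje"
AWS_CREDENTIALS = {'key': 'djekjdkejde', 'secret': 'dncndmncdmncd'}
LOG_SERVER = "secret.logging.internal.mozilla.com"
import commands
client = connect(api_key="abc123")
'''

if __name__ == "__main__":
    for lineno, rule, detail in scan_source(SAMPLE):
        print("line %d: %s (%s)" % (lineno, rule, detail))
```

Run it over a real tree with `scan_source(open(path).read())` per file; the scanner works on the syntax tree, so it is not fooled by whitespace or comments, but it also cannot see secrets built by concatenation at runtime.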
Questionable usage of MD5:
hashed_password = hashlib.md5(request.params['foo']).hexdigest()
I'm sure we can make a nice list of things to avoid.
Common vulnerability patterns
Need to work on a nice list of dos and don'ts.