Common Python Code Vulnerabilities

From MozillaWiki

Some basic examples of common vulnerabilities found in Python web applications.

Embedded API Credentials

TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje"
TWITTER_OAUTH_SECRET = "dkejkdjekdjkejdkjekdjekjdkjed"
AWS_CREDENTIALS = { 'key': 'djekjdkejde', 'secret': 'dncndmncdmncd' }

Many popular wrappers for third-party (web) services are also easy to recognise, so for those we can check whether static strings are passed to the constructors or functions that are known to take credentials (an access key and secret passed positionally to a client constructor, for example).

Constructed SQL/HTML/JavaScript

# Untrusted input interpolated straight into markup (the same applies to SQL and JavaScript):
response = "<html>%s</html>" % something
response = "<html>%s</html>" % request.params['something']  # request data rendered verbatim
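An added example (not from the original page) showing what the interpolation above does for HTML and for SQL, each beside its fixed form. It assumes a constructed in-memory SQLite table and a constructed injection string; the `html.escape` fix is for element content only and the parameterised query uses the standard `sqlite3` placeholder.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 0), ("carol", 0)])
    return conn


def render_unsafe(something):
    # The pattern from the page: request data interpolated straight into markup,
    # so a value such as "<script>...</script>" becomes live HTML.
    return "<html>%s</html>" % something


def render_safe(something):
    # html.escape turns <, >, &, " and ' into entities; the value is shown as
    # text and can no longer open or close tags. This is correct for element
    # content only: attribute values, URLs and inline JavaScript each need
    # their own context-specific encoding (let a templating engine do it).
    return "<html>%s</html>" % html.escape(something, quote=True)


def non_admin_unsafe(conn, name):
    # String-built SQL: the value becomes part of the statement, so quotes and
    # comment markers in it change what the query means.
    sql = "SELECT name FROM users WHERE name = '%s' AND is_admin = 0" % name
    return [row[0] for row in conn.execute(sql)]


def non_admin_safe(conn, name):
    # Parameterised query: the driver binds the value separately from the
    # statement text, so whatever it contains is compared as data.
    sql = "SELECT name FROM users WHERE name = ? AND is_admin = 0"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR 1=1 --"          # constructed injection string
    print(render_unsafe("<script>alert(1)</script>"))
    print(render_safe("<script>alert(1)</script>"))
    print(non_admin_unsafe(conn, payload))   # every user, admin included
    print(non_admin_safe(conn, payload))     # no such user: []
```

With the constructed payload the string-built query returns all three users, admin included, because `--` comments out the `is_admin = 0` clause; the parameterised version returns nothing, since the whole payload is compared as a name.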

References to internal hosts

import requests
LOG_SERVER = "secret.logging.internal.mozilla.com"
r = requests.get("http://some.internal.hosts.that.should.be.hidden")  # discloses internal naming if the code is published

Python API calls that should raise warnings

import commands  # Python 2 only; removed in Python 3
# getstatusoutput() passes its argument through the shell: shell injection if any
# part of the command string comes from a request. Use subprocess with a list instead.
template_vars['output'] = commands.getstatusoutput('/usr/bin/process_something')

Questionable usage of MD5 (an unsalted fast hash is not a password hash, and MD5 is collision-prone in general):

import hashlib
hashed_password = hashlib.md5(request.params['foo']).hexdigest()  # unsalted, fast: not a password hash
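The embedded-credential, internal-host, `commands` and MD5 patterns above can all be picked up by walking the parsed source rather than grepping it. The scanner below is an added example, not code from the original page or from Mozilla: it uses the standard `ast` module, and its name patterns, credential-taking call list (`connect_s3`, `OAuthHandler`, `connect`) and `.internal.` hostname rule are assumptions to be tuned for a real code base. The sample source it runs over is constructed for the example.

```python
import ast
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line rule detail")

# Assumed heuristics for this example; tune them for your own code base.
CREDENTIAL_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIALS", re.I)
CREDENTIAL_CALLS = {"connect_s3", "OAuthHandler", "connect"}   # wrappers taking creds positionally
INTERNAL_HOST = re.compile(r"[\w.-]+\.internal\.[\w.-]+")
DANGEROUS_MODULES = {"commands"}            # Python 2 shell-out helper, removed in Python 3
WEAK_HASHES = {("hashlib", "md5"), ("hashlib", "sha1")}


def _str_literal(node):
    """Return the value of a string constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, node, rule, detail):
        self.findings.append(Finding(node.lineno, rule, detail))

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in DANGEROUS_MODULES:
                self.report(node, "dangerous-import", alias.name)

    def visit_Assign(self, node):
        # NAME_TOKEN = "literal" or NAME_CREDENTIALS = {"key": "literal", ...}
        for target in node.targets:
            if not (isinstance(target, ast.Name) and CREDENTIAL_NAME.search(target.id)):
                continue
            value = node.value
            if _str_literal(value) is not None:
                self.report(node, "embedded-credential", target.id)
            elif isinstance(value, ast.Dict) and any(_str_literal(v) is not None for v in value.values):
                self.report(node, "embedded-credential", target.id)
        self.generic_visit(node)

    def visit_Constant(self, node):
        # Any string literal anywhere that names an internal host.
        text = _str_literal(node)
        if text is not None and INTERNAL_HOST.search(text):
            self.report(node, "internal-host", text)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            qualified = (func.value.id, func.attr)
            if qualified in WEAK_HASHES:
                self.report(node, "weak-hash", ".".join(qualified))
            if func.value.id in DANGEROUS_MODULES:
                self.report(node, "shell-call", ".".join(qualified))
        # A string literal passed positionally to a known credential-taking call.
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in CREDENTIAL_CALLS and any(_str_literal(a) is not None for a in node.args):
            self.report(node, "credential-in-call", name)
        self.generic_visit(node)


def scan(source):
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


# Constructed sample module exhibiting each pattern from the page.
SAMPLE = """\
import commands
import hashlib
import boto

TWITTER_OAUTH_TOKEN = "dkedjekdjekldjekldje"
AWS_CREDENTIALS = {'key': 'djekjdkejde', 'secret': 'dncndmncdmncd'}
LOG_SERVER = "secret.logging.internal.mozilla.com"
s3 = boto.connect_s3("AKIAXXXXXXXXXXXXXXXX", "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx")
output = commands.getstatusoutput("/usr/bin/process_something")
hashed = hashlib.md5(password).hexdigest()
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print("line %d: %s (%s)" % (f.line, f.rule, f.detail))
```

Working on the AST rather than raw text means a credential inside a comment or a docstring is not reported as a call argument, and a call such as `hashlib.md5(...)` is found however it is nested; the cost is that names bound indirectly (`h = hashlib.md5; h(...)`) are missed, which is the usual trade-off for a lint-style check.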

I'm sure we can make a nice list of things to avoid.

Common vulnerability patterns

Still to do: a list of dos and don'ts.