This talk describes various things in Python that, if used incorrectly, can lead to security risks. It shows examples of insecure serialization that can lead to remote code execution attacks, examples of how an attacker can leverage those, and ways to fix it (at least for the yaml module). It also shows ways to exploit eval calls that someone attempted to sandbox, and describes pwnlib.safeeval, which can be used to evaluate expressions (and more) in a secure fashion. In the end, it describes a Python reversing challenge from the Python Challenges competition hosted at the PyCon PL conference.
Resources:
Presented at
- PyCon PL 2018: an earlier but more technically deep version
- Noc Informatyka 1.1 (2018): an earlier version
Authored by
- Dominik 'disconnect3d' Czarnota