Python Security

The Python language is used in many different settings – from command-line tools to complex Web applications. Many of these Python programs are exposed to attack, either by being directly accessible through the Internet or by directly processing user-provided data in a server environment. Developers must therefore be extremely cautious in how to use different technologies securely, and should also have a deep understanding in secure coding techniques and potential pitfalls.

Interested in attending? Have a suggestion about running this event near you?
Register your interest now


Client-side security
JavaScript security
Same Origin Policy
Simple requests
Preflight requests
Exercise – Same-Origin Policy
JavaScript usage
JavaScript Global Object
Dangers of JavaScript
Exercise – Client-side authentication
Client-side authentication and password management
Protecting JavaScript code
Exercise – IFrame, Where is My Car?
Protection against Clickjacking
Anti frame-busting – dismissing protection scripts
Protection against busting frame busting

AJAX security
Script injection attack in AJAX
Exercise – XSS in AJAX
XSS protection in AJAX
Exercise CSRF in AJAX – JavaScript hijacking
CSRF protection in AJAX

HTML5 security
New XSS possibilities in HTML5
HTML5 clickjacking attack – text field injection
HTML5 clickjacking – content extraction
Form tampering
Exercise – Form tampering
Cross-origin requests
HTML proxy with cross-origin request
Exercise – Client side include

XML security
XML parsing
XML parsing in Python
XML bomb
Exercise – XML bomb

JSON security
Embedding JSON server-side
JSON injection
JSON hijacking
Case study – XSS via spoofed JSON element

Python security architecture
Python architecture
Python applications and their attack surfaces
Authentication and authorization
Authentication in Python
Authorization in Python
Authentication and authorization in Django
Authentication and authorization in Flask
Code protection in Python
Python bytecode
Modifying the Python runtime
Weaknesses in the techniques
Other protection methods
Related security issues

Practical cryptography
Rule #1 of implementing cryptography
Elements of a cryptosystem
Cryptographic libraries in Python – overview
Symmetric-key cryptography
Providing confidentiality with symmetric cryptography
Symmetric encryption algorithms
Modes of operation

Symmetric encryption
Other cryptographic algorithms
Hash or message digest
Hash algorithms
Message Authentication Code (MAC)
Providing integrity and authenticity with a symmetric key
Random number generation
Random numbers and cryptography
Cryptographically-strong PRNGs
Weak PRNGs in Python
Random numbers
Hardware-based TRNGs

Asymmetric (public-key) cryptography
Providing confidentiality with public-key encryption
Rule of thumb – possession of private key
The RSA algorithm
Introduction to RSA algorithm
Encrypting with RSA
Combining symmetric and asymmetric algorithms
Digital signing with RSA
Asymmetric encryption

Public Key Infrastructure (PKI)
Man-in-the-Middle (MitM) attack
Digital certificates against MitM attack
Certificate Authorities in Public Key Infrastructure
X.509 digital certificate

Common coding errors and vulnerabilities
Input validation
Input validation concepts
Integer problems
Representation of negative integers
Integer overflow
Integers in Python
Integer problems in Python
Exercise IntOverflow
Path traversal vulnerability
Path traversal vulnerability
Path traversal – weak protections
Path traversal – best practices
Path traversal mitigation
Unvalidated redirects and forwards
Redirects in Django
Log forging
Some other typical problems with log files
Executing user-controlled code in Python
Dangerous code execution – eval() and exec()
Dangerous code execution – input()
String formatting issues in Python
Format string problems in Python
Information leakage – can you guess the output?

Improper use of security features
Typical problems related to the use of security features
Password management
Exercise – Weakness of hashed passwords
Password management and storage
Special purpose hash algorithms for password storage
PBKDF2 and scrypt implementations in Python
Argon2 and bcrypt implementations in Python
Case study – the Ashley Madison data breach
Typical mistakes in password management

Dangers of reflection in Python
Python introspection and reflection – features and risks
Dynamic loading
Module injection
Monkey patching
Monkey patching example
Function hijacking
Exercise – Module injection in Python

Improper error and exception handling
Typical problems with error and exception handling
Exception handling in Python
Empty except block
Overly broad except
Using multi-except
Returning from finally block – spot the bug!
Exercise ErrorHandling – spot the bug!
Exercise – Error handling
Relying on assertions for error checking – spot the bug!

Time and state problems
Concurrency and threading
Concurrency issues in Python
Concurrency modules in Python
The threading module
Synchronization options
The Global Interpreter Lock
Performance and the GIL
GIL management
Bypassing the GIL
A quote from Guido van Rossum
Exercise – GIL performance
Exercise – Concurrency issues
Time-of-check-to-time-of-use (TOCTTOU)
Serialization errors
Preventing file I/O TOCTTOU in Python
Exercise - TOCTTOU

Code quality problems
Dangers arising from poor code quality
Immutability – guess the output!
Context managers
Resource management in Python
Releasing resources – spot the bug!
An even better solution
Behind the with statement
@contextmanager decorator – spot the bug!
@contextmanager decorator – handling error

Denial of service
DoS introduction
Asymmetric DoS
Regular expression DoS (ReDoS)
Exercise ReDoS
ReDoS mitigation
Case study – ReDos in Stack Exchange
Hashtable collision attack
Using hashtables to store data
Hashtable collision
Hash tables in Python

Principles of security and secure coding
Matt Bishop’s principles of robust programming
The security principles of Saltzer and Schroeder

Knowledge sources
Secure coding sources – a starter kit
Vulnerability databases
Python secure coding resources
Recommended books – Python security

Learning Outcomes

  • Understand basic concepts of security, IT security and secure coding
  • Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
  • Learn about XML security
  • Learn client-side vulnerabilities and secure coding practices
  • Understand security concepts of Web services
  • Learn about JSON security
  • Learn about Python security architecture
  • Have a practical understanding of cryptography
  • Learn about typical coding mistakes and how to avoid them
  • Learn about denial of service attacks and protections
  • Get sources and further readings on secure coding practices

Subscribe to Newsletter

Enter your email address to register to our newsletter subscription delivered on regular basis! 


© Copyright ICSI, Limited
(International CyberSecurity Institute) 2023