python_security

Overview

This repository collects lists of security-relavent Python APIs, along with examples of exploits using those APIs. Currently it only contains remote code/command execution libraries.

Usage

To work with the code in this repo, you must be in a virtual environment:

$ cd /path/to/python_security
$ python3.8 -m venv venv
$ source venv/bin/activate
(venv) $ pip3.8 install -r requirements.txt

Interactive Server

You can launch the server to interactively play with the examples:

(venv) $ FLASK_APP=webapp.app.py FLASK_ENV=development flask run -h localhost -p 2121

This will let you generate payloads for arbitrary code, and run those payloads on your own machine.

JSON Formatted Data

All the vulnerable functions covered by this repository are available in machine-readable format in sinks.json. sinks.json can be regenerated by running scripts/generate_sink_list.py.

Testing

When adding a new exploit, you can validate it by running the tests:

(venv) $ python3 -m unittest

Contributing

PRs are welcome. If you're looking for ideas, look at the "Future Work" section in code_execution/README.md. Before submitting an exploit, make sure to run the tests and include evidence of testing in the PR.