SCPy - Writing Secure Code in Python

Learn how to write secure code in Python3 and its most common web frameworks - Django and Flask

Python is a general-purpose programming language that empowers developers to use several different programming styles as per their preference, style, or proficiency. As one of the more easy-to-learn and -use languages, Python is ideal for beginners and experienced coders alike. It has been holding the second place among the most used and demanded programming languages since 2019.

Python comes with an extensive library set available on the 'marketplaces' that developers can simply use to increase their productivity and speed up the delivery of software. Along with everything else, there have been multiple frameworks and libraries developed in Python to support the development of web applications. The list itself is extensive but in this course, we will focus on Django and Flask.

During this course, we will look at how vulnerabilities get introduced into Python projects. We will cover the most common vulnerabilities applicable in (all) other languages but also Python-specific ones in web solutions built with Django and Flask.

An example of vulnerable code from our hands-on labs of this trainings. Did you spot the 'bad code', yet?

def block_list(url):
	block_list = [".", "//", "%2e"]
	for b in block_list:
		if url.find(b) != -1:
			return True
	return False

@app.route("/go-to", methods=['GET'])
def redirector():
    go_to_page = request.args.get('u')
    if block_list(go_to_page):
    	return render_template("index.html", content = "Woops! No way.")
    return redirect(go_to_page, 302)

Email us if you figured out the bypass for bonus points!


  • Knowledge of Python3

  • Knowledge of MVC design patterns

  • Familiar with Python framework - Django, Flask

  • Familiar with most common frontend technologies and languages HTML, CSS and JavaScript

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

Tools used

  • Any IDE

  • Docker (docker-compose)

  • Burp Suite Community edition

  • Coffee or Tea ☕️



The hacking mindset

Think like a hacker, act like a hacker, to understand the hacker

Secure coding introduction

Secure coding principles


OWASP Top 10 2021

OWASP ASVS and security requirements

CVSS: how to rate vulnerabilities

Security features

Django Security

Flask Security

Python security

Server side Vulnerabilities

Injection vulnerabilities

We will look at the class of injection vulnerablities such as SQL Injection, Command injections and more

LAB: SQL Injection in Django

LAB: SQL Injection in Flask

LAB: Command and Code Injection

LAB: Deserialization in python libraries

LAB: Server Side Template Injection in Flask

LAB: XML External Entities

LAB: Server Side Request Forgery

Race condition

Client side vulnerabilities

Client side web vulnerabilities

We will look at the most common vulnerabilities that affect victims through their web browsers

LAB: XSS (Cross Side Scripting)

DOM, Stored and Reflected

LAB: Client side Open Redirect

LAB: CSRF (Cross Site Request Forgery)

LAB: CSTI (Client Side Template Injection)

AuthNZ vulnerabilities and attacks

Authentication and Authorization principle s in web security

LAB: IDOR (Insecure Direct Object Reference)

LAB: Path traversal in Flask

LAB: JWT attacks

Secret bruteforce, None algorithm attacks

LAB: Attacking wrong OAuth2 implementations

Vulnerable and Outdated Dependencies

Dependency graphs

The importance of SCA (Static Component Analysis)

LAB: Detecting known vulnerabilities using Snyk

Integrate SCA in the CI/CD pipeline

Scanning your code using Semgrep

Semgrep basics

LAB: Semgrep for Flask

LAB: Semgrep for Django

Semgrep automation


Stefan Petrushevski

Why should you attend this course?

This course will teach you the inside out of exploiting and securing Python applications via real-life examples, targeting different frameworks and techniques. If you are a Python developer this is the course for you.

More info? Contact us at

Last updated