SCPy - Writing Secure Code in Python

Learn how to write secure code in Python3 and its most common web frameworks - Django and Flask

Python is a general-purpose programming language that lets developers use several different programming styles according to their preference, style, or proficiency. As one of the easier languages to learn and use, Python is ideal for beginners and experienced coders alike. It has held second place among the most used and in-demand programming languages since 2019.

Python comes with an extensive set of libraries, available on package 'marketplaces', that developers can simply use to increase their productivity and speed up software delivery. Among these, multiple frameworks and libraries have been developed in Python to support web application development. The list is extensive, but in this course we will focus on Django and Flask.

During this course, we will look at how vulnerabilities get introduced into Python projects. We will cover the most common vulnerabilities, which apply in (all) other languages as well, but also Python-specific ones in web solutions built with Django and Flask.

An example of vulnerable code from this training's hands-on labs. Did you spot the 'bad code' yet?

from flask import Flask, request, redirect, render_template

app = Flask(__name__)

def block_list(url):
    # Deny-list filter: the target is rejected if it contains any of these substrings
    block_list = [".", "//", "%2e"]
    for b in block_list:
        if url.find(b) != -1:
            return True
    return False

@app.route("/go-to", methods=['GET'])
def redirector():
    # Redirect target is taken straight from the 'u' query parameter
    go_to_page = request.args.get('u')
    if block_list(go_to_page):
        return render_template("index.html", content="Woops! No way.")
    return redirect(go_to_page, 302)

Email us if you figured out the bypass for bonus points!
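A hardened replacement for the deny-list check above, added here as an example and not part of the training's lab code: instead of searching the raw string for forbidden substrings, it parses the target with the standard library, accepts only same-site paths, and rebuilds the result from the parsed pieces. The function name safe_redirect_target and the "/" fallback are my own choices; it uses only urllib.parse, so it runs without Flask.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(url, default="/"):
    """Return a same-site path derived from `url`, or `default` if it is not one.

    Allow-list approach (hypothetical helper, not the lab's code): only targets of the
    form /segment?query#fragment are accepted. Anything carrying a scheme or a host
    (absolute URL, protocol-relative //host), anything that fails to parse, and a
    missing value all fall back to `default`.
    """
    if not url:
        return default
    # Browsers treat backslashes in the authority part like forward slashes,
    # so normalise them before parsing rather than trusting the raw string.
    candidate = url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return default
    # A scheme or a network location means the target leaves this site.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # Require an absolute local path; reject "//" so the result can never
    # be read as protocol-relative, and reject bare relative names.
    if not path.startswith("/") or path.startswith("//"):
        return default
    # Rebuild from parsed components so only path, query and fragment survive;
    # extra leading slashes or host material from the input do not.
    return urlunsplit(("", "", path, parts.query, parts.fragment))
```

In the route, `return redirect(safe_redirect_target(request.args.get('u')), 302)` replaces the block_list check; Django ships an equivalent helper, django.utils.http.url_has_allowed_host_and_scheme.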

Prerequisites

  • Knowledge of Python3

  • Knowledge of MVC design patterns

  • Familiarity with the Python web frameworks Django and Flask

  • Familiarity with the most common frontend technologies and languages: HTML, CSS and JavaScript

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

Tools used

  • Any IDE

  • Docker (docker-compose)

  • Burp Suite Community edition

  • Coffee or Tea ☕️

Syllabus

Trainers

Stefan Petrushevski

Why should you attend this course?

This course teaches you the ins and outs of exploiting and securing Python applications through real-life examples that target different frameworks and techniques. If you are a Python developer, this is the course for you.

More info? Contact us at trainings@dcodx.com
