Tags: web, python, checklist, methodology

First-pass triage checklist for Python web targets — parser disagreement, cache/pickle, import hooks, and validation-vs-execution splits.

When the Stack is Python

A quick triage list for what to think about first when you confirm a Python web stack, before committing to any single exploit path.

Checklist

  • Think about URL parser disagreement before trying only direct SSRF payloads.
  • Think about FileSystemCache, deterministic filenames, and whether serialization is still pickle.
  • Think about import-time code hooks such as sitecustomize.py when you get arbitrary write but not immediate execution.
  • Think about pycurl, XML parsing, latin1, .find(".//..."), and whether the app mixes "validation parse" and "execution parse".
  • Think about Jinja globals, GraphQL introspection, and all low-level HTTP differences between frontend and backend servers.
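
The first and fourth items share one defensive pattern: parse the untrusted URL exactly once and make every decision (allowlist check, port check, and the string handed to the HTTP client) from that single parse result, so a "validation parse" and an "execution parse" can never read different hosts. The following is an added example, not code from the page or from any project it describes; `ALLOWED_HOSTS`, `normalize_target` and `fetch_url_for` are constructed names, and the allowlist contents are assumed.

```python
from typing import Optional
from urllib.parse import SplitResult, urlsplit, urlunsplit

# Constructed allowlist of backend hosts this service is permitted to call.
ALLOWED_HOSTS = frozenset({"api.internal.example", "cdn.example"})


def normalize_target(raw_url: str) -> Optional[SplitResult]:
    """Parse raw_url once and return a rebuilt SplitResult if it may be fetched.

    Every rejection below sits at a place where a loose validation parse and
    the HTTP client's own parse are prone to disagree: the scheme, userinfo
    before '@', hostname case and trailing dots, the port, and the fragment.
    """
    try:
        parts = urlsplit(raw_url)
        port = parts.port            # raises ValueError for a malformed port
        username, password = parts.username, parts.password
        host = parts.hostname        # lowercased, IPv6 brackets removed
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if username is not None or password is not None:
        return None                  # never needed for an allowlisted backend
    if not host:
        return None
    host = host.rstrip(".")          # "api.internal.example." is the same host
    if host not in ALLOWED_HOSTS:
        return None
    if port is not None and port not in (80, 443):
        return None
    # Rebuild the netloc from the validated pieces only, so the request layer
    # cannot see any authority component that the check did not.
    netloc = host if port is None else f"{host}:{port}"
    return SplitResult(parts.scheme, netloc, parts.path or "/", parts.query, "")


def fetch_url_for(raw_url: str) -> Optional[str]:
    """The string to hand to the HTTP client, or None if the URL was rejected."""
    parts = normalize_target(raw_url)
    return None if parts is None else urlunsplit(parts)


if __name__ == "__main__":
    for candidate in ("https://API.internal.example./v1/users?x=1",
                      "https://user:pw@api.internal.example/",
                      "ftp://api.internal.example/"):
        print(candidate, "->", fetch_url_for(candidate))
```

The point of rebuilding the `SplitResult` rather than returning the original string is that the fetch layer receives only the scheme, host and port the check approved; any component the check ignored is gone before a second parser can interpret it.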

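For the third item, the check a defender wants is an inventory of where the interpreter executes code at start-up: `sitecustomize.py` and `usercustomize.py` modules, and `.pth` lines beginning with `import ` (which the `site` module passes to `exec()`). The scanner below is an added example, not code from the page or from any project it describes; `HOOK_MODULES`, `pth_exec_lines`, `scan_dirs`, `scan_interpreter` and `demo_fixture` are constructed names, and the fixture files it builds in a temporary directory are constructed test data.

```python
import os
import site
import sys
import tempfile
from typing import Dict, List

# File names that the site module imports automatically at interpreter start.
HOOK_MODULES = ("sitecustomize.py", "usercustomize.py")


def pth_exec_lines(text: str) -> List[str]:
    """Return the lines of a .pth file's contents that site.py would exec().

    The site module executes any line beginning with 'import ' or 'import\\t';
    every other non-comment line is treated as a path to append to sys.path.
    """
    return [line for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def scan_dirs(dirs) -> Dict[str, List[str]]:
    """Map each hook file found directly under dirs to what it would run."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if not os.path.isfile(full):
                continue
            if name in HOOK_MODULES:
                findings[full] = ["<module imported at interpreter start-up>"]
            elif name.endswith(".pth"):
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = pth_exec_lines(fh.read())
                if hits:
                    findings[full] = hits
    return findings


def scan_interpreter() -> Dict[str, List[str]]:
    """Scan every directory the running interpreter consults for hooks."""
    dirs = list(sys.path)
    try:
        dirs += site.getsitepackages() + [site.getusersitepackages()]
    except AttributeError:  # some virtualenv layouts lack getsitepackages()
        pass
    return scan_dirs(dict.fromkeys(dirs))  # de-duplicated, order preserved


def demo_fixture() -> Dict[str, List[str]]:
    """Build a constructed directory with one file of each kind and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sitecustomize.py"), "w") as fh:
            fh.write("# constructed: would be imported on every start-up\n")
        with open(os.path.join(tmp, "hooks.pth"), "w") as fh:
            fh.write("lib/extra\nimport sys; sys.dont_write_bytecode = True\n")
        with open(os.path.join(tmp, "plain.pth"), "w") as fh:
            fh.write("lib/plain\n# just a path entry\n")
        return {os.path.basename(k): v for k, v in scan_dirs([tmp]).items()}


if __name__ == "__main__":
    for path, what in scan_interpreter().items():
        print(path, what)
```

Run it under the same interpreter and user the application runs as; the directories that matter are the ones that interpreter actually has on `sys.path`, which is why the scan starts from `sys.path` rather than from a fixed install location.
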
Sources

  • Aggregated from the Python section of the 2026 web corpus.