Python

Server-side Python web bugs — SSRF parser confusion, pickle and cache abuse, Jinja2 SSTI, XML and pycurl sinks, import-time code hooks, and request smuggling.

0 categories, 15 notes

Chain a messy write, an admin rename/move, and worker recycling to overwrite a real module path and execute code.

web python arbitrary-file-write code-execution gunicorn privilege-escalation

Decode numeric XML character references into literal CRLF and carry them through latin1 into a low-level request builder.

web python crlf-injection xml-entities pycurl latin1

Compare Digest nonce/opaque state held in a mutable Flask session against the advertised WWW-Authenticate values to find replay or fixation edges.

web python http-digest flask-session authentication replay

Race a still-open cache-directory FD through /proc/self/fd to plant a malicious pickle, then force code execution on the next cache read.

web python deserialization pickle race-condition flask

Introspect a GraphQL schema to leak a token via an over-trusted node resolver, then forge a JWT through RS256/HS256 confusion.

web python graphql introspection jwt algorithm-confusion

Inject Apache directives by feeding user data into a Python-generated .htaccess that crosses into a parser with its own escaping rules.

web python htaccess apache injection cross-parser

Smuggle a Jinja2 expression inside an email display name that survives weak validation and is later rendered server-side.

web python ssti jinja2 template-injection email-validation

Send a non-string JSON value where a string is expected so substring checks skip, then rely on later coercion to a usable path.

web python type-confusion json filename-validation arbitrary-file-write

Control the served Content-Type by storing a filename whose URL-like suffix changes the guessed MIME.

web python mime-confusion file-upload content-type xss

Push operator-shaped or filter-shaped input into Mongo or LDAP query contexts on directory-style login portals.

web python nosql-injection ldap-injection authentication-bypass mongodb

Desync a frontend and a Python backend that disagree on TE/CL, whitespace, or line endings to inject a second request.

web python request-smuggling http-desync gunicorn hypercorn

Plant code in an auto-imported module (sitecustomize.py) via a file-write primitive, then force a worker restart to execute it.

web python arbitrary-file-write code-execution sitecustomize gunicorn

Abuse the gap between the validator's URL parse tree and the HTTP client's normalization to reach internal hosts.

web python ssrf url-parsing parser-differential requests

Exploit tree-wide .//field lookups where the first depth-first match — not the visible top-level field — becomes the trusted value.

web python xml xpath ssrf pycurl

Infer cross-origin secrets from navigation timing, redirect behavior, or window state when direct reads are impossible.

web python xs-leak browser-bot timing-attack samesite