All Questions
374 questions with no upvoted or accepted answers
10 votes, 0 answers, 12k views
What is the best way to sanitize inputs with Flask and when using MongoDB?
I'm writing my application backend with Python Flask.
As part of the registration process, I have a form that sends the new user's information to my backend and then adds it to my MongoDB database.
I'...
6 votes, 0 answers, 1k views
HTTPS TLS Certificate Chain Validation Using Python Requests
I'm running a Windows service using Python 2.7.9.
As part of it I'm trying to connect to a server using HTTPS.
I'm using the requests module (2.7.0) to do it.
I'm also using the wincertstore (0.2) module to ...
6 votes, 0 answers, 333 views
Store Connection Parameters for SQLAlchemy securely
I'm writing an application in Python 2.7 + SQLAlchemy that will need to access hundreds of PostgreSQL databases, each on its own server. To connect using SQLAlchemy, an engine is created by passing ...
5 votes, 0 answers, 413 views
What's the best practice to store secret information in memory in Python?
So the problem is that I have some secrets (TOTP/HOTP keys) that need to be used consistently by my program, but I don't want a memory dump to just show them all. I'm talking about common people whose ...
5 votes, 0 answers, 352 views
How do I create an AppArmor profile for an application that runs using Python's twisted library?
I'm trying to create an AppArmor profile for a networking application that has access to ssh and runs using Python's twisted library. I have tried using aa-genprof to generate a profile. In another bash, ...
5 votes, 3 answers, 2k views
Keep a secret key safe in Python
I am aware that these questions have been asked before several times separately, and most of the answers I've found are "Python is not easy to obfuscate, because that's the nature of the language. If ...
4 votes, 0 answers, 397 views
What are recommended / minimum parameters for hashlib.scrypt?
The documentation of hashlib.scrypt is a bit short:
hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64)
The function provides scrypt password-based key derivation function as defined in ...
4 votes, 0 answers, 974 views
Logger configuration safety warning by SonarQube
After implementing logging functionality in a microservice, I sent the code through a SonarQube code-check. SonarQube keeps warning me about safety issues regarding loggers. I tried several things ...
4 votes, 0 answers, 2k views
Flask Talisman Content Security Policy
I want to use Flask-Talisman to secure my app:
SELF = '\'self\''
talisman = Talisman(
app,
content_security_policy={
'default-src': [
'https://fonts.googleapis.com',
...
4 votes, 0 answers, 1k views
Securely passing a password to subprocess.Popen via environment
I would like to securely ask a user for a password and then pass it to subprocess.Popen to run a command that requires it.
I have seen this question and that one, but I wonder if I can securely pass ...
4 votes, 1 answer, 3k views
Equivalent to Python's uuid.uuid4().hex in JavaScript?
Python has functionality to create hex UUIDs like so:
>>> import uuid
>>> uuid.uuid4().hex
'47be94c37e484e13ab04ed3c54a5b681'
Is it possible to do the same in client-side JavaScript, ...
4 votes, 0 answers, 693 views
How to implement a sandbox for an online-judge system?
OJs (Online Judges) allow users to upload arbitrary code snippets to execute on the server, but they also have a sandbox to prevent malicious code from running. For instance, on leetcode, if I submit this ...
4 votes, 0 answers, 459 views
Embedded Python security considerations
I'm embedding Python 3.4 in a C++ application. As an overview (or provide details if you can), what security considerations should I be thinking about if a user of the system is able to submit ...
3 votes, 0 answers, 180 views
Perl Moving Target Defense, prevent code injection attacks
I was looking for a modern solution for XSS prevention; on this page the author uses a technique known as:
Moving target defense (MTD), takes advantage of this gap between time
of check (exploit ...
3 votes, 0 answers, 247 views
Key Collision in DES3 Implementation of PyCrypto
I'm pretty new to cryptography and only a user really. I stumbled however over a very interesting "vulnerability" of the DES3 Cipher of the PyCrypto library.
I experimented with generating Private ...
3 votes, 0 answers, 1k views
Protecting or Licensing a Django Application
I am making a Django application and I am running into an issue. I know Python is interpreted and it would be impossible to completely fight against piracy, however I want to implement some sort of ...
3 votes, 1 answer, 150 views
Is compiling untrusted code in CPython considered safe?
In Python it's possible to compile a Python script without executing it (using the py_compile module, or Py_CompileString in C).
A lot is written on issues attempting to sand-box CPython (and how difficult it ...
3 votes, 1 answer, 316 views
Django admin form can be manipulated with Cross-Site Request Forgery (CSRF)
In my Django admin site, I run a vulnerability test and it shows the following threat:
An effective CSRF (Cross-Site Request Forgery) countermeasure for forms is to
include a hidden field with a ...
3 votes, 0 answers, 2k views
Using urandom in Windows
What happens when you use os.urandom(256) in Python on Windows?
The code shows:
def urandom(n):
"""urandom(n) -> str
Return a string of n random bytes suitable for cryptographic use.
...
3 votes, 0 answers, 314 views
Android Application Attack Surface Analyzer (A3SA)
I'm working on a report of a security laboratory named Quarkslab.
They made a report about Android OEM security:
http://www.quarkslab.com/dl/Android-OEM-applications-insecurity-and-backdoors-...
3 votes, 1 answer, 805 views
Injecting arbitrary code into a Python SimpleXMLRPC Server
In the Python docs of the SimpleXMLRPC Server, it is mentioned:
Warning: Enabling the allow_dotted_names option allows intruders to access your module's global variables and may allow intruders to ...
3 votes, 1 answer, 755 views
Wapiti Security tool: Getting "Invalid Syntax Error"
I followed the following steps:
Install Python27 and also download wapiti, placed it inside c:\wapiti-2.2.1.
Set environment variable for Python (var name: c:\python27).
Open python command prompt.
...
3 votes, 1 answer, 539 views
Python encryption scheme that supports multiple decryption keys
Is there a Python library that supports (symmetric) encryption of data with the possibility of using multiple decryption keys?
I have (sensitive) user data that must be stored encrypted in a database,...
3 votes, 1 answer, 728 views
WSGI, Werkzeug and form based authentication
I would like to implement a WSGI/Werkzeug based web application and need help implementing the form based authentication. I found repoze.who and think it solves most of my problems. It works fine with ...
2 votes, 0 answers, 42 views
Is my extremely simple website safe against XSS?
I made a website that gets your request path and returns it in a <link> tag like this:
<link rel="canonical" href="PATH_HERE">
You can go to any path you want and ...
2 votes, 0 answers, 144 views
Bandit B404 security issue with subprocess import?
According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 ...
2 votes, 0 answers, 78 views
Stop user from running malicious Python code in online compilers
I am developing an online compiler wherein a user can run Python code. My requirement is to run that Python code on the server side with exec. So I researched how I can completely eliminate some user ...
2 votes, 3 answers, 159 views
How do I make Python find words that look similar to a bad word, but not necessarily a proper word in English?
I'm making a cyberbullying detection Discord bot in Python, but sadly there are some people who may find their way around conventional English and spell a bad word in a different manner, like the n-...
2 votes, 1 answer, 505 views
Microservices security with FastAPI
I'm working on a personal project which makes use of Python, FastAPI and a microservices architecture.
I want to learn more about security so I'm trying to add some into this. I have read through the ...
2 votes, 1 answer, 1k views
Python http server for production
Python docs claim that "http.server is not recommended for production. It only implements basic security checks."
Is there another simple-to-use Python server (like http.server) with "...
2 votes, 0 answers, 30 views
Finding out how onClick attribute is generated as a client?
I have a pretty interesting question. I wanted to automate reserving timeslots for my university's gym as you need to book 3 days in advance if you want a chance at a workout. I am using a framework ...
2 votes, 0 answers, 156 views
ARP spoofing using scapy changes my own ARP table
I wrote an ARP spoofer in Python using Scapy which works fine. The only problem with it is that sending the malicious ARP packet also changes my own ARP table, which makes my host think that it is the ...
2 votes, 0 answers, 41 views
How to find where a package is used in Python?
I'm writing a program for commercial use and the company vulnerability scan gave me this.
Clicking on the links leads me to here https://nvd.nist.gov/vuln/detail/CVE-2018-15560. Now I'm sure I've never ...
2 votes, 0 answers, 2k views
Python subprocess.run in a secure way
My Python script has to run a binary available only via console, so I use subprocess.run and it looks like this:
CMD = [
"C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe",
"/...
2 votes, 0 answers, 5k views
(Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"
I am making an API request, and I've been having issues with the SSL certificate it seems.
requests.get(url=full_url, headers=headers, verify=certifi.where())
Gives me the error:
Max retries ...
2 votes, 2 answers, 2k views
How to secure a Python script SQL Server authentication
I am using a Python script to connect to a SQL Server database:
import pyodbc
import pandas
server = 'SQL'
database = 'DB_TEST'
username = 'USER'
password = 'My password'
sql='''
SELECT *
FROM ...
2 votes, 0 answers, 298 views
Unauthorized access and token not working
I have been struggling while trying to get Flask authentication to work.
I'm using this example: https://github.com/miguelgrinberg/REST-auth/blob/master/api.py
I have a user in mysql database, I can ...
2 votes, 2 answers, 166 views
Python script not appending my CSV with parsed XML data, no errors
I am trying to parse XML data from the National Vulnerability Database (NVD) in order to isolate vulnerabilities that are remotely executable (Access Vector = Network).
I have followed other ...
2 votes, 0 answers, 362 views
How to make a TensorFlow GAN model that attacks an OCR model
I was using the attack algorithms in Cleverhans to do OCR attacks. Basically, I am attacking a black-box mobile phone app that recognizes ID numbers from pictures.
I found C++ tesseract ...
2 votes, 0 answers, 558 views
GET STIX data from TAXII server based on indicators (IP and Hash)
I am working on a project where I need to retrieve STIX data from a TAXII server (HailaTaxii in my case) and parse the data for indicators and TTPs.
I am facing the below problem.
1) Unable to ...
2 votes, 0 answers, 294 views
Create a relatively safe eval
I read this Q&A and I'm not convinced it applies here.
I have an application where I want to allow mostly preset formulas to be set in widgets: for instance return last part of a string using str....
2 votes, 2 answers, 952 views
Flask Security rest API
Context
I'm creating a quote generation script using Python and Digital Ocean server (Ubuntu 16.04). Here's how it works:
End user fills out a form on a HubSpot hosted website
the form submission ...
2 votes, 0 answers, 169 views
Django: Make log-in time invariable to avoid user enumeration attack
Currently I'm having an issue where anyone can check if a user exists or not, simply by trying to log-in with the username and timing how long it takes to error out (non-existent usernames take a ...
2 votes, 0 answers, 3k views
DLL Injection - CreateRemoteThread
Hello again at StackOverflow!
I return for help on implementing DLL injection using Python, and the results have been fairly successful. I am using non-reflective injection ('CreateRemoteThread') to ...
2 votes, 1 answer, 710 views
Security considerations with server side urllib2.urlopen with url from user
I'd like users to be able to upload images from the web by providing a URL. I don't think I can get the client to fetch the image and upload it due to possible CORS issues and hotlink prevention, so I'...
2 votes, 1 answer, 437 views
Confirm if DDoS attack and how to block IP using Django and Apache http.conf
UPDATE
I've edited the conf file to this but the IPs are still hitting the server; we are hosted on a WebFaction shared server.
ServerRoot "/home/kbuzz/webapps/django/apache2"
LoadModule ...
2 votes, 0 answers, 2k views
Impersonation for Windows in Python 3 using win32security
I've been working on a way to access and modify privileges to a file on Windows via Python 3, more precisely with the win32security library.
From those 2 answers How to authorize/deny write access to ...
2 votes, 1 answer, 122 views
Restrict Python script locations
I'm wondering if there is a way of controlling from where Python scripts are allowed to run, so that only scripts in certain locations are allowed to be run by Python. We are running a Windows ...
2 votes, 0 answers, 258 views
What privileges should I give my MySQL database user for my Flask application?
Is there a standard set of privileges that should be given to the user used to access a Flask-SQLAlchemy database? For example, with
application.config['SQLALCHEMY_DATABASE_URI'] = 'mysql://app@127.0....
2 votes, 1 answer, 254 views
Django: Is this a viable alternative method for including CSRF tokens in template forms?
I usually add CSRF tokens to forms in templates in the format specified by the Django documentation:
<form action="" method="post">{{ csrf_token }}
...
</form>
However, I've seen ...