Every Python user knows that you can execute code using eval or exec, but what about yaml or str.format? This talk will take you on a walk through all the weird and wild ways that you can achieve code execution on a Python server (and trust me, I didn’t spoil the surprise by putting the weirdest ones in the description).
The talk should be equal parts practical and entertaining as we work through both real examples of code execution vulnerabilities found in running code and absurd remote code execution exploits. The talk will end on a practical note by explaining how Facebook detects and prevents the exploit vectors we discussed, using an open-source Python static analyzer called Pysa.
All demos are available at: https://github.com/gbleaney/python_security
Attendees are encouraged to download the demos and follow along at home.
To get started using static analysis to detect the vulnerabilities discussed in this talk, check out: https://pyre-check.org/docs/pysa-quickstart/