Preventing Pwnage against Python Pickle


If you’re a heavy python user you’ve probably come across the pickle module from the standard library at some point. You may have even heard that this library is dangerous. This post will take a look at how pickle works (at a high level), what the risks are, and risk prevention strategies.

What is Pickle?


What is a “ReDoS” Attack, and how can you make sure your code is safe?


What is DoS?

I’ve covered this in a few earlier posts, but DoS stands for Denial-of-Service. Denial-of-Service is a type of cyber attack technique where the attacker attempts to disrupt the availability of a service, application, or company. DoS attacks generally exist in one of two broad categories, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS). Both have the same general intent in mind, but they take very different forms. Within DoS there are network-based attacks and application-based attacks.

Application layer attacks, also sometimes called Layer 7 attacks, involve putting operational strain on the software serving the requests in such a way that it cannot handle additional requests — this is what we’ll be looking at with the ReDoS attack. …


Why Typosquatting is a Threat to Python Developers and their Companies

Based on Photo by Gwendal Cottin on Unsplash

The Setup

Imagine this: you’re a developer at Super Corp. You’re working on a new web application and you’re planning on building it using Flask. Like many MacBook Pros, your laptop has some keyboard issues. No biggie. Typing like the wind, you try to install Flask using pip. However, instead of typing pip install flask you end up with pip install flaskk.

The install completes in just a second, but you notice the typo. You uninstall flaskk and give the install a second try with the appropriate number of k’s. …


What’s your Infosec origin story?


I’ve always been fascinated by how other Cybersecurity professionals ended up in their roles. For some it was a childhood dream to be a hacker (or catch hackers) after watching an old school hacker movie, others fell into roles organically after a career in enterprise IT, and if we’re being honest, some are in it for the money. With record shortages in skilled security personnel, the field is growing with more and more diverse people with different backgrounds.

I’ve always enjoyed my own origin story (though I may be biased), partially because it was so unexpected. Here it is.

Notice: Any names and specific details have been changed due to privacy concerns.


Why does cloud sprawl happen and how can we control it?

Based on photo by Nicholas Swanson on Unsplash

First, what is cloud sprawl?

Cloud sprawl is the lack of controls against the expansion of an organization’s cloud instances, services or providers.

What are the dangers?

While instances and services are managed differently than providers, the lack of effective controls on any of these is a cause for concern for organizations.

A lack of visibility and control around the volume and types of instances and services offered by a Cloud Service Provider (CSP) is dangerous from a cost perspective as any unnecessary or untracked usage that is not contained can pose a serious financial burden. …


What are Wheels, Eggs, and Source Distributions?

Based on photo by Erol Ahmed on Unsplash

If you’ve done much Python development you’re probably familiar with installing dependencies using pip, or even easy_install, if you’ve been at this for a while. Whether you were aware of it or not, these dependencies likely came from the public Python Package Index (PyPI) or perhaps an internal mirror of the PyPI repository that is hosted by your company.

What you may not have been aware of is how these dependencies are actually packaged, delivered, and installed, and the differences between the different distribution types available for Python.

The Primary Distribution Types

There are two primary distribution types in use today, Built Distributions and Source Distributions. …


If you’re looking to learn more about vulnerability scanners on the cheap, look no further

Based on photo by Taylor Vick on Unsplash

Whether you’re a student, studying for certification, or a vulnerability management pro, finding cheap tools to satisfy educational requirements or satiate your scanning curiosity can be difficult. In this post I’ll be looking at my top 5 free vulnerability assessment tools.

Network Scanning vs. Vulnerability Assessment vs. Vulnerability Management

This terminology can get a little confusing. Network Scanning can often be boiled down to the act of port scanning and mapping a network. Vulnerability Assessment is one step beyond network scanning, adding a step to identify services and test for vulnerable software. Finally, Vulnerability Management is the process of identifying, prioritizing, and remediating vulnerabilities detected in a network. …


Python Boolean Operators can be Super Compact, but a Little Confusing

Based on photo by Michael Dziedzic on Unsplash

Most of us are familiar with and and or in python acting as logical operators in conditional expressions. For example:

However, they also have a somewhat less common use case where these keywords are used in a non-conditional context for the sake of brevity. Many purists do not consider this usage of and and or to be very Pythonic, regardless of brevity. I believe the reason for thinking this way is that these expressions can often be less clear than using the more traditional if/else construct.

How They Work

and, or, and not are what are sometimes known as short-circuit boolean operators. You can find them described briefly in the python documentation. …


What is a “Tarbomb” attack and how can you protect your python applications?


⚠️ The code in this post is meant for education purposes ONLY! If you don’t own or have explicit permission to do penetration testing against an application, DO NOT USE THIS CODE ⚠️

What is a Tarbomb?

A tarbomb can actually be a few different things. One common definition is similar to the XML bomb we looked at previously which expands from a small file into a very large object in memory, in this case the tar archive contains many, many files which flood the file system when extracted. …


If your CISO is asking whether your SOAR is CCPA complaint… what the hell does that mean?

Based on photo by Robert Bye on Unsplash

Technology is inundated with acronyms, and cybersecurity egregiously so. Here’s a quick cheatsheet to help you through your next certification, job interview, or day job. I’ve broken these down into categories, but as always CTRL-F is your friend here.

I’ve purposely excluded protocols and crypto-related terminology from this list. Please feel free to share anything you think I should include in the comments or if you’d like to see a more complete extension of this list.

The Classics

CIA

Also known as AIC, ICA, or the CIA Triad. This isn’t the US intelligence agency, but rather stands for Confidentiality, Integrity, and Availability, which are considered by many to be the primary pillars of Cybersecurity. …

About

Andrew Scott

Founder @OchronaSec | PANW, ex Expanse, ex Tenable | DevSecOps | Automation | All views are my own... and awesome
