Welcome

Welcome to PyFu, a practical handbook for discovering, understanding, and exploiting Python-related vulnerabilities, with a focus on web applications and the language internals that make them exploitable.

Start with the PyFu - Python Exploitation Handbook for the full introduction, then spin up the practice lab so you can follow along with every example.

Core Python Concepts

The language behavior that the rest of the handbook builds on.

• Python Under The Hood
• Python Introspection
• Python Object Model and MRO
• Python Magic Methods and Attributes
• Python Type Hinting and Annotations
• Python Packages
• Python Virtual Environment
• Python Web Interfaces

Python-based Vulnerabilities Anatomy

How individual vulnerability classes work at the language level. Start with the Python Vulnerability Anatomy section index.

• Python Command Injection
• Insecure Dynamic Code Evaluation and Execution in Python
• Serialization and Deserialization Concept
• Insecure Deserialization - Python Pickle
• Insecure Deserialization - Python Shelve
• Insecure Deserialization - Unsafe YAML Loading
• Insecure File Access and Path Traversal in Python
• Walking the Python Object Graph with subclasses()
• Import System Abuse with .pth Files and sys.meta_path
• Escaping Python exec and eval Sandboxes

Web Application Attacks

The same primitives applied to real Flask, FastAPI, and Streamlit applications.

Injection

• Server Side Template Injection (SSTI) in Flask Application
• Server Side Template Injection (SSTI) in AI Prompt Templates
• Prompt Injection in Python LLM Backends
• Vanilla Command Injection in Flask Application
• SQL Injection (SQLi) in Flask Application
• XML External Entity (XXE) Injection in Flask Application

Library-based attacks

• Python Jinja2 Server Side Template Injection
• Python LXML Insecure XML Parsing
• Python Requests Library SSRF via URL Parsing
• Python Pandas Library Arbitrary Command Execution

Authentication & Authorization

• Authentication Bypass via Unsafe Python Deserialization
• Authentication Bypass via Development Environment Headers Abuse
• Broken Access Control in Flask Applications
• Business Logic Vulnerabilities in Flask Applications
• Business Logic Vulnerabilities in FastAPI Applications

JWT attacks

• Introduction to JSON Web Tokens in Python
• Authentication Bypass via JWT Hardcoded Secret
• Authentication Bypass via Broken JWT Validation
• Forging JWTs with the none Algorithm
• Cracking Weak JWT Signing Keys
• JWT Algorithm Confusion (RS256 to HS256)
• JWT Header Injection via jku, jwk, and kid

Other

• Code Execution via Dynamic Python Code Invokation
• Server Side Request Forgery (SSRF) in Flask Applications
• Exposed FastAPI Documentation Page
• Insecure Flask Debug Mode and PIN Bypass
• Path Traversal in Flask Applications

Web Framework Internals

How the frameworks process requests, and where their security models break.

• Introduction to Flask Security Testing
• Introduction to FastAPI Security Testing
• Introduction to Streamlit Security Testing
• Introduction to FastMCP Security Testing

FastMCP concepts

• Running a FastMCP Server
• FastMCP Tools
• FastMCP Resources
• FastMCP Prompts
• FastMCP Authentication