If you are like many developers, you use one of several dynamic languages for writing applications. But languages can interact in undefined or, worse, defined yet astonishing ways that have serious implications for app security. Understanding these behaviors is key to securing your apps from malicious users. These commonly used languages—Ruby, Java, and Python—should serve to illustrate the security-related challenges that exist in all programming languages, and what you can do to address them.
Python: Don’t get in a pickle
Due to its balance of simplicity and power, Python is one of the top languages. Furthermore, its versatility has resulted in a thriving ecosystem across many different applications, from simple tools to complex web apps to data science. Python provides a serialization mechanism known as “pickles.” These are extremely useful because they are convenient, and people have used them for a variety of things, including cookie values and auth tokens. It can also be tempting to use a powerful mechanism in a way that ultimately results in compromised security.
Consider this approximation of the code that the server framework Twisted once used for handling authentication tokens:

```python
import base64
import cPickle  # Python 2; the stdlib pickle module behaves the same way

def verifyAuth(self, headers):
    try:
        # The token is unpickled before its HMAC is checked, so the
        # deserializer runs on bytes that have not yet been authenticated.
        token = cPickle.loads(base64.b64decode(headers['AuthToken']))
        if not check_hmac(token['signature'], token['data'], getSecretKey()):
            raise AuthenticationFailed
        self.secure_data = token['data']
    except:
        # A bare except also hides any error raised inside the unpickling step.
        raise AuthenticationFailed
```
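As an added example, not code from the article or from Twisted, here is the same check done in the safer order: the HMAC is verified over the raw bytes before anything is parsed, and pickle is replaced by JSON so that deserialization can only produce data. The key, the token layout (payload followed by a 32-byte tag) and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads it from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag appended to the payload

class AuthenticationFailed(Exception):
    pass

def issue_token(data: dict, key: bytes = SECRET_KEY) -> str:
    """Encode data as JSON and append an HMAC-SHA256 over the exact bytes that get checked."""
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()

def verify_token(token: str, key: bytes = SECRET_KEY) -> dict:
    """Check the MAC before parsing anything, then deserialise with a data-only format.

    json.loads can only build plain data, unlike pickle.loads, which runs code while
    reconstructing objects; and no unauthenticated bytes ever reach the parser.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise AuthenticationFailed("malformed token") from exc
    if len(raw) <= TAG_LEN:
        raise AuthenticationFailed("token too short")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AuthenticationFailed("bad signature")
    try:
        data = json.loads(payload)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise AuthenticationFailed("malformed payload") from exc
    if not isinstance(data, dict):
        raise AuthenticationFailed("unexpected payload type")
    return data

def token_is_valid(token: str, key: bytes = SECRET_KEY) -> bool:
    """Yes/no wrapper for callers that do not need the payload."""
    try:
        verify_token(token, key)
        return True
    except AuthenticationFailed:
        return False
```

A token altered by even one character, or issued under a different key, is rejected before `json.loads` ever sees it.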