Skip to content
AttackIUM
Training

Offensive Security Training

Built and delivered by advanced engineers who actively break complex real-world systems.

Courses

Offensive Python: Exploitation Patterns in Complex and Modern Systems

ADVANCED

Participants learn to analyze Python applications the way attackers do; tracing execution paths, abusing implicit behavior, chaining safe features into exploits, and turning subtle design decisions into reliable attack vectors. This course assumes deep Python familiarity and targets red teamers, vulnerability researchers, and security engineers working on production-grade systems.

Module 1: Python as an RCE Delivery Mechanism
  • Code execution primitives hidden in “utility” functions
  • eval, exec, compile, ast.literal_eval abuse chains
  • pickle, yaml.load, jsonpickle, marshal exploitation patterns
  • Import-time code execution and weaponized side effects
  • __reduce__ __reduce_ex__ and object resurrection
  • Reviewing plugins, hooks, workers, and task queues for implicit execution
Module 2: Deserialization, Object Injection & Logic Corruption
  • Object injection via deserialization without direct execution
  • Type confusion in deserialized objects
  • Trust-boundary bypass using __init__ __setstate__, and __del__
  • Exploiting implicit assumptions in task payloads and RPC layers
  • Abuse of dataclasses, attrs, and ORM hydration
  • Cross-process deserialization in Celery, RQ, custom workers
Module 3: Sandbox Escapes & 'Safe Execution' Delusions
  • Escaping restricted eval environments
  • Breaking globals() / locals() isolation
  • Abusing object graphs, closures, and frame objects
  • Reaching os, sys, or file descriptors indirectly
  • Escaping Jinja2, Mako, and custom template engines
  • Reviewing “safe expression evaluators” and policy engines
Module 4: Async, Concurrency & Race-Condition Exploitation
  • TOCTOU vulnerabilities in async Python
  • Race conditions across asyncio, threads, and processes
  • Exploiting cancellation, retries, and idempotency failures
  • Queue poisoning and task replay attacks
  • Reentrancy bugs in async frameworks
  • Event-loop starvation as a DoS primitive
Module 5: Python-Specific Web Exploitation Patterns
  • Jinja2 exploitation beyond basic SSTI
  • SSRF via URL handlers, SDKs, and cloud metadata clients
  • Path traversal via pathlib, os.path, and archive extraction
  • Request smuggling helpers, internal-only routes, and trust headers
  • Abuse of background jobs, webhooks, and internal APIs
  • Reviewing middleware and request lifecycle hooks
Module 6: Supply Chain, Dependency & Build-Time Attacks
  • Malicious Python packages and typosquatting
  • setup.py, pyproject.toml, and build hook execution
  • Dependency confusion in private indexes
  • Runtime code injection via monkey patching
  • Reviewing vendored libraries and internal forks
  • Abuse of dynamic imports and plugin discovery

Training Philosophy

  • No recorded fluff.
  • Real vulnerabilities.
  • Real exploitation paths.
  • Focused on attacker thinking, not checklists.