PyFu

PyFu - Python Exploitation Handbook

This is an early release of PyFu! New content will be published weekly, so stay tuned!

Welcome to PyFu, a practical handbook built for offensive engineers, penetration testers, and security researchers, with a dedicated focus on discovering, understanding, and exploiting Python-related vulnerabilities, especially in the context of web applications.

PyFu is designed as a tactical guide, providing hands-on insights directly applicable to real-world offensive operations; it is not intended to be a comprehensive reference for Python exploitation.

PyFu primarily focuses on the inner workings and security models of Python’s most widely adopted web frameworks, including Flask, FastAPI, Django, and Streamlit. It breaks down how these frameworks are structured, how they process web requests, and highlights common misconfigurations and vulnerability patterns that can be exploited.

Beyond web frameworks, PyFu also dives into Python internals, covering topics such as deserialization, dynamic code evaluation, and introspection, among other concepts.

It offers practical insights into how Python behaves at a lower level, which is essential for understanding more advanced exploitation techniques.

Additionally, PyFu includes guidance on static code analysis techniques for Python from a security perspective, helping you identify insecure code patterns during security code analysis.

All the examples and techniques are supported by a fully integrated local Docker-based lab environment, allowing you to test, explore, and practice each scenario safely and consistently.

PyFu is built to sharpen your skills in identifying and exploiting Python-based security issues from application logic to the internals of the language itself.