Not long ago, my friend’s company (let’s say amazingCorp
)conducted a Pen test against the whole codebase and identified a few security vulnerabilities. One of them being adding samesite
attribute to all cookies if it’s absent.(e.g. mostamazingCorp
.com
cannot make cross-domain requests to API.amazingCorp.com)
. To be more specific, he wants:
Given I am on a non amazingCorp domain e.g mostamazingCorp.com
When I am making an http get or post request to api.amazingCorp.com
Then I should not be able to complete the requestGiven I am on a amazingCorp subdomain e.g login.amazingCorp.com
When I am making an http get or post request to api.amazingCorp.com …
Not long ago, I was tasked to assess our current Content Security Policy (CSP) and find out ways to improve it. It took me longer than I thought, as I need to familiarise myself with the terminologies and protocols before go into implementation detail.
Content-Security-Policy(CSP) is the name of a HTTP response header (or as meta
tag) that browsers use to safeguard your site.
You may ask “aren’t we already have CORS and Same-site policy? Well, attackers have found clever ways to compromise the system. For example, Cross-site scripting (XSS) attack originates from the browser’s inability to distinguish between script from your application and script that’s been maliciously injected by a third-party but faked to be part of your application. …
Descriptor is any object which defines the methods __get__()
, __set__()
, or __delete__()
. When a class attribute is a descriptor, its special binding behaviour is triggered upon attribute lookup. Normally, using a.b to get, set or delete an attribute looks up the object named b in the class dictionary for a, but if b is a descriptor, the respective descriptor method gets called.
Descriptors are Python objects that implement any of the method of the descriptor protocol:
__get__(self, obj, type=None) -> object
__set__(self, obj, value) -> None
__delete__(self, obj) -> None
__set__()
or __delete__()
, it is a data descriptor. …Not long ago, my friend’s company (let’s say amazingCorp
conducted a Pen test against the whole codebase and identified a few security vulnerabilities. One of them being a loose CORS policy which allows domains ending with amazingCorp
.com
(e.g. mostamazingCorp
.com
) to make cross-domain requests to API.amazingCorp.com
.
This can be leveraged to steal information about users. As a result, some user coercion is required and there are other mitigating factors detailed in this report.
Below is a ticket my friend created for this problem:
Given I am on a non amazingCorp domain e.g mostamazingCorp.com
When I am making an http request to api.amazingCorp.com …
Most object-oriented programming languages have the concept of a constructor, a method that creates and initialises the object when it is created.
For Python, the constructor is split into __init__
(for initialisation)and __new__
(for creation).
Let’s look at how the other languages deal with constructor
first.
In JavaScript, the constructor
method is a syntax sugar method of a class
for creating and initialising an object of that class. And class
is another syntax sugar for a type of function
.
class Polygon {
constructor() {
this.name = ‘Polygon’;
}
}const poly1 = new Polygon();console.log(poly1.name);
// expected output: “Polygon”
When the code new Polygon(...)
is executed, the following things…
Remember in previous blog about ABC (Abstract Base Class) we can pass (metaclass=ABCMeta)
? Have you ever wondered what is metaclass and how can we use it?
To understand that, we need to understand the python Class (we are talking about new-style class) first.
The difference between old and new style class is the unity of class and type. Since with x being an instance of a new-style class, type(x) is x.__class__
, while with old style, type(x) is type <'instance'>
:
>>> class Example:
... pass
>>> e = Example()
>>> e.__class__
<class '__main__.Example'>
>>> type(e)
<class '__main__.Example'>
>>> e.__class__ …
As a strongly typed dynamic language, python has no enforcement of interface
like with static typed language such as Java. While it does introduce type annotations, but this can still be challenging when constructing more complex object such as a class for subclassing.
Luckily, protocol
was introduced. It is similar to interfaces in that they define a collection of methods/attributes on an object and force the implementation to conform with the definition. But it is informal, meaning it is known as an accepted truth or defined in documentation but not strictly in code.
Protocols are widely supported and used especially in Python’s builtin classes. …
If you are like me who have a few months experience of Python, then you might be in the same position as me — know something about Python, but not enough. So I spent sometime to gather bits and pieces of scattered knowledge to dig deeper into Python. In this blog, the piece will be iterable and iterator.
But before we choose between iterable and iterator, what does iteration mean?
Iteration is a process of taking each item in a list one after another.
And now we are coming down to iterable and iterator.
An Iterable is an object capable of returning its members one at a time. …
If you are like me who have a few months experience of Python, then you might be in the same position as me — know something about Python, but not enough. So I spent sometime to gather bits and pieces of scattered knowledge to dig deeper into Python. In this blog, the piece will be scopes and closures.
In computer programming, the scope of a name binding — an association of a name to an entity, such as a variable — is the part of a program where the name binding is valid, that is where the name can be used to refer to the entity. In other parts of the program the name may refer to a different entity (it may have a different binding), or to nothing at all (it may be unbound). …
If you are like me who have a few months experience of Python, then you might be in the same position as me — know something about Python, but not enough. So I spent sometime to gather bits and pieces of scattered knowledge to dig deeper into Python. In this blog, the piece will be the Python Class Attributes, Class and Static Methods as well as @property decorator.
First, let’s look at the class attribute— both exist on the class itself but not on the instance of class.
class MyClass:
class_var = "class variable" def __init__(self, instance_var):
self.instance_var = instance_vardef display(self):
print("This is class variable :" + MyClass.class_var) …