PyScript Vulnerabilities/Expected Behavior

Update (12/May/2022): I reported the observations below to the PyScript team and they have confirmed that these are expected behavior. Since the Emscripten filesystem is in the user's browser memory itself, there is no harm in being able to list files, access files or write to arbitrary locations. Refer to this issue.

Introduction: Vulnerabilities I found in PyScript.

Vulnerability 1: File System Browsing. Using the glob module, which is part of the Python Standard Library, the Emscripten filesystem can be browsed....

May 11, 2022 · 3 min · Rizal

PyScript - XSS PoC's and Other Shenanigans

What is PyScript? PyScript is a Pythonic alternative to Scratch, JSFiddle, and other "easy to use" programming frameworks, with the goal of making the web a friendly, hackable place where anyone can author interesting and interactive applications. Reference: PyScript Git Repo. Note: Only modules in the Python Standard Library are available.

PyScript Hello World:

    <html>
      <head>
        <link rel="stylesheet" href="https://pyscript.net/alpha/pyscript.css" />
        <script defer src="https://pyscript.net/alpha/pyscript.js"></script>
      </head>
      <body>
        <py-script> print('Hello, World!') </py-script>
      </body>
    </html>

Reference: PyScript Hello World...

May 10, 2022 · 4 min · Rizal