https://www.secdev.uk/blog/tags/injection/ Recent content in Injection on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 03 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-03-string-formatting-and-security/ Sat, 03 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-03-string-formatting-and-security/ <p>String formatting is one of those operations that&rsquo;s everywhere, and it&rsquo;s more dangerous than most developers realise when user input gets involved. Every language provides multiple ways to build strings from dynamic data, and each mechanism carries different security implications. From C&rsquo;s <code>printf</code> family, where a format string bug can read and write arbitrary memory, to Python&rsquo;s f-strings that can execute attribute lookups, the attack surface is broader than most people think. I wanted to map out the full landscape across languages, and what I found was that each mechanism breaks down in its own unique and sometimes surprising way.</p> https://www.secdev.uk/blog/technology/2025-08-30-python-security-pitfalls/ Sat, 30 Aug 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-08-30-python-security-pitfalls/ <p>I&rsquo;ve spent a lot of time reviewing Python codebases, and the language&rsquo;s readability and rapid development cycle are exactly what make it dangerous. Python is the default choice for web services, data pipelines, and automation scripts, and that same ease of use hides security pitfalls that experienced developers walk into regularly. The language&rsquo;s dynamic nature, runtime evaluation, duck typing, implicit conversions, and powerful serialization, creates attack surfaces that simply don&rsquo;t exist in statically typed languages. In this post, I want to cover the Python-specific anti-patterns that lead to real vulnerabilities, from the well-known <code>pickle</code> deserialization trap to the subtle template injection that can survive code review.</p>