Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Python Taint

Static analysis of Python web applications based on theoretical foundations (Control flow graphs, fixed point, dataflow analysis)


  • Detect command injection, SSRF, SQL injection, XSS, directory traveral etc.
  • A lot of customisation possible

For a look at recent changes, please see the changelog.

Example usage and output:


pip install python-taint

PyT can also be installed from source. To do so, clone the repo, and then run:

python3 install

How it Works

Soon you will find a README.rst in every directory in the pyt/ folder, start here.

How to Use

  1. Choose a web framework

The -a option determines which functions will have their arguments tainted, by default it is Flask.

  1. (optional) Customize source and sink information

Use the -t option to specify sources and sinks, by default this file is used.

  1. (optional) Customize which library functions propagate taint

For functions from builtins or libraries, e.g. url_for or os.path.join, use the -m option to specify whether or not they return tainted values given tainted inputs, by default this file is used.


usage: python -m pyt [-h] [-a ADAPTOR] [-pr PROJECT_ROOT]
                 [-b BASELINE_JSON_FILE] [-j] [-m BLACKBOX_MAPPING_FILE]
                 [-t TRIGGER_WORD_FILE] [-o OUTPUT_FILE] [--ignore-nosec]
                 [-r] [-x EXCLUDED_PATHS] [-trim] [-i]
                 targets [targets ...]

required arguments:
  targets               source file(s) or directory(s) to be tested

important optional arguments:
  -a ADAPTOR, --adaptor ADAPTOR
                      Choose a web framework adaptor: Flask(Default),
                      Django, Every or Pylons

  -t TRIGGER_WORD_FILE, --trigger-word-file TRIGGER_WORD_FILE
                      Input file with a list of sources and sinks

                      Input blackbox mapping file

optional arguments:
  -pr PROJECT_ROOT, --project-root PROJECT_ROOT
                      Add project root, only important when the entry file
                      is not at the root of the project

                      Path of a baseline report to compare against (only
                      JSON-formatted files are accepted)

  -j, --json            Prints JSON instead of report

                      Write report to filename

  --ignore-nosec      Do not skip lines with # nosec comments

  -r, --recursive     Find and process files in subdirectories

                      Separate files with commas

print arguments:
  -trim, --trim-reassigned-in
                      Trims the reassigned list to just the vulnerability
  -i, --interactive   Will ask you about each blackbox function call in
                      vulnerability chains.

Usage from Source

Using it like a user python3 -m pyt examples/vulnerable_code/

Running the tests python3 -m tests

Running an individual test file python3 -m unittest tests.import_test

Running an individual test python3 -m unittest tests.import_test.ImportTest.test_import


Join our slack group: - ask for invite:


Virtual env setup guide

Create a directory to hold the virtual env and project

mkdir ~/a_folder

cd ~/a_folder

Clone the project into the directory

git clone

Create the virtual environment

python3 -m venv ~/a_folder/

Check that you have the right versions

python3 --version sample output Python 3.6.0

pip --version sample output pip 9.0.1 from /Users/kevinhock/a_folder/lib/python3.6/site-packages (python 3.6)

Change to project directory

cd pyt

In the future, just type source ~/a_folder/bin/activate to start developing.