HTTP Clients
requests, httpx, urllib — SSRF sinks
PyAiohttp: aiohttp provides async HTTP client and server. ClientSession.get / post and the top-level request() are SSRF sinks on user-controlled URLs. aiohttp.web request handlers expose sources via request.query, request.post, request.json.
PyAwsXraySdk: Third-party Python package module — aws_xray_sdk. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyBoto3: boto3 is the AWS SDK for Python. client('s3').get_object(...) and similar operations commonly ingest user input into bucket / key names — SSRF-like vectors through S3 URLs and IAM misconfiguration. Included to support rule writers checking AWS-specific patterns.
PyEmail: The email package. email.message.EmailMessage assembly with user-controlled Subject, To, From, or body is an email-header-injection sink (CRLF in header values can inject extra headers). email.parser handles incoming messages — sources of user content.
PyFtplib: The ftplib module for FTP (insecure plaintext protocol). FTP() connects unencrypted; FTP_TLS is the secure variant. Any use of the plain FTP class is a finding for sensitive data flows.
PyHttpClient: The http.client module provides low-level HTTP primitives. HTTPConnection / HTTPSConnection.request() is an SSRF sink when the host or path comes from user input. HTTPSConnection with context=None falls back to system default TLS settings.
PyHttpCookies: The http.cookies module for cookie parsing. SimpleCookie accepts raw Cookie headers — the parsed morsels carry user input. Setting a cookie without Secure / HttpOnly / SameSite is a common hardening finding.
PyHttpServer: The http.server module. SimpleHTTPRequestHandler serves files from the current working directory, a path-traversal sink when that directory contains secrets. Intended for development only; any production use is a finding.
PyHttplib2: httplib2 is an HTTP client with advanced caching features. Http.request() is an SSRF sink when the URI is user-controlled.
PyHttpx: httpx is a modern async-capable HTTP client. Identical SSRF surface to requests — the URL argument on get/post/etc. is a sink when user-controlled. verify=False disables TLS verification (separate rule).
PyImaplib: The imaplib module. IMAP4() uses plaintext; IMAP4_SSL is the encrypted variant. Any use of plain IMAP is a credential-over-plaintext finding.
PyIpaddress: The ipaddress module for IP address parsing and classification. IPv4Address / IPv6Address constructors raise on invalid input — sanitizer for IP flows. is_private / is_loopback / is_reserved are building blocks for SSRF defense.
PyMailbox: Python stdlib module — mailbox. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyMailcap: Python stdlib module — mailcap. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyNetaddr: Third-party Python package module — netaddr. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyNetifaces: Third-party Python package module — netifaces. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyNetrc: Python stdlib module — netrc. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyNntplib: Python stdlib module — nntplib. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyPika: Third-party Python package module — pika. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyPoplib: The poplib module. POP3() is plaintext; POP3_SSL encrypts. Plaintext POP3 is a credential-over-plaintext finding.
PyPycurl: pycurl wraps libcurl. curl.setopt(pycurl.URL, ...) is an SSRF sink on user-controlled URLs. setopt(pycurl.SSL_VERIFYPEER, 0) disables TLS verification.
PyPysocks: Third-party Python package module — pysocks. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PyRequests: requests is the most popular HTTP client for Python. All top-level methods and Session methods accept a URL as the first argument — SSRF sink when the URL is user-controlled. verify=False disables TLS verification (separate rule).
PySlumber: Third-party Python package module — slumber. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PySmtpd: Python stdlib module — smtpd. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.
PySmtplib: The smtplib module for SMTP. SMTP() uses plaintext unless starttls() is called. SMTP_SSL is the always-encrypted variant. Rule writers also target email header / recipient construction for header-injection sinks.
PySocket: The socket module for low-level network operations. socket.connect() is an SSRF primitive when the host / port comes from user input. socket.bind() on 0.0.0.0 is a finding for services that should be localhost-only.
PyTelnetlib: The telnetlib module for Telnet (insecure plaintext protocol). Any use of Telnet is a finding; use paramiko / SSH instead. Deprecated since 3.11, removed in 3.13.
PyUrllib: urllib.request (stdlib) is the lowest-level HTTP client in Python. urlopen() accepts both a URL string and a Request object — SSRF sink when the URL is user-controlled. Unlike requests, urlopen defaults to no TLS verification on some platforms.
PyUrllibParse: The urllib.parse module for URL parsing and building. urljoin is commonly used to build request URLs — when the base is user-controlled, attackers can redirect to arbitrary hosts. urlparse can be used as a sanitizer for SSRF if the netloc is validated.
PyWebob: Third-party Python package module — webob. Auto-indexed from CDN. Method-level security roles have not been annotated; rule writers should inspect the source before use.