Strings: the type you'll touch most
Master strings and you’ve unlocked half of Python’s usefulness for security work. Here’s why: almost everything you deal with is text. URLs, headers, tokens, API responses, log lines, source code — all strings. The operations in this lesson are the ones you’ll reach for in nearly every script.
You'll learn to
- Slice a string to pull out the part you want
- Use the string methods that show up in real recon code
- Build URLs and payloads cleanly with f-strings
The operations you’ll actually use
url = "https://api.example.com/v1/users"
len(url) # 32 — length
url.upper() # uppercase copy
url.startswith("https") # True
url.endswith(".com") # False (it ends with /users)
"api" in url # True — substring test, used CONSTANTLY
url.split("/") # ['https:', '', 'api.example.com', 'v1', 'users']
url.replace("https", "http") # a new string with the swap
url[8:] # 'api.example.com/v1/users' — slicing from index 8
Two ideas carry most of the weight here. Slicing: url[8:] means “from position 8 to the end” — Python counts from zero, so url[0:5] is the first five characters. Methods: those are functions attached to a value with a dot. url.split("/") breaks the string into a list wherever / appears — that’s how you tear a URL into pieces.
And "api" in url — the substring test — is the workhorse. You’ll use it to filter responses, find keywords, and triage output thousands of times.
f-strings: building text from variables
This is the single most useful string feature for tooling. An f-string lets you drop variables straight into text using { }:
host = "example.com"
port = 443
url = f"https://{host}:{port}/login" # the f before the quote is the magic
print(url) # https://example.com:443/login
token = "abc123"
headers = f"Authorization: Bearer {token}"
Notice the f right before the opening quote — that’s what turns on the substitution. Without f-strings you’d be awkwardly gluing pieces together with +. With them, you build URLs, headers, payloads, and log messages in one clean line.
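An added example, not part of the original lesson: an f-string inserts a value exactly as it is, so a value containing /, ?, & or a line break changes the structure of the URL or header it lands in. The helper names build_url and build_auth_header, the /users/ path, the q parameter and the sample values are assumptions made for illustration.

```python
from urllib.parse import quote, urlencode


def build_url(host: str, port: int, user: str, params: dict) -> str:
    """Build a URL with an f-string, percent-encoding every untrusted piece."""
    segment = quote(user, safe="")  # safe="" also encodes '/', so it stays one segment
    query = urlencode(params)       # encodes '&', '=', spaces and the rest
    return f"https://{host}:{port}/users/{segment}?{query}"


def build_auth_header(token: str) -> str:
    """Build a header line, refusing a value that would start a second header."""
    if "\r" in token or "\n" in token:
        raise ValueError("CR/LF is not allowed in a header value")
    return f"Authorization: Bearer {token}"


if __name__ == "__main__":
    # Constructed sample values: imagine they came from a file or a response.
    host, port = "example.com", 443
    user = "a/b?x=1"
    search = "x&admin=1"

    # Plain f-string: the value's own '/', '?' and '&' become URL structure.
    print(f"https://{host}:{port}/users/{user}?q={search}")

    # Encoded: one path segment, one query parameter.
    print(build_url(host, port, user, {"q": search}))

    print(build_auth_header("abc123"))
    try:
        build_auth_header("abc123\r\nX-Extra: 1")
    except ValueError as err:
        print(f"rejected: {err}")
```

The f-string still does the assembly; the encoding step only makes sure each variable stays inside the slot you put it in.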
A subtle but important detail
Strings in Python are immutable — methods like .upper() and .replace() don’t change the original, they return a new string. This trips people up:
url = "https://example.com"
url.replace("https", "http") # this RESULT is http://... but url is unchanged
print(url) # still https://example.com !
url = url.replace("https", "http") # you must reassign to keep the change
print(url) # now http://example.com
Checkpoint
Given path = '/v1/users/42', how would you get just '42' using a string method?
path.split('/')[-1] — split on the slash to get ['', 'v1', 'users', '42'], then take the last item with [-1].
Try it yourself
Take the string "GET /admin/login HTTP/1.1". Use .split(" ") to break it into its three parts, then print just the path (the middle piece). This is exactly how you’d parse a request line from a log file.
Summary
Strings are text, and text is most of security work. Slicing (url[8:]) extracts portions; methods (.split(), .replace(), .startswith()) transform and inspect; the in operator tests for substrings. f-strings (f"...{var}...") build dynamic text and are the key to assembling requests. Remember that string methods return new values — reassign to keep changes.
Key takeaways
- in is the substring test you’ll use most — learn to reach for it.
- Slicing uses zero-based indexes: s[start:end].
- f-strings are how you build URLs, headers, and payloads cleanly.
- String methods return a new string; the original is unchanged.
Next, the container types — lists, sets, and dictionaries — which are how you hold many targets, dedupe results, and shape every HTTP request.