Configuration: Weak Flask Session Secret

Identifier: flask_session_cookie

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Flask uses the SECRET_KEY value to cryptographically sign cookies and other data. If this key is weak, short, guessable, or left as the default, attackers can forge or tamper with session cookies, leading to account takeover, privilege escalation, or data exposure. This issue often occurs when developers use placeholder keys, store them in source control, or generate them from predictable sources.
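As an added example (not part of the scanner or of Flask): a standard-library-only startup check a Flask application can run so that a missing, placeholder, short or low-entropy SECRET_KEY never reaches production. The byte-length threshold, the entropy threshold and the placeholder list are assumptions chosen for this example; generate_secret_key uses the secrets.token_hex form that Flask's own documentation recommends.

```python
# Added example: refuse to start a Flask app with a weak or placeholder SECRET_KEY.
# Thresholds and the placeholder list are assumptions for this example.
import math
import os
import secrets
from collections import Counter

MIN_KEY_BYTES = 32  # assumption: 256 bits, the size secrets.token_hex(32) yields

# Assumed placeholder values of the kind copied from tutorials and sample configs.
PLACEHOLDER_KEYS = {
    "", "secret", "secret_key", "changeme", "change-me", "dev", "development",
    "password", "your-secret-key", "mysecretkey", "flask", "1234", "123456",
}


def shannon_entropy_bits(value: str) -> float:
    """Estimated entropy per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def secret_key_findings(key) -> list:
    """Return the reasons a key is unacceptable; an empty list means it passes."""
    if not isinstance(key, (str, bytes)):
        return ["SECRET_KEY is not set"]
    text = key.decode("utf-8", "replace") if isinstance(key, bytes) else key
    raw_len = len(key) if isinstance(key, bytes) else len(key.encode("utf-8"))
    findings = []
    if text.strip().lower() in PLACEHOLDER_KEYS:
        findings.append("SECRET_KEY is a known placeholder/default value")
    if raw_len < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is only {raw_len} bytes; need at least {MIN_KEY_BYTES}")
    if text and shannon_entropy_bits(text) < 3.0:  # assumption: ~8 distinct symbols
        findings.append("SECRET_KEY has low per-character entropy (repetitive or tiny alphabet)")
    return findings


def generate_secret_key() -> str:
    """Fresh 256-bit key as 64 hex characters (the form Flask's docs recommend)."""
    return secrets.token_hex(MIN_KEY_BYTES)


def load_secret_key(env=os.environ) -> str:
    """Read SECRET_KEY from the environment and abort startup on any finding."""
    key = env.get("SECRET_KEY")
    problems = secret_key_findings(key)
    if problems:
        raise RuntimeError("Refusing to start: " + "; ".join(problems))
    return key


if __name__ == "__main__":
    print(secret_key_findings("changeme"))          # three findings
    print(secret_key_findings(generate_secret_key()))  # []
```

Wire load_secret_key into app.config["SECRET_KEY"] = load_secret_key() before the first request is served, so a bad key fails deployment rather than signing sessions.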

Configuration

Example

Example configuration:

---
security_tests:
  flask_session_cookie:
    assets_allowed:
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.