Security Test: Weak Flask Session Secret¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

Flask uses the SECRET_KEY value to cryptographically sign cookies and other data. If this key is weak, short, guessable, or left as the default, attackers can forge or tamper with session cookies, leading to account takeover, privilege escalation, or data exposure. This issue often occurs when developers use placeholder keys, store them in source control, or generate them from predictable sources.

Reference:

https://flask.palletsprojects.com/en/latest/config/#SECRET_KEY
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Configuration¶

Identifier: frontend_configuration/weak_flask_secret

Examples¶

All configuration available:

checks:
  frontend_configuration/weak_flask_secret:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	A02:2021
PCI DSS	`3.5`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.10.1`
NIST	`SC-12`
FedRAMP	`SC-12`
CWE	`331`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
CVSS Score	`8.8`