Configuration: Weak Flask Session Secret
Identifier: flask_session_cookie
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
Flask applications that use a weak, short, guessable, or default SECRET_KEY allow attackers to forge or tamper with session cookies, potentially leading to account takeover, privilege escalation, or data exposure.
How we test: We analyze Flask session cookies to detect weak SECRET_KEY usage. We check whether a session cookie can be decoded, modified, and re-signed with a valid signature; if it can, the SECRET_KEY is weak or predictable. We also look for default or placeholder keys that should not be used in production.
References:
- https://flask.palletsprojects.com/en/latest/config/#SECRET_KEY
- https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
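A startup guard that refuses the weak SECRET_KEY values this check looks for and generates a strong replacement. This is an added example written for this page, not code from the scanner or from Flask; the placeholder list and the thresholds are assumptions chosen for illustration, and it uses only the standard library so it runs without Flask installed.

```python
"""Startup guard for Flask SECRET_KEY strength (added example, stdlib only)."""
import math
import secrets
from collections import Counter

# Constructed list of placeholder keys seen in tutorials and scaffolds;
# an assumption for this example, not a list taken from the scanner.
PLACEHOLDER_KEYS = {"dev", "secret", "changeme", "your-secret-key",
                    "super secret key", "password", "123456", "flask", ""}
MIN_KEY_BYTES = 32               # 256 bits of keying material
MIN_ENTROPY_BITS_PER_BYTE = 3.0  # hex/random bytes land well above this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte estimated from the byte-value histogram of the key."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_secret_key(key) -> list[str]:
    """Return findings for a candidate SECRET_KEY; empty list means acceptable."""
    if key is None:
        return ["SECRET_KEY is not set; Flask cannot sign session cookies"]
    raw = key.encode() if isinstance(key, str) else bytes(key)
    findings = []
    if raw.decode(errors="ignore").strip().lower() in PLACEHOLDER_KEYS:
        findings.append("SECRET_KEY is a known placeholder/default value")
    if len(raw) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is only {len(raw)} bytes; expected >= {MIN_KEY_BYTES}")
    if shannon_entropy(raw) < MIN_ENTROPY_BITS_PER_BYTE:
        findings.append("SECRET_KEY has low entropy (repetitive or dictionary-like)")
    return findings


def generate_secret_key() -> str:
    """Fresh 256-bit key from the OS CSPRNG, hex-encoded for env vars/config files."""
    return secrets.token_hex(MIN_KEY_BYTES)


def load_secret_key(env: dict, strict: bool = True) -> str:
    """Read SECRET_KEY from an environment mapping (e.g. os.environ).
    In strict (production) mode a weak key aborts startup instead of being used."""
    key = env.get("SECRET_KEY")
    findings = check_secret_key(key)
    if findings and strict:
        raise RuntimeError("Refusing to start: " + "; ".join(findings))
    return key
```

Wire `app.config["SECRET_KEY"] = load_secret_key(os.environ)` into the application factory so a deployment with a placeholder key fails at boot rather than serving forgeable sessions.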
Configuration
Example
Example configuration:
Reference
skip
Type : boolean
Skip the test if true.