debug-enabled
Detected Flask app with debug=True. Do not deploy to production with this flag enabled: the Werkzeug debugger returns full stack traces and source snippets to every client and exposes an interactive console that evaluates Python, so anyone who obtains the debugger PIN gets remote code execution. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables (for example FLASK_DEBUG=1, set only in local development).
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-489: Active Debug Code
OWASP:
- A06:2017 - Security Misconfiguration
secure-set-cookie
directly-returned-format-string
Detected Flask route directly returning a formatted string. This is subject to cross-site scripting if user input can reach the string, because nothing encodes the interpolated value before the browser parses it as HTML. Consider using the template engine instead and rendering pages with 'render_template()', which autoescapes variables through Jinja2; if a response must be assembled by hand, escape every untrusted value (for example with markupsafe.escape) before interpolating it.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
OWASP:
- A07:2017 - Cross-Site Scripting (XSS)
- A03:2021 - Injection
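The following is an added example, not code from the Semgrep rule source or from Flask: the route shape that directly-returned-format-string flags, next to a version that encodes the user-controlled value with the standard library's html.escape (render_template() does the equivalent through Jinja2 autoescaping). The function names, the /unsafe and /escaped routes and the sample payloads are constructed for illustration.

```python
# Added example (not from the Semgrep rule source or Flask): the pattern the
# directly-returned-format-string rule flags, beside a hardened version.
# greet_unsafe, greet_escaped, contains_executable_markup and the routes in
# create_app are illustrative names; SAMPLE_INPUTS are constructed payloads.
import html


def greet_unsafe(name: str) -> str:
    """Route body that interpolates user input straight into HTML.

    This is the shape the rule flags: a formatted string is returned as the
    response body, so any markup inside `name` is rendered by the browser.
    """
    return f"<h1>Hello {name}</h1>"


def greet_escaped(name: str) -> str:
    """Same response with HTML-significant characters encoded.

    html.escape(..., quote=True) turns <, >, &, " and ' into entities, so the
    input is displayed as text and cannot open a tag or close an attribute.
    Flask's render_template() does this automatically via Jinja2 autoescaping,
    which is why the rule recommends it; manual escaping is the fallback when
    a template is not an option.
    """
    return f"<h1>Hello {html.escape(name, quote=True)}</h1>"


# Constructed payloads: a harmless name, a script tag, and an attribute breakout.
SAMPLE_INPUTS = [
    "Alice",
    "<script>alert(document.cookie)</script>",
    'x" onmouseover="alert(1)',
]


def contains_executable_markup(body: str) -> bool:
    """Coarse signal used only to illustrate the difference between the two
    responses: a raw <script> tag or a raw double quote survived into the body."""
    return "<script" in body.lower() or '"' in body


def create_app():
    """Wire both variants into a Flask app. Flask is imported here so the
    functions above stay importable (and testable) without it installed."""
    from flask import Flask, request

    app = Flask(__name__)

    @app.route("/unsafe")
    def unsafe():  # flagged by directly-returned-format-string
        return greet_unsafe(request.args.get("name", ""))

    @app.route("/escaped")
    def escaped():
        return greet_escaped(request.args.get("name", ""))

    return app
```

Requesting /unsafe?name=%3Cscript%3Ealert(1)%3C/script%3E returns the script tag verbatim; /escaped returns it as `&lt;script&gt;...`. Escaping is context-specific: html.escape is correct for element content and quoted attribute values, not for injecting into JavaScript, URLs or CSS, where a template with the matching filter is the safer choice.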
avoid_hardcoded_config_TESTING
Hardcoded variable TESTING detected. Use environment variables or config files instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
avoid_hardcoded_config_SECRET_KEY
Hardcoded variable SECRET_KEY detected. Use environment variables or config files instead. Flask signs every session cookie with SECRET_KEY, so a literal committed to source lets anyone who can read the repository (or a leaked copy of it) forge sessions for arbitrary users, and rotating the key then requires a code change. Load it from the environment or a secrets manager at startup.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
avoid_hardcoded_config_ENV
Hardcoded variable ENV detected. Set this by using the FLASK_ENV environment variable. Note that FLASK_ENV and app.env were deprecated in Flask 2.2 and removed in Flask 2.3; on current Flask, control the debugger with FLASK_DEBUG and keep any application-level environment name (development, staging, production) in a configuration variable of your own, read from the environment.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
avoid_hardcoded_config_DEBUG
Hardcoded variable DEBUG detected. Set this by using the FLASK_DEBUG environment variable.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration
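As an added example covering both debug-enabled and the avoid_hardcoded_config_* rules above (this is not Semgrep's or Flask's own code), the configuration below is derived entirely from environment variables, so no DEBUG, TESTING, SECRET_KEY or environment literal appears in source. The variable names APP_ENV and FLASK_TESTING, the function names, the ConfigError type and the 32-byte key minimum are assumptions made for the example; FLASK_DEBUG and SECRET_KEY are the real Flask names. The deployment tier defaults to production, so an unset environment fails closed rather than silently enabling the debugger.

```python
# Added example (not Semgrep's or Flask's code): build the Flask config from the
# environment instead of hardcoding DEBUG / TESTING / SECRET_KEY / ENV.
# build_config, ConfigError, create_app, APP_ENV and FLASK_TESTING are
# illustrative names; FLASK_DEBUG and SECRET_KEY are Flask's own.
import os
import secrets
from typing import Mapping, Optional

MIN_SECRET_KEY_BYTES = 32  # assumption: require 256 bits of key material


class ConfigError(RuntimeError):
    """Raised when the environment does not describe a safe configuration."""


def _truthy(value: Optional[str]) -> bool:
    # Same spellings Flask's CLI accepts for FLASK_DEBUG.
    return (value or "").strip().lower() in {"1", "true", "t", "yes", "on"}


def build_config(environ: Mapping[str, str]) -> dict:
    """Translate environment variables into the mapping handed to app.config.

    * DEBUG and TESTING come only from FLASK_DEBUG / FLASK_TESTING and default
      to off; either one in the production tier is refused outright.
    * APP_ENV (assumed name, since FLASK_ENV no longer exists in Flask 2.3+)
      selects the tier and defaults to "production" so a bare environment
      fails closed.
    * SECRET_KEY must be present and long enough in production. In other tiers
      a random per-process key is generated when none is given, so a literal
      never needs to be written into the source tree (sessions simply reset
      when the dev server restarts).
    """
    tier = environ.get("APP_ENV", "production").strip().lower()
    debug = _truthy(environ.get("FLASK_DEBUG"))
    testing = _truthy(environ.get("FLASK_TESTING"))
    if tier == "production" and (debug or testing):
        raise ConfigError("FLASK_DEBUG / FLASK_TESTING must not be enabled in production")

    secret = environ.get("SECRET_KEY", "")
    if tier == "production":
        if len(secret.encode()) < MIN_SECRET_KEY_BYTES:
            raise ConfigError(
                f"SECRET_KEY must be at least {MIN_SECRET_KEY_BYTES} bytes in production"
            )
    elif not secret:
        secret = secrets.token_urlsafe(MIN_SECRET_KEY_BYTES)  # per-process, never committed

    return {"DEBUG": debug, "TESTING": testing, "SECRET_KEY": secret, "APP_TIER": tier}


def create_app(environ: Optional[Mapping[str, str]] = None):
    """Build the Flask app from os.environ (or an explicit mapping for tests).
    Flask is imported here so build_config can be exercised without it."""
    from flask import Flask

    app = Flask(__name__)
    app.config.from_mapping(build_config(dict(environ if environ is not None else os.environ)))
    return app
```

Flask 2.1 and later also offer app.config.from_prefixed_env(), which loads every FLASK_-prefixed variable into app.config; the hand-written loader above adds the refusal logic (no debugger in production, no weak or missing key) that a plain loader does not provide.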
avoid_app_run_with_bad_host
Running the Flask app with host 0.0.0.0 binds the development server to every network interface, so it is reachable from outside the machine (and, in a container, from anything that can reach the published port). Bind to 127.0.0.1 during development, and serve production traffic from a WSGI server such as gunicorn or uWSGI behind a reverse proxy rather than from app.run().
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-668: Exposure of Resource to Wrong Sphere
OWASP:
- A01:2021 - Broken Access Control
flask-wtf-csrf-disabled
Setting 'WTF_CSRF_ENABLED' to 'False' explicitly disables CSRF protection. This setting is commonly added to make test clients simpler; keep it confined to the configuration object used only by the test suite, and make sure the settings a production process loads never contain it.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
render-template-string
Found a template created with string formatting (for example render_template_string(f"Hello {name}")). User input then becomes part of the template source rather than template data, so Jinja2 evaluates any {{ ... }} or {% ... %} it contains: this is server-side template injection, which leaks values such as config.SECRET_KEY and is routinely escalated to remote code execution, and it also bypasses autoescaping, so it is a cross-site scripting vector as well. Keep the template source constant and pass user input as a variable (render_template_string("Hello {{ name }}", name=name)).
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-96: Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
OWASP:
- A03:2021 - Injection
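The following added example is not from the Semgrep rule source or from Flask. It reproduces what render-template-string flags using a bare Jinja2 Environment configured the way Flask renders render_template_string() (autoescape on), so it runs without Flask installed. CONFIG is a constructed stand-in for app.config; the function names and the probe-detection helper are illustrative.

```python
# Added example (not Semgrep's or Flask's code): the template-built-from-a-format-
# string shape that render-template-string flags, beside the safe form.
# CONFIG stands in for app.config; render_vulnerable, render_safe and
# looks_like_template_probe are illustrative names.
from jinja2 import Environment

CONFIG = {"SECRET_KEY": "constructed-secret-0123", "DEBUG": False}

# autoescape=True matches what Flask's render_template_string() uses.
_env = Environment(autoescape=True)


def render_vulnerable(name: str) -> str:
    """User input is spliced into the template SOURCE.

    Jinja2 then evaluates any {{ ... }} or {% ... %} the input contains:
    `{{ config.SECRET_KEY }}` prints the key, and the usual object-walking
    payloads reach subprocess/os for remote code execution. Autoescaping does
    not help, because the expression result is treated as trusted output.
    """
    template = _env.from_string(f"Hello {name}")  # <- what the rule flags
    return template.render(config=CONFIG)


def render_safe(name: str) -> str:
    """User input is passed as template DATA.

    The template source is a constant, so `{{ 7*7 }}` inside `name` is printed
    literally, and HTML in it is escaped by autoescaping.
    """
    template = _env.from_string("Hello {{ name }}")  # constant source
    return template.render(name=name, config=CONFIG)


def looks_like_template_probe(value: str) -> bool:
    """Detection aid for request logs or a WAF rule: the delimiters an SSTI
    probe needs. A signal to alert on, not a substitute for the fix."""
    return any(marker in value for marker in ("{{", "{%", "{#"))
```

The first function is also what a scanner sees when the classic `{{ 7*7 }}` probe comes back as `49`; the second returns the probe unchanged, which is the behaviour that proves the template source is no longer attacker-controlled.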
avoid_using_app_run_directly
A top-level app.run(...) is ignored when the app is started with `flask run` (Flask prints a warning that the call is being ignored), and under any other importer, such as a WSGI server or a test suite, it executes at import time and starts the development server. Put app.run(...) behind an `if __name__ == "__main__":` guard or inside a function that only the entry point calls.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-668: Exposure of Resource to Wrong Sphere
OWASP:
- A01:2021 - Broken Access Control
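The following is an added example covering both avoid_app_run_with_bad_host and avoid_using_app_run_directly; it is not Semgrep's or Flask's code. The bind address is resolved from the environment and defaults to loopback, a wildcard or public bind is refused unless the operator opts in explicitly, and app.run() sits behind a __main__ guard. The variable names APP_BIND_HOST, APP_ALLOW_PUBLIC_BIND and PORT, and the function names, are assumptions made for the example.

```python
# Added example (not Semgrep's or Flask's code) for avoid_app_run_with_bad_host
# and avoid_using_app_run_directly: choose the dev-server bind address from the
# environment and keep app.run() behind a __main__ guard. APP_BIND_HOST,
# APP_ALLOW_PUBLIC_BIND, PORT and the function names are illustrative.
import ipaddress
import os

ALLOW_PUBLIC_BIND = "APP_ALLOW_PUBLIC_BIND"  # assumed opt-in variable name


def classify_bind_host(host: str) -> str:
    """Return "loopback", "all-interfaces" or "public" for a bind address.

    0.0.0.0 and :: are wildcards: the server accepts connections on every
    interface, which is exactly the condition the rule warns about. A name that
    is not an IP literal (other than "localhost") is treated as public, since
    it can resolve to any interface.
    """
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "loopback" if host.lower() == "localhost" else "public"
    if addr.is_unspecified:
        return "all-interfaces"
    if addr.is_loopback:
        return "loopback"
    return "public"


def resolve_bind_host(environ) -> str:
    """Pick the development server's bind address.

    Loopback is the default. Anything else (for example 0.0.0.0 inside a
    container, where it is the only way to reach the process) requires the
    explicit opt-in, so the dev server is never exposed by accident.
    """
    host = environ.get("APP_BIND_HOST", "127.0.0.1")
    kind = classify_bind_host(host)
    if kind != "loopback" and environ.get(ALLOW_PUBLIC_BIND) != "1":
        raise RuntimeError(
            f"refusing to bind the development server to {host!r} ({kind}); "
            f"set {ALLOW_PUBLIC_BIND}=1 if this is intended, and use a WSGI "
            f"server behind a reverse proxy for production"
        )
    return host


def create_app():
    """Application factory; Flask is imported lazily so the helpers above are
    usable (and testable) without it installed."""
    from flask import Flask

    app = Flask(__name__)

    @app.route("/")
    def index():
        return "ok"

    return app


if __name__ == "__main__":
    # Runs only when this file is the entry point. `flask run`, a WSGI server
    # and the test suite import the module without starting the dev server.
    create_app().run(
        host=resolve_bind_host(os.environ),
        port=int(os.environ.get("PORT", "5000")),
    )
```

With this layout `python app.py` starts the development server on 127.0.0.1, `APP_BIND_HOST=0.0.0.0 python app.py` fails with an explanation, and the same command with APP_ALLOW_PUBLIC_BIND=1 binds every interface on purpose; `flask --app app run` and `gunicorn app:create_app()` never execute the app.run() call at all.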
host-header-injection-python
The flask.request.host value is used to construct an HTTP request or URL. The Host header is attacker-controlled, so this can lead to host header injection issues. Vulnerabilities that generally occur due to this issue are authentication bypasses, password-reset poisoning (the reset link is generated for the attacker's host and the token is delivered there), Server-Side Request Forgery (SSRF), and many more. Validate the host against an allowlist of expected hostnames before passing it to a request library or using it in application logic such as authentication or password resets; setting Flask's SERVER_NAME also gives externally generated URLs a fixed canonical host instead of whatever the client sent.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-20: Improper Input Validation
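As an added example (not Semgrep's or Flask's code), the following validates a Host header against an allowlist before it is used to build an absolute URL such as a password-reset link. The allowed hostnames are constructed sample values, and trusted_host, absolute_url and UntrustedHost are illustrative names. The comparison is made on the hostname alone: the port is stripped, the name is lowercased and a trailing dot is removed, and anything that is not a plain host[:port] (an embedded path, user-info or an empty header) is rejected.

```python
# Added example (not Semgrep's or Flask's code): allowlist validation of the
# Host header before it is used to build a URL. ALLOWED_HOSTS holds constructed
# sample values; trusted_host, absolute_url and UntrustedHost are illustrative.
import re

ALLOWED_HOSTS = {"app.example.com", "www.example.com"}

# host[:port] only: a DNS name or a bracketed IPv6 literal, optional numeric port.
_HOST_RE = re.compile(r"^(?P<name>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?$")


class UntrustedHost(ValueError):
    """The Host header did not name one of the expected hosts."""


def trusted_host(host_header: str, allowed=ALLOWED_HOSTS) -> str:
    """Return the canonical hostname if the Host header is on the allowlist.

    Normalisation: whitespace trimmed, lowercased, port dropped, trailing dot
    removed. Anything the pattern does not match (a path, "@" user-info, a
    non-numeric port, an empty value) is rejected as malformed rather than
    compared, so a crafted header cannot sneak past a prefix or suffix match.
    """
    match = _HOST_RE.match(host_header.strip().lower())
    if not match:
        raise UntrustedHost(f"malformed Host header: {host_header!r}")
    name = match.group("name").rstrip(".")
    if name not in allowed:
        raise UntrustedHost(f"host {name!r} is not in the allowlist")
    return name


def absolute_url(host_header: str, path: str, scheme: str = "https", allowed=ALLOWED_HOSTS) -> str:
    """Build the link a reset email or redirect would carry, from a validated
    host only. The attacker-controlled header never reaches the output unless
    it exactly names an expected host; the path must be absolute and must not be
    protocol-relative, so "//evil.example/..." cannot be smuggled in either."""
    host = trusted_host(host_header, allowed)
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be absolute and not protocol-relative")
    return f"{scheme}://{host}{path}"
```

In a Flask view the call is absolute_url(request.host, url_for("reset", token=token)); when the header fails validation, respond with 400 and log the rejected value, since a stream of such rejections is itself a useful detection signal for reset-poisoning attempts.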