Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Airflow
- Attr
- Aws-lambda
- Bokeh
- Boto3
- Cassandra
- Click
- Correctness
- Couchbase
- Cryptography
- Distributed
- Django
- Docker
- Elasticsearch
- Fastapi
- Flask
- Ai
- Best practice
- Caching
- Code
- Correctness
- Db
- Debug
- Deserialization
- File
- Flask-hardcoded-database-password-uri
- Log
- Maintainability
- Net
- Os
- Regex
- Security
- Security
- Web
- Flask-cookie-app-config-httponly-false
- Flask-cookie-app-config-samesite-none
- Flask-cookie-app-config-secure-false
- Flask-cookie-httponly-false
- Flask-cookie-httponly-missing
- Flask-cookie-samesite-missing
- Flask-cookie-samesite-none
- Flask-cookie-secure-false
- Flask-cookie-secure-missing
- Flask-login-session-protection-app-config-none
- Flask-login-session-protection-none
- Flask-talisman-cookie-secure-false
- Flask-talisman-decorator-cookie-secure-false
- Flask-wtf-csrf-check-default-false
- Xml
- Jinja2
- Jwt
- Lang
- Ldap3
- Mariadb
- Mysql
- Mysqlclient
- Neo4j
- Openai
- Peewee
- Pg8000
- Psycopg2
- Pycryptodome
- Pyjwt
- Pymongo
- Pymssql
- Pymysql
- Pyramid
- Redis
- Requests
- Sh
- Sqlalchemy
- Tormysql
- Urllib3
- Webrepl
- Wtforms
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Flask-wtf-csrf-check-default-false
Flask wtf csrf check default false
The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. With WTF_CSRF_CHECK_DEFAULT
set to False
the CSRF tokens are still enabled and included, but the check no longer happens automatically. Doing the check manually requires a call to csrf.protect()
before handling the request. An appropriate place to do this is a @app.before_request
decorated function.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control