H3-2023-0002

Flask Authentication Bypass Misconfiguration

Category SECURITY_MISCONFIGURATION
Base Score 7.3

Description

A Flask-based web application was found to be using a weak or default Flask SECRET_KEY value. Flask is a web framework for building web applications in Python, and the SECRET_KEY value is used for signing session cookies. This misconfiguration allows the application's SECRET_KEY to be easily guessed or brute-forced. An attacker can exploit this misconfiguration by using tools to guess the SECRET_KEY and forge session cookies, which lets them impersonate legitimate users.
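As a defender-side illustration of the fix, the following is an added example (not code from the advisory or from Flask) of a startup guard that refuses to run an application whose SECRET_KEY is a known placeholder, too short, or low-entropy, and that generates a proper key from the OS CSPRNG. The placeholder list and the 128-bit entropy threshold are assumptions chosen for this example.

```python
import math
import secrets
from collections import Counter
from typing import Mapping, Optional, Union

# Constructed list of placeholder values commonly copied from tutorials and
# sample configs (assumption: representative, not exhaustive).
KNOWN_WEAK_KEYS = {
    "", "dev", "secret", "changeme", "change_me", "password", "secret_key",
    "your-secret-key", "your_secret_key", "super secret key", "mysecretkey",
    "123456", "test", "flask",
}
MIN_KEY_BYTES = 32          # 256 bits of keying material
MIN_ENTROPY_BITS = 128.0    # assumed threshold for the rough estimate below


def estimated_entropy_bits(value: bytes) -> float:
    """Shannon entropy of the byte distribution times length. A rough sanity
    check that catches repetitive or single-character keys, not every
    predictable value."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_byte = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return per_byte * n


def assess_secret_key(key: Optional[Union[str, bytes]]) -> list:
    """Return a list of findings for a candidate SECRET_KEY; empty means it passed."""
    if key is None:
        return ["SECRET_KEY is not set"]
    raw = key if isinstance(key, bytes) else str(key).encode()
    findings = []
    if raw.decode(errors="ignore").strip().lower() in KNOWN_WEAK_KEYS:
        findings.append("SECRET_KEY matches a well-known placeholder/default value")
    if len(raw) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is {len(raw)} bytes; at least {MIN_KEY_BYTES} expected")
    if estimated_entropy_bits(raw) < MIN_ENTROPY_BITS:
        findings.append("SECRET_KEY has low estimated entropy (repetitive or trivial content)")
    return findings


def generate_secret_key() -> str:
    """256-bit key from the OS CSPRNG, hex-encoded for storage in an environment variable."""
    return secrets.token_hex(32)


def enforce_strong_secret_key(config: Mapping) -> str:
    """Fail closed at startup: usage is app.config["SECRET_KEY"] = enforce_strong_secret_key(os.environ)."""
    findings = assess_secret_key(config.get("SECRET_KEY"))
    if findings:
        raise RuntimeError("Refusing to start: " + "; ".join(findings))
    return config["SECRET_KEY"]
```

Because session cookie integrity rests entirely on this key, rotate it (and thereby invalidate all outstanding sessions) whenever a weak value is found in production rather than merely replacing it in a future deploy.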

Impact

By exploiting this misconfiguration, it may be possible for an attacker to gain unauthorized access to the application and perform actions as if they were a legitimate user, potentially accessing sensitive data or performing administrative tasks.

References