
Insecure Functionality Exposed in Python


Flask

Flask, through Werkzeug, ships an interactive debugger that is served in the browser whenever an unhandled exception is raised while debug mode is on. The page shows the full stack trace with source context for every frame, and each frame offers an interactive Python console that executes code inside the running process. By default that console is protected by a PIN, but the PIN exists only so that developers do not expose their own workstation by accident; it is not a production control. If the PIN is disabled or easily guessable, anyone who can trigger an exception can use the console to run arbitrary code as the application user and compromise the host. Debug mode must therefore never be enabled in a production environment.

Vulnerable Example

Debug mode is enabled by setting the FLASK_DEBUG=1 environment variable, by running flask run --debug, or by calling app.run(debug=True) in code. The console PIN is disabled with WERKZEUG_DEBUG_PIN=off, or weakened by setting that same variable to a predictable value.
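As an added example (not SecureFlag's code), the following startup guard audits exactly these settings before the application object is created and refuses to start when the Werkzeug debugger would be reachable in production. APP_ENV as the name of the deployment-tier variable, InsecureConfigError, audit_debug_settings and create_app are assumptions of this example; the parsing of FLASK_DEBUG and WERKZEUG_DEBUG_PIN follows what Flask and Werkzeug themselves accept.

```python
"""Refuse to start a Flask app with the Werkzeug debugger exposed.

Added example, not the page's or Flask's own code. APP_ENV, InsecureConfigError,
audit_debug_settings and create_app are names assumed for this example.
"""
import os


class InsecureConfigError(RuntimeError):
    """Raised when the effective settings would expose the debugger in production."""


def flask_debug_enabled(env):
    """Mirror Flask's FLASK_DEBUG parsing: any non-empty value other than
    "0", "false" or "no" (case-insensitive) switches debug mode on."""
    val = env.get("FLASK_DEBUG", "")
    return bool(val) and val.strip().lower() not in {"0", "false", "no"}


def debugger_pin_disabled(env):
    """Werkzeug drops the console PIN entirely when WERKZEUG_DEBUG_PIN is "off"."""
    return env.get("WERKZEUG_DEBUG_PIN", "").strip() == "off"


def debugger_pin_guessable(env):
    """Heuristic (constructed for this example): an operator-chosen PIN made of a
    single repeated digit, or taken from a short list of tutorial values, is
    treated as guessable. Werkzeug accepts digits with optional dashes."""
    pin = env.get("WERKZEUG_DEBUG_PIN", "").strip().replace("-", "")
    if not pin or pin == "off" or not pin.isdigit():
        return False
    tutorial_values = {"123456789", "123-456-789".replace("-", ""), "1234", "0000"}
    return pin in tutorial_values or len(set(pin)) == 1


def audit_debug_settings(env):
    """Return a list of human-readable findings for the given environment mapping.
    An empty list means the settings are safe to start with."""
    findings = []
    # Assumption: APP_ENV names the deployment tier; unset is treated as production
    # so that a forgotten variable fails closed rather than open.
    production = env.get("APP_ENV", "production").strip().lower() == "production"
    if not flask_debug_enabled(env):
        return findings  # with debug off the debugger is never mounted; PIN is moot
    if production:
        findings.append(
            "FLASK_DEBUG is on in production: tracebacks and the debugger console are reachable"
        )
    if debugger_pin_disabled(env):
        findings.append("WERKZEUG_DEBUG_PIN=off: the console runs arbitrary Python with no PIN")
    elif debugger_pin_guessable(env):
        findings.append("WERKZEUG_DEBUG_PIN is set to a guessable value")
    return findings


def create_app(env=None):
    """Application factory that runs the audit first. Flask is imported lazily so the
    audit helpers above can be used (and tested) without Flask installed."""
    env = os.environ if env is None else env
    findings = audit_debug_settings(env)
    if findings:
        raise InsecureConfigError("; ".join(findings))

    from flask import Flask

    app = Flask(__name__)

    @app.route("/")
    def index():
        return "ok"

    return app


if __name__ == "__main__":
    # Note that app.run() is the development server; in production the app object
    # is handed to a WSGI server instead, and debug is never passed here.
    create_app().run()
```

Running this with FLASK_DEBUG=1 and no APP_ENV raises InsecureConfigError before any route is served, which is the behaviour you want from a misconfigured container. The check deliberately does not trust the PIN to make a production deployment safe: the only finding that counts as acceptable in production is "debug off".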

Prevention

Never ship debugging features in production environments. Keep FLASK_DEBUG unset (or 0) and WERKZEUG_DEBUG_PIN unset in production, never call app.run(debug=True) outside a developer's workstation, and serve the application through a production WSGI server rather than the built-in development server. Because the console executes arbitrary Python in the server process, a reachable Werkzeug debugger page should be treated as remote code execution, not as an information leak.

References

OWASP Top 10 - Security Misconfiguration

MITRE - CWE-749 Exposed Dangerous Method or Function