Python Debug Mode Enabled Flask
Description
Detects Flask applications configured to run in debug mode, a setting that must never reach production. Debug mode returns detailed tracebacks (source lines, local variables, configuration values) to the client and enables the interactive Werkzeug debugger, whose browser console executes arbitrary Python on the server, making it a critical risk when exposed.
Detection Strategy
• Looks for Flask application run calls, i.e. 'app.run(...)', in the application code
• Checks whether the debug keyword argument is set to True, either literally or through a constant such as 'DEBUG_MODE = True'
• Reports a vulnerability for each such call, since the debugger is then enabled wherever the code is deployed
• Focuses on direct assignments like 'app.run(debug=True)'; values computed at runtime (environment variables, command-line flags) are outside the scope of this rule
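The strategy above can be implemented as a small AST-based check. The following is an added example written for this page, not Fluid Attacks' detector code: it parses Python source, resolves module-level constants such as `DEBUG_MODE = True`, and reports every `<name>.run(..., debug=...)` call whose debug value is provably True. The sample sources at the bottom are constructed inputs; the `find_debug_run_calls` function name is this example's own.

```python
"""Static check for Flask debug mode left on in application code.

Added example (not the original page's or Fluid Attacks' code). It flags
`<anything>.run(debug=True)` and `<anything>.run(debug=NAME)` where NAME is a
module-level constant bound to True, matching the rule's detection strategy.
Dynamic values (os.environ lookups, function calls) are deliberately not
flagged, so the check produces no false positives on runtime-configured apps.
"""
import ast
from typing import Dict, List, Tuple


def _module_constants(tree: ast.Module) -> Dict[str, object]:
    """Collect module-level `NAME = <literal>` bindings, including annotated
    forms such as `DEBUG_MODE: Final = False`."""
    consts: Dict[str, object] = {}
    for node in tree.body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    consts[target.id] = node.value.value
        elif (isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name)
              and isinstance(node.value, ast.Constant)):
            consts[node.target.id] = node.value.value
    return consts


def _is_debug_enabled(value: ast.expr, consts: Dict[str, object]) -> bool:
    """True only when the debug argument is provably the literal True or a
    module-level constant bound to True."""
    if isinstance(value, ast.Constant):
        return value.value is True
    if isinstance(value, ast.Name):
        return consts.get(value.id) is True
    return False


def find_debug_run_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, call_text) for every `*.run(..., debug=<True>)`."""
    tree = ast.parse(source)
    consts = _module_constants(tree)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "run"):
            continue
        for kw in node.keywords:
            if kw.arg == "debug" and _is_debug_enabled(kw.value, consts):
                findings.append((node.lineno, ast.unparse(node)))
    return findings


# Constructed sample inputs for the check (not real project files).
VULNERABLE_SRC = """\
from flask import Flask
app = Flask(__name__)
DEBUG_MODE = True
app.run(debug=DEBUG_MODE)
"""

DIRECT_SRC = """\
from flask import Flask
app = Flask(__name__)
if __name__ == "__main__":
    app.run(debug=True)
"""

SAFE_SRC = """\
from flask import Flask
from typing import Final
app: Flask = Flask(__name__)
DEBUG_MODE: Final = False
app.run(host="0.0.0.0", debug=DEBUG_MODE)
"""

ENV_SRC = """\
import os
from flask import Flask
app = Flask(__name__)
app.run(debug=os.environ.get("FLASK_DEBUG") == "1")
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SRC), ("direct", DIRECT_SRC),
                      ("safe", SAFE_SRC), ("env", ENV_SRC)):
        print(f"{name}: {find_debug_run_calls(src)}")
```

Two caveats a reviewer should keep in mind. First, this covers only the code path the rule describes: debug mode is also switched on by `app.debug = True`, by `FLASK_DEBUG=1` in the environment, or by `flask run --debug`, none of which appear in `app.run(...)`. Second, the check is intentionally conservative: `ENV_SRC` above is not flagged because its value is decided at runtime, so a deployment review is still needed to confirm what that environment actually sets.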
Vulnerable code example
from flask import Flask
app = Flask(__name__)
DEBUG_MODE = True # Dangerous: Debug mode should never be enabled in production
app.run(debug=DEBUG_MODE) # Vulnerable: Exposes debugger with code execution

Secure code example
from flask import Flask
from typing import Final
app: Flask = Flask(__name__)
DEBUG_MODE: Final = False # Security: Debug mode disabled for production
@app.route("/")
def index() -> str: # Minimal handler so the snippet runs as written
    return "OK"
app.run(debug=DEBUG_MODE) # Debugger and reloader stay off