Python Debug Mode Enabled
Description
Detects when FastAPI or Starlette applications have debug mode enabled, which can expose sensitive application details and debugging information to users. This is a security risk in production environments as it could reveal implementation details, stack traces, and internal errors to potential attackers.
Detection Strategy
• Scans Python files for FastAPI or Starlette application initialization
• Checks for debug configuration settings in the application setup
• Reports a vulnerability when debug=True is found in FastAPI/Starlette configuration
• Examines configuration in both direct assignments and parameter passing to app creation
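The following is an added illustration of the detection strategy above, not Fluid Attacks' own scanner: a small AST-based check that flags debug=True both when it is passed to FastAPI()/Starlette() and when it is later set as a direct attribute assignment on the created app. The SAMPLE source is constructed for the demonstration.

```python
# Added example (not the vendor's detection code): AST scan for FastAPI/Starlette
# applications created with debug=True or later given app.debug = True.
import ast

APP_CLASSES = {"FastAPI", "Starlette"}


def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def _call_name(call):
    # Handles both FastAPI(...) and fastapi.FastAPI(...) spellings.
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_debug_enabled(source):
    """Return (line_number, reason) for each debug-mode finding in source."""
    findings = []
    app_names = set()  # variables bound to a FastAPI/Starlette instance
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        # Case 1: app = FastAPI(debug=True) / Starlette(debug=True)
        if isinstance(value, ast.Call) and _call_name(value) in APP_CLASSES:
            app_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
            for kw in value.keywords:
                if kw.arg == "debug" and _is_true(kw.value):
                    findings.append((node.lineno, "debug=True passed to %s()" % _call_name(value)))
        # Case 2: app.debug = True on a previously created application object
        for target in node.targets:
            if (isinstance(target, ast.Attribute) and target.attr == "debug"
                    and isinstance(target.value, ast.Name)
                    and target.value.id in app_names and _is_true(value)):
                findings.append((node.lineno, "%s.debug = True" % target.value.id))
    return findings


# Constructed sample input: two insecure patterns and one safe one.
SAMPLE = """
from fastapi import FastAPI
from starlette.applications import Starlette

app = FastAPI(debug=True)
api = Starlette()
api.debug = True
safe = FastAPI(debug=False)
"""

if __name__ == "__main__":
    for line, reason in find_debug_enabled(SAMPLE):
        print("line %d: %s" % (line, reason))
```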
Vulnerable code example

    from fastapi import FastAPI

    # Vulnerable: Debug mode enabled which can expose sensitive information in production
    app = FastAPI(debug=True)

    @app.get("/")
    def read_root():
        return {"Hello": "World"}

✅ Secure code example
    from fastapi import FastAPI

    # Disable debug mode by default for security
    app = FastAPI(debug=False)  # Debug mode disabled to prevent exposing sensitive details

    @app.get("/")
    def read_root():
        return {"Hello": "World"}