Python Flask Sensitive Data Logging
Description
Detects when sensitive user input received by a Flask application is written to log files. Logs are usually retained for a long time, forwarded to central collectors and readable by operators and tools that have no need to see the original request, so passwords, session or API tokens and personal information written to them can be exposed to unauthorized parties and turn a single log-access incident into an account-compromise incident.
Detection Strategy
• The application code imports both the logging and flask libraries
• The code contains logging calls (e.g. logging.info(), logging.debug(), or the same methods on a Logger object such as app.logger)
• The arguments of those logging calls include user input taken from Flask request objects (request.form, request.args, request.json, request.headers, request.cookies) or similar sources
• The data flow from the request attribute to the logging call is direct: the value is passed as an argument, or assigned to a variable that is then logged, possibly through a format string or f-string
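The four steps above can be implemented as a small intra-procedural taint check on the Python AST. The following is an added example, not Fluid Attacks' own detector: it parses a file, requires both imports, collects names assigned from a Flask request attribute inside each function, and flags every logger call whose arguments reference such a name or access the request object directly. The lists of tainted attributes and logger methods, the receiver-name heuristic and the sample application are assumptions made here for illustration.

```python
import ast

# Flask request attributes that carry user-controlled data (assumed list)
TAINT_SOURCES = {"form", "args", "values", "json", "data", "cookies",
                 "headers", "files", "get_json", "get_data"}
# Methods of logging.Logger / the logging module that write records
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical",
               "exception", "log"}


def _imported_modules(tree):
    """Top-level module names imported anywhere in the file (step 1)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module.split(".")[0])
    return names


def _is_request_source(node):
    """True for expressions rooted in a Flask request attribute, e.g.
    request.form.get("password"), request.args["q"], request.get_json()."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        if isinstance(node, ast.Call):
            node = node.func
        elif isinstance(node, ast.Attribute):
            if (isinstance(node.value, ast.Name) and node.value.id == "request"
                    and node.attr in TAINT_SOURCES):
                return True
            node = node.value
        else:  # ast.Subscript
            node = node.value
    return False


def _is_log_call(node):
    """logging.info(...), logger.debug(...), app.logger.warning(...) (step 2).
    The receiver must look like a logger so unrelated .info() methods are
    not flagged (heuristic, assumed here)."""
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in LOG_METHODS):
        return False
    receiver = node.func.value
    name = receiver.id if isinstance(receiver, ast.Name) else getattr(receiver, "attr", "")
    return name.lower() in {"logging", "logger", "log"}


def _log_arguments(call):
    return list(call.args) + [kw.value for kw in call.keywords]


def find_sensitive_logging(source):
    """Return [{"function": ..., "line": ...}] for every logging call whose
    arguments are fed by Flask request data (steps 3 and 4)."""
    tree = ast.parse(source)
    if not {"logging", "flask"} <= _imported_modules(tree):
        return []
    findings, seen = [], set()
    for func in ast.walk(tree):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Step 4 (intra-procedural, order-insensitive): names assigned from a
        # request attribute anywhere in the function are tainted.
        tainted = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and _is_request_source(node.value):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        for node in ast.walk(func):
            if not _is_log_call(node) or (node.lineno, node.col_offset) in seen:
                continue
            # Step 3: walk every argument, including f-string pieces, looking
            # for a tainted name or a direct request.* access.
            if any((isinstance(sub, ast.Name) and sub.id in tainted) or _is_request_source(sub)
                   for arg in _log_arguments(node) for sub in ast.walk(arg)):
                seen.add((node.lineno, node.col_offset))
                findings.append({"function": func.name, "line": node.lineno})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample application (not a real project): two findings expected,
# on the lines of logging.info(...) in login() and app.logger.debug(...) in search().
SAMPLE_APP = '''
import logging
from flask import Flask, request

app = Flask(__name__)
logger = logging.getLogger(__name__)

@app.route("/login", methods=["POST"])
def login():
    password = request.form.get("password")
    logging.info("Login attempt with password: %s", password)
    return "ok"

@app.route("/search")
def search():
    app.logger.debug(f"query={request.args['q']}")
    return "ok"

@app.route("/health")
def health():
    logger.info("health check ok, user=%s", "anonymous")
    return "ok"
'''

if __name__ == "__main__":
    for finding in find_sensitive_logging(SAMPLE_APP):
        print(f"{finding['function']}: sensitive request data logged on line {finding['line']}")
```

The check is deliberately order-insensitive inside a function (a name assigned from the request anywhere in the body counts as tainted), which over-approximates slightly but keeps the detector simple; it does not follow data across function boundaries, so a helper that returns request data would need a second rule.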
Vulnerable code example
import logging
from flask import request

def unsafe_login():
    password = request.form.get('password')
    # VULNERABLE: Logging sensitive password in cleartext
    logging.info("Login attempt with password: %s", password)
✅ Secure code example
import logging
import hashlib
from flask import request

def safe_login():
    password = request.form.get('password')
    # SAFE: Only log hash of password, never the cleartext value
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    ...
Note that an unsalted SHA-256 of a user-chosen password is only marginally better than the cleartext: passwords have low entropy, so anyone who can read the log can recover most of them with an offline dictionary attack against the hash, and the hash must therefore still be treated as sensitive. The safest choice is to log nothing derived from the secret at all: record the username, a request identifier and the outcome of the attempt, and redact sensitive fields before any request data reaches the logger.