Penetration Testing in Flask Application

Have you had a problem figuring out how to detect vulnerabilities in your Flask application? 

Do you know what penetration testing is and how to apply it in your Flask application? 

If you’re asking yourself these questions, you are right on track. In this article, you’ll learn about penetration testing (also known as pen testing), the importance of pen testing your applications, and the process of pen testing a Flask application.

It is critical to understand and apply pen testing. It aids you in identifying security flaws in your application so that you can address them before they reach the end-user. If your software is delivered to the end-user with flaws, hackers may be able to take advantage of it, and personal data may be exposed.

Prerequisites

What is Penetration Testing?

Penetration testing is the process of hacking your software to find flaws and determine where security improvements should be made. A penetration test is used to uncover application vulnerabilities as soon as possible.

Penetration testing lets engineers check and measure the security of their web application by simulating a real cyber attack under controlled conditions. However, most engineers find it challenging to decide which parameters and components of the application belong on the pen testing checklist, and how to go about testing them.

This is where OWASP Foundation comes in. The OWASP Foundation is a non-profit organization that works to improve security in software applications. It is a reference point when doing anything related to security in your software.

The OWASP Foundation provides a list, the OWASP Top 10, which is a standard awareness document that lists the most detrimental cyber security risks to web applications out there. 

Reasons for Penetration Testing

There are a lot of reasons you should perform pen testing. A few have been listed here:

  1. Avoid incurring financial losses.
  2. Comply with security standards.
  3. Discover and solve your security flaws.

Penetration Testing in Flask Applications

You may manually test your Flask application by going through the OWASP Top 10 list one item at a time and checking your Flask application for each vulnerability.

For example, pick A5:2017–Broken Access Control. All you need to do is check whether:

  1. An average authenticated user is able to access the admin page.
  2. A regular authenticated user can access the database, etc. 

You can also pick A2:2017–Broken Authentication and check whether:

  1. Your application allows automated attacks such as credential stuffing.
  2. Default, weak, or well-known passwords such as “Password1”, or easy-to-guess user names, are allowed.

You’ll know what needs to be fixed and what changes need to be made from there. This approach can be used to find any flaw in your Flask application or any application for that matter. 

Apart from doing penetration tests manually, you can also use tools to help with the testing. Some of the tools that can be used to pen test Flask applications are w3af, Flask Unsign, Zed Attack Proxy (ZAP), etc. In this article, Flask Unsign and ZAP will be covered.

Introduction to Zed Attack Proxy

Zed Attack Proxy, aka ZAP, is an open-source pen testing tool developed by OWASP. ZAP imitates the actions frequently carried out by malicious users to find out where the vulnerabilities lie.

When you use ZAP on your application, all of the URLs in it are scanned for vulnerabilities. Then they are attacked to confirm the vulnerabilities actually exist and to eliminate false positives. ZAP is a fantastic tool since it works well with automated tests, provides clear, actionable information on how to solve the security problems present in an application, shows you exactly what’s wrong with your code, and saves you time.

How to Use ZAP on Your Flask Application

To start using ZAP, you need to download it on your local machine.

Note: Linux is used in this example. So, your UI might be different depending on the operating system you are using.

Once you open ZAP on your system, you should see something like the image below. Click on “Automated Scan”.

[Image: the opening page of Zed Attack Proxy (ZAP), the pen testing program by OWASP, with the “Automated Scan” option highlighted.]

After you click on “Automated Scan”, you will be taken to a form where you need to input your application’s URL. Do that and click the “Attack” button.

For this tutorial, I will use an already deployed Flask application. You can also test the code directly and see if you can make it more secure.

[Image: the ZAP page confirming which URL you wish to pen test, with the “Attack” button that initiates the pen testing process.]

Next, ZAP goes through all the URLs, acting as a user of the application, and sends various sets of inputs to test for vulnerabilities.

When the penetration test is complete, you should see something like this:

[Image: the results of the pen test as shown in ZAP.]

Introduction to Flask Unsign

Flask Unsign is a pen testing tool that takes a signed session cookie and tries to recover the Flask server’s secret key by testing it against a wordlist of commonly used and publicly known secret keys.

It is a command-line program that can fetch, decode, brute-force, and craft session cookies of a Flask application by guessing its secret key.

How to Use Flask Unsign on Your Flask Application

To use Flask Unsign, you have to install it by running:

$ pip3 install 'flask-unsign[wordlist]'

To get an overview of all possible options, run:

$ flask-unsign

You can use Flask Unsign’s automatic session grabbing functionality by passing the --server argument instead of the --cookie argument, followed by the URL of the website you want to get the session cookie from:

$ flask-unsign --decode --server 'https://www.example.com/login'

Example: 

$ flask-unsign --decode --server 'https://sleepy-fjord-94640.herokuapp.com/login?next=%2F'

After running that, the session cookie will be displayed in its encoded form. It will look something like this:

eyJjc3JmX3Rva2VuIjoiYWNlYzNmMDcxNWU3YTVhMjU2MDU5ZjYwZWY4NGEzMTYyNjllODY1OSJ9.FAtBlQ.JlX17t_9vszgUqidcsGBDMEUfsA

Next, save the session cookie you got to a file named cookie.txt and run:

$ flask-unsign --unsign --cookie < cookie.txt

You should see:

[Image: Flask Unsign output showing that the secret key could not be discovered by the tool, implying that the app is safe from this brute-force attack.]

Flask Unsign wasn’t able to recover the secret key, so it could not forge the session cookie. That means your secret key is not among the commonly used keys in its wordlist and your session cookie is secure enough.

If the session cookie wasn’t secure, you would have seen this:

[Image: Flask Unsign output showing that the secret key was discovered by the tool, implying that the app is not safe from brute-force attacks and needs to be secured.]

As you can see, Flask Unsign was able to recover the secret key and could therefore forge the session cookie, which shows that it isn’t safe enough.
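The following stdlib-only Python is an added illustration, not part of the original article or of the Flask Unsign project: it decodes the payload of the session cookie quoted above (a Flask session cookie is signed, not encrypted, so its contents are readable by anyone who holds it) and audits a SECRET_KEY the way a defender would before deploying. The WEAK_KEYS wordlist is a constructed stand-in for the real wordlist Flask Unsign ships with, and the 32-character minimum is an assumed policy.

```python
import base64
import json
import secrets
import zlib

# Session cookie quoted on this page; layout is <payload>.<timestamp>.<signature>.
PAGE_COOKIE = (
    "eyJjc3JmX3Rva2VuIjoiYWNlYzNmMDcxNWU3YTVhMjU2MDU5ZjYwZWY4NGEzMTYyNjllODY1OSJ9"
    ".FAtBlQ.JlX17t_9vszgUqidcsGBDMEUfsA"
)

# Constructed stand-in for a public "well-known Flask secret keys" wordlist.
WEAK_KEYS = {"secret", "changeme", "password", "dev", "flask", "supersecretkey"}


def decode_session_payload(cookie: str) -> dict:
    """Return the session data stored in a Flask cookie WITHOUT verifying the signature.

    A payload that starts with '.' was zlib-compressed before base64 encoding
    (itsdangerous convention); the base64 is URL-safe with padding stripped.
    """
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    payload = cookie.split(".", 1)[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def audit_secret_key(key: str, wordlist=WEAK_KEYS, min_len: int = 32) -> list:
    """Return a list of findings for a SECRET_KEY; an empty list means nothing was found."""
    findings = []
    if key in wordlist:
        findings.append("key appears in a public wordlist")
    if len(key) < min_len:
        findings.append(f"key shorter than {min_len} characters")
    if len(set(key)) < 8:  # 'aaaa...' passes the length check but is trivially guessable
        findings.append("key uses fewer than 8 distinct characters")
    return findings


def generate_secret_key() -> str:
    """64 hex characters (256 bits) from the OS CSPRNG, as the Flask docs recommend."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print("session data:", decode_session_payload(PAGE_COOKIE))
    print("findings for 'changeme':", audit_secret_key("changeme"))
    print("findings for a generated key:", audit_secret_key(generate_secret_key()))
```

A key that is merely absent from the wordlist can still be weak, so treat a clean Flask Unsign run as one check among several rather than proof of a strong key. Because the payload is readable, never store passwords, tokens or other secrets in the Flask session itself.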

Conclusion

Doing pen testing manually can be effective but tedious. You have to start thinking like a malicious user to attack your application more effectively. Manual pen testing is prone to human error, which is why using a tool is most advisable.

In this article, I went over what pen testing is, why it’s important, and how to do it on a Flask application. After that, we discussed two tools that you can use to test your Flask application easily, thoroughly, and effectively. 

Hopefully, from now on, you will start pen testing your Flask applications.