Description
Kayran has detected that a Flask web application is being used in ‘Debug Mode’.
When software developers are developing applications, they often enable the ‘debug mode’ for testing purposes.
Flask Debug Mode is categorized as a ‘Active Debug Code’ vulnerability (CWE-489).
The application is being deployed to unauthorized actors with debugging code still enabled or active.
That could lead to existing, unintended entry points or expose sensitive information.
Attackers could abuse this and the fact that the interactive debugger is enabled, to execute Arbitrary Codes.
If an attacker can successfully initiate and perform a remote debugging session, it may result in exposing sensitive information about the application and it’s supportive infrastructure.
That, might be be of useful for attackers in creating more-focused attacks on the system.
Recommendation
Make sure that all production machines never use the Debug Mode.
Make sure to disable Debug Mode before releasing the application to production.
Make sure that all of the “DEBUG” statements are disabled or can be used only by those who are authorized to do so.