Privilege Escalation in Flask
How Privilege Escalation Manifests in Flask
Privilege escalation in Flask applications typically occurs when an attacker exploits improper access controls to gain elevated permissions. Flask's simplicity and flexibility, while powerful, can create security gaps if developers don't explicitly implement proper authorization checks.
The most common Flask-specific privilege escalation pattern involves role-based access control failures. Consider an e-commerce Flask app where users have different roles (customer, admin, superuser). A vulnerable endpoint might look like this:
from flask import Flask, session, request
app = Flask(__name__)
@app.route('/admin/delete_user/<user_id>')
def delete_user(user_id):
# NO authorization check!
user = get_user_from_db(user_id)
delete_user_from_db(user)
return 'User deleted', 200
Any authenticated user can access /admin/delete_user/123 and delete arbitrary users. The absence of a role check before performing the deletion is the core vulnerability.
Another Flask-specific pattern involves improper session management. Flask's default session uses client-side signed cookies, which developers might incorrectly assume are secure:
from flask import Flask, session
app = Flask(__name__)
app.secret_key = 'weak-default-key'
@app.route('/set_role')
def set_role():
session['role'] = request.args.get('role', 'user')
return 'Role set to: ' + session['role']
With a weak secret key, an attacker can forge session cookies and escalate to admin privileges. The client-side nature of Flask sessions requires careful secret key management and validation.
Flask's decorator-based routing can also lead to privilege escalation when developers forget to protect certain endpoints. A common mistake is protecting only some routes:
from functools import wraps
def admin_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
if session.get('role') != 'admin':
return 'Access denied', 403
return f(*args, **kwargs)
return decorated_function
@app.route('/public/data')
def public_data():
return get_sensitive_data()
@app.route('/admin/secret')
@admin_required
def admin_secret():
return get_admin_data()
The /public/data endpoint exposes sensitive information without any authorization check, allowing any user to access admin-level data.
Database query patterns in Flask can also enable privilege escalation. Using raw SQL with string formatting instead of parameterized queries creates injection opportunities:
@app.route('/user/<user_id>/orders')
def user_orders(user_id):
# Vulnerable to SQL injection
query = f"SELECT * FROM orders WHERE user_id = '{user_id}'"
orders = db.execute(query).fetchall()
return jsonify(orders)
An attacker could manipulate the URL to access other users' orders by injecting SQL payloads, effectively escalating their data access privileges.
Flask-Specific Detection
Detecting privilege escalation in Flask requires both static code analysis and dynamic runtime testing. For static analysis, look for patterns where authorization checks are missing or improperly implemented.
Code review should focus on these Flask-specific indicators:
# Look for endpoints without decorators
@app.route('/sensitive/endpoint')
def sensitive_endpoint():
# Is there an authorization check here?
return sensitive_data
# Check for missing role validation
@app.route('/admin/action')
def admin_action():
# Missing: if session['role'] != 'admin': return deny
perform_admin_action()
return 'Done'
Dynamic testing involves systematically attempting to access protected endpoints without proper credentials. For Flask applications, this means:
# Test unauthenticated access to protected routes
response = requests.get('http://localhost:5000/admin/delete_user/1')
assert response.status_code != 200, "Privilege escalation possible"
# Test session manipulation
# Attempt to modify session data via cookies
cookies = {'session': forged_session_cookie}
response = requests.get('http://localhost:5000/admin/secret', cookies=cookies)
assert response.status_code == 403, "Session-based escalation possible"
middleBrick's black-box scanning approach is particularly effective for Flask applications because it tests the actual running API without requiring source code access. The scanner automatically checks for common Flask privilege escalation patterns:
- Missing authorization decorators on sensitive endpoints
- Improper session validation
- Role-based access control bypasses
- SQL injection vulnerabilities in Flask-SQLAlchemy queries
- Flask-specific authentication bypass techniques
The scanner tests endpoints by sending requests with different authentication states and analyzing the responses for privilege escalation indicators. For example, it might attempt to access an admin endpoint with a regular user's session cookie to verify proper authorization enforcement.
middleBrick also analyzes Flask's routing patterns to identify endpoints that should require authentication but don't have proper guards. The scanner's OpenAPI spec analysis can detect when Flask route definitions don't match the documented security requirements.
Flask-Specific Remediation
Remediating privilege escalation in Flask requires a defense-in-depth approach using Flask's built-in features and best practices. The foundation is implementing proper role-based access control throughout your application.
Flask's decorator system provides an elegant way to enforce authorization:
from functools import wraps
from flask import session, abort
def role_required(required_role):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
user_role = session.get('role')
if user_role != required_role:
abort(403)
return f(*args, **kwargs)
return decorated_function
return decorator
@app.route('/admin/delete_user/<user_id>')
@role_required('admin')
def delete_user(user_id):
user = get_user_from_db(user_id)
delete_user_from_db(user)
return 'User deleted', 200
This ensures the authorization check executes before the endpoint logic, preventing unauthorized access.
For more complex authorization scenarios, Flask-Principal provides a robust permissions system:
from flask_principal import Principal, Permission, RoleNeed
from flask import Flask
app = Flask(__name__)
principals = Principal(app)
admin_permission = Permission(RoleNeed('admin'))
def admin_required(f):
@wraps(f)
def decorated(*args, **kwargs):
if not admin_permission.can():
abort(403)
return f(*args, **kwargs)
return decorated
@app.route('/admin/secret')
@admin_required
def admin_secret():
return get_admin_data()
This approach separates authorization logic from business logic, making it easier to maintain and audit.
Session security is critical for Flask applications. Use strong secret keys and consider server-side session storage:
app.secret_key = os.environ.get('FLASK_SECRET_KEY')
# or use server-side sessions
from flask_session import Session
app.config['SESSION_TYPE'] = 'filesystem'
Session(app)
Never use weak default keys or expose session secrets in your codebase.
Database queries in Flask should always use parameterized statements to prevent SQL injection:
from flask_sqlalchemy import SQLAlchemy
from sqlalchemy import text
db = SQLAlchemy(app)
@app.route('/user/<user_id>/orders')
def user_orders(user_id):
# Safe: parameterized query
query = text("SELECT * FROM orders WHERE user_id = :user_id")
orders = db.engine.execute(query, {'user_id': user_id}).fetchall()
return jsonify(orders)
This prevents attackers from manipulating queries to access unauthorized data.
For comprehensive protection, implement the principle of least privilege at the database level:
# Database user permissions
# Application DB user can only SELECT from orders table
# Admin DB user has full permissions but only used in admin contexts
Combine these technical controls with regular security testing using middleBrick to continuously verify your privilege escalation defenses remain effective as your Flask application evolves.