Brute Force Attack in Flask

A brute force attack in a Flask application typically targets authentication endpoints, password reset mechanisms, or API endpoints that rely on simple token or password verification. In Flask, this often occurs when developers implement their own login routes without rate limiting or account lockout mechanisms. For example, a common pattern is a POST /login endpoint that directly compares user-provided credentials against a database using werkzeug.security.check_password_hash() without throttling failed attempts. Each failed guess results in a full database query, making it trivial for attackers to automate credential stuffing using tools like hydra or custom Python scripts.

Consider the following Flask route:

from flask import Flask, request, jsonify
import sqlite3

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    data = request.get_json()
    username = data.get('username')
    password = data.get('password')

    conn = sqlite3.connect('users.db')
    cur = conn.cursor()
    cur.execute("SELECT password FROM users WHERE username = ?", (username,))
    row = cur.fetchone()
    if row and row[0] == password:  # Insecure direct comparison

        return jsonify({'status': 'success'})
    else:
        return jsonify({'error': 'Invalid credentials'}), 401

    conn.close()

if __name__ == '__main__':
    app.run(debug=True)

This code lacks rate limiting, account lockout, or CAPTCHA mechanisms. Attackers can submit thousands of username/password combinations per second using tools like:

hydra -L usernames.txt -P passwords.txt http://example.com/login POST "username=^s{username}\^p{password}^" -s 443 -V

Flask applications often expose such endpoints over HTTP in development or staging environments, making them especially vulnerable. Additionally, when developers use Flask's flask-limiter extension incorrectly or omit it entirely, the application remains exposed to credential enumeration attacks where error messages differentiate between

Detecting brute force attacks in Flask requires monitoring for patterns indicative of repeated failed authentication attempts, especially targeting endpoints like /login, /api/v1/auth, or /reset-password. middleBrick identifies this risk by scanning unauthenticated endpoints and analyzing response patterns across multiple requests. During a scan, middleBrick may simulate hundreds of credential combinations against your /login endpoint and observe whether the application responds with consistent error messages (e.g., "Invalid credentials") or distinguishes between invalid usernames and invalid passwords — a sign of user enumeration.

For example, middleBrick might send these requests:

POST /login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username": "admin", "password": "password1"}

POST /login HTTP/1.1
Host: example.com
Content-Type: application/json

{"username": "admin", "password": "password2"}

If both return subtly different responses — such as one indicating "User not found" and another "Invalid password" — middleBrick flags this as a potential user enumeration vulnerability, which is a precursor to brute force attacks. Additionally, middleBrick evaluates the number of failed attempts within a short window and compares it against expected traffic patterns. Since no authentication is required to initiate a scan, middleBrick can detect exposed endpoints that lack IP-based rate limiting or CAPTCHA, even if they are not publicly documented. This aligns with OWASP API Top 10 category A07:2023 — Identification and Authentication Failures.

middleBrick does not require API keys or authentication to perform these checks, making it ideal for black-box assessment of public-facing Flask APIs. The tool aggregates findings into a risk score and provides specific remediation guidance tailored to Flask's ecosystem.

Remediation of brute force vulnerabilities in Flask applications involves implementing rate limiting, account lockout policies, and secure credential handling. One effective approach is to use the flask-limiter extension to restrict the number of requests per IP address. For example:

from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

limiter = Limiter(app, key_func=get_remote_address)

@app.route('/login', methods=['POST'])
@limiter.limit('5 per minute')  # Limit to 5 login attempts per minute per IP
@limiter.limit('10 per hour', per_method=True)
def login():
    # ... existing logic

    # ... existing logic

    # 

Additionally, Flask applications should avoid disclosing specific error details. Instead of returning different messages for invalid usernames vs. invalid passwords, return a generic "Invalid credentials" message to prevent user enumeration. Another best practice is to implement account lockout after a configurable number of failed attempts, combined with a delay that increases exponentially with each subsequent failure. For password storage, always use werkzeug.security.generate_password_hash() and check_password_hash() with a strong algorithm like PBKDF2 or Argon2, never store plaintext passwords. Finally, consider integrating CAPTCHA (e.g., Google reCAPTCHA) on login and password reset forms to block automated tools.

Example of secure password handling:

from werkzeug.security import generate_password_hash, check_password_hash

# During registration
hashed_pw = generate_password_hash(password)

# During login
if check_password_hash(user['password_hash'], password):
    # Authentication successful

These measures collectively reduce the risk of brute force attacks. middleBrick can validate that your Flask application now enforces rate limits and returns consistent responses, helping you maintain compliance with security frameworks like PCI-DSS and OWASP Top 10.

Q: Can middleBrick scan my Flask app if it only has a staging URL with basic auth?
A: Yes. middleBrick performs black-box scanning and does not require credentials. You can provide an unauthenticated URL (e.g., http://staging.example.com/login) and middleBrick will test it directly without needing login details.

Q: Does middleBrick automatically block brute force attacks?
A: No. middleBrick detects and reports vulnerabilities, including those indicative of brute force risks, and provides remediation guidance. It does not block traffic or enforce policies — it only informs you of findings so your team can take action.