Mojolicious weak secret key - Vulnerability Database

Mojolicious weak secret key

Description

Mojolicious keeps session state on the client: the serialized session is base64 encoded and stored in a cookie together with an HMAC computed over it with the application's secret passphrase (the app->secrets attribute). The signature lets the server detect tampering, but the contents themselves are not encrypted. If no secret is configured, Mojolicious falls back to the application moniker (the application's own name) and logs a warning. This application is using such a default, or an otherwise weak or commonly used, secret. Anyone who knows the secret can compute a valid signature over session data of their choosing, for example a session naming another user's identifier, and the application will accept it as genuine. Invicti identified the secret in use, demonstrating that attackers can also discover it.

Remediation

Generate a cryptographically strong random secret and configure your Mojolicious application to use it. The secret should be at least 32 characters long and come from a cryptographic random source, not from a password, a hostname, or the application name. Note that secrets takes an array reference: only the first entry is used to sign new cookies, while every entry is tried when verifying incoming ones, which is what makes safe rotation possible.

Update your application configuration:

use Mojolicious::Lite;

# Generate a random secret (do this once, then store it securely)
app->secrets(['your-randomly-generated-secret-key-here']);

app->start;

For production environments, store the secret in an environment variable or a secure configuration management system rather than hardcoding it, and fail closed if it is missing, so that the application never silently starts with an undefined secret:

use Mojolicious::Lite;

# Refuse to start without a configured secret rather than signing
# cookies with an empty or default value
my $secret = $ENV{MOJOLICIOUS_SECRET}
  or die "MOJOLICIOUS_SECRET is not set\n";
app->secrets([$secret]);

app->start;

Generate a secure random secret from a cryptographic source (Perl's built-in rand is not one and should not be used for keys):

openssl rand -hex 32

This produces 64 hexadecimal characters carrying 256 bits of entropy.

If you simply replace the secret, every existing session cookie fails signature verification and all users are logged out and must re-authenticate. To rotate without that disruption, put the new secret first in the list and keep the old one behind it until outstanding sessions have expired, then remove it. Be aware that while the old secret remains in the list, anyone who knows it can still forge sessions; if the secret is known to be exposed, drop it immediately and accept the forced re-authentication.
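The following test script is an added example, not part of the Invicti entry or the Mojolicious project. It builds a minimal Mojolicious::Lite application and uses Test::Mojo to show both ways of changing the secret: rotation, where the new secret is placed in front and the old one kept for verification so an existing session survives, and a hard cutover, where the old cookie is rejected and the user is logged out. The secret values are constructed for the demonstration and are not real keys.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojolicious::Lite;
use Test::More;
use Test::Mojo;

# Constructed demo values, not real keys: a guessable secret of the kind
# the scanner flags, and a replacement such as "openssl rand -hex 32" yields.
my $weak_secret   = 'myapp';
my $strong_secret = 'e0b6b2f5c5a51a5b9d4c1e3b7f8a2d6c4e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b';

app->secrets([$weak_secret]);

# Minimal login: the session cookie carries the user id as base64-encoded
# JSON signed with secrets->[0]. Nothing in it is encrypted.
get '/login' => sub {
  my $c = shift;
  $c->session(user => 'alice');
  $c->render(text => 'logged in');
};

get '/whoami' => sub {
  my $c = shift;
  $c->render(text => $c->session('user') // 'nobody');
};

my $t = Test::Mojo->new;

# Scenario 1: rotation. The new secret goes in front (used for signing),
# the old one stays behind it for verification, so a session signed under
# the weak secret is still accepted.
$t->get_ok('/login')->status_is(200);
$t->app->secrets([$strong_secret, $weak_secret]);
$t->get_ok('/whoami')->status_is(200)
  ->content_is('alice', 'rotation keeps the existing session');

# Mojolicious re-issues the session cookie on every request, so that one
# request re-signed it with the strong secret; the weak one can now go.
$t->app->secrets([$strong_secret]);
$t->get_ok('/whoami')->status_is(200)
  ->content_is('alice', 'cookie was re-signed with the new secret');

# Scenario 2: hard cutover. Replacing the secret outright fails signature
# verification for every cookie signed with the old one; the user is
# simply logged out and has to authenticate again.
$t->reset_session;
$t->app->secrets([$weak_secret]);
$t->get_ok('/login')->status_is(200);
$t->app->secrets([$strong_secret]);
$t->get_ok('/whoami')->status_is(200)
  ->content_is('nobody', 'hard cutover invalidates the session');

done_testing;
```

Run it with prove or plain perl; both scenarios should pass. The second scenario is the safe choice when the weak secret is known to be exposed, since a rotation window would leave it usable for forging sessions.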
