Tornado weak secret key - Vulnerability Database

Tornado weak secret key

Description

The Tornado web framework uses signed cookies to protect user session data from tampering by signing cookie values with a secret key. This application is configured with a weak, default, or publicly known secret key that can be easily guessed or discovered by attackers. Invicti successfully identified the secret key being used, demonstrating that it is not sufficiently random or unique.

Remediation

Generate a strong, cryptographically random secret key and configure it in your Tornado application settings. The secret key should be at least 32 characters long and contain random alphanumeric characters and symbols.

Update your application configuration:

    import os
    import base64
    import tornado.web

    # Generate a secure random secret (run once, then store the output):
    # secret_key = base64.b64encode(os.urandom(32)).decode('utf-8')

    application = tornado.web.Application([
        # your handlers here
    ], cookie_secret="YOUR_GENERATED_SECRET_KEY_HERE")

Store the secret key securely using environment variables or a secrets management system rather than hardcoding it in source code. Never use default values, dictionary words, or publicly known strings. Rotate the secret key periodically and whenever there is a suspected compromise.
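The following is an added example, not Invicti's or Tornado's own code, showing one way to enforce the remediation above at startup: the secret is read from an environment variable (the name TORNADO_COOKIE_SECRET, the placeholder list and the entropy threshold are this example's assumptions), rejected if it is a placeholder, shorter than 32 characters or low-entropy, and the resulting settings dict is what you would pass as keyword arguments to tornado.web.Application.

```python
import base64
import math
import os
from collections import Counter
from typing import Dict, List, Optional

# Values that must never be used as cookie_secret. Constructed illustration of
# placeholders commonly left in sample code; not the scanner's own wordlist.
KNOWN_WEAK_SECRETS = {
    "__todo__", "secret", "changeme", "password", "cookie_secret",
    "your_generated_secret_key_here",
}
MIN_SECRET_LENGTH = 32    # minimum length the remediation asks for
MIN_BITS_PER_CHAR = 3.0   # assumed threshold; base64 of random bytes scores ~5


def generate_cookie_secret(num_bytes: int = 32) -> str:
    """Return a fresh cookie_secret: base64 of 32 CSPRNG bytes (44 chars)."""
    return base64.b64encode(os.urandom(num_bytes)).decode("ascii")


def shannon_bits_per_char(value: str) -> float:
    """Shannon entropy estimate per character; 0.0 for a single repeated char."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_cookie_secret(value: str) -> List[str]:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if not value:
        return ["cookie_secret is empty"]
    if value.lower() in KNOWN_WEAK_SECRETS:
        problems.append("cookie_secret is a default or placeholder value")
    if len(value) < MIN_SECRET_LENGTH:
        problems.append(f"cookie_secret is {len(value)} chars; need >= {MIN_SECRET_LENGTH}")
    if shannon_bits_per_char(value) < MIN_BITS_PER_CHAR:
        problems.append("cookie_secret has low character entropy")
    return problems


def load_settings(env: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Build Application settings; refuse to start rather than run with a weak secret."""
    env = dict(os.environ) if env is None else env
    secret = env.get("TORNADO_COOKIE_SECRET", "")
    problems = check_cookie_secret(secret)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {"cookie_secret": secret, "xsrf_cookies": True}
```

Use it as `tornado.web.Application(handlers, **load_settings())` so a missing or weak secret fails deployment instead of silently shipping forgeable session cookies.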
