flask-unsign

Decode a Flask session cookie

$ flask-unsign --decode --cookie "[cookie_value]"

$ flask-unsign --unsign --cookie "[cookie]" --wordlist [wordlist.txt]

$ flask-unsign --sign --cookie "{'user':'admin'}" --secret "[key]"

$ flask-unsign --decode --cookie "[cookie]" --no-verify

flask-unsign [options]

Flask-unsign is a security testing tool for analyzing and manipulating Flask session cookies. Flask stores session data in cryptographically signed cookies, and this tool can decode the contents, attempt to recover the secret key through brute-force attacks, and craft custom signed cookies.
The tool is primarily used in web application security assessments to test Flask applications for weak secret keys. If the secret key can be recovered, attackers could forge arbitrary session data, potentially leading to privilege escalation or authentication bypass vulnerabilities.
Flask-unsign supports multithreaded brute-forcing, custom wordlists, and both encoding and decoding operations. It can work with sessions even when the signature verification fails, allowing inspection of tampered or expired cookies.

--decode

Decode session cookie.

Brute force secret key.

Sign a cookie.

Cookie value.

Secret key.

Wordlist for brute forcing.

Skip signature verification.

Number of threads.

flask(1)