flask-unsign
Unsign Flask session cookies
TLDR
Decode a Flask session cookie (no secret key needed: the payload is only encoded, not encrypted)
Decode the session cookie that a URL sets in its Set-Cookie response header
Brute-force the secret key using the default wordlist (requires the separate flask-unsign-wordlist package)
Brute-force the secret key with a custom wordlist (add --no-literal-eval when the entries are plain, unquoted strings)
Sign a new session cookie with a known secret key
Sign a session cookie with the legacy timestamp format (for applications on itsdangerous versions before 1.0)
Brute-force the secret key with a custom thread count and no literal evaluation of wordlist entries
SYNOPSIS
flask-unsign (--decode | --unsign | --sign) [OPTIONS]
Modes (exactly one is given; there are no subcommands):
--decode    print the payload of a session cookie; needs no key
--unsign    brute-force the secret key that signed a cookie
--sign      sign a new session cookie with a known secret key
PARAMETERS
--decode
Decode the payload of a session cookie and print it. No secret key is needed: the payload is base64-encoded (and zlib-compressed when that is shorter), never encrypted, so anyone holding the cookie can read it.
--unsign
Brute-force the secret key that signed the cookie, using the default wordlist from the flask-unsign-wordlist package or one supplied with --wordlist. The work is entirely offline; the target is not contacted.
--sign
Sign a new session cookie from the session contents given with --cookie, using the key given with --secret.
-c, --cookie
The session cookie value to decode or crack. With --sign it is instead the session contents to sign, written as a Python literal, e.g. "{'logged_in': True}". A cookie saved to a file can be fed on standard input with --cookie < cookie.txt.
--secret
The application's secret key, written as a Python literal: quote a string key, or use a bytes literal such as b'...' when SECRET_KEY is bytes. Required for --sign.
-w, --wordlist
Path to a wordlist of candidate secret keys for --unsign. Without it the tool falls back to the default wordlist installed by flask-unsign-wordlist.
--threads
Number of threads used while cracking; the default is 8.
-nE, --no-literal-eval
Use wordlist entries verbatim. By default every line is evaluated as a Python literal, so that entries such as 'secret' or b'secret' become the string or bytes key they denote; a plain wordlist of unquoted words should be run with this option.
-l, --legacy
When signing, write the timestamp in the format of itsdangerous versions before 1.0 (seconds since 2011-01-01 rather than since the Unix epoch). Needed to forge cookies that an application pinned to an old itsdangerous release will accept as fresh. It does not affect cracking: the signature covers the raw timestamp bytes whatever epoch they count from.
--server
Fetch the cookie from a URL instead of --cookie: the tool requests the page and reads the session cookie from the Set-Cookie response header, which is convenient when the application issues a session on first visit.
--salt
Salt used when deriving the signing key. Defaults to cookie-session, the salt Flask uses for its session cookies; change it only when the application signs with a custom salt, otherwise neither cracking nor signing will succeed.
-h, --help
Display the help message and exit. Run it against the installed version to confirm the exact option set, since options have changed between releases.
DESCRIPTION
flask-unsign is a command-line utility for security researchers and penetration testers that fetches, decodes, brute-forces and forges Flask session cookies. Flask keeps the session on the client: the cookie is the session data serialized to JSON, base64-encoded (zlib-compressed when that is shorter, marked by a leading dot), joined with a timestamp and signed with HMAC-SHA1 through the itsdangerous URLSafeTimedSerializer, using a key derived from the application's SECRET_KEY and the salt cookie-session. The signature provides integrity only; nothing is encrypted. flask-unsign works on exactly that mechanism and offers three modes:
Decode (--decode): read the payload of a session cookie without any key, revealing the session's structure and contents. Anyone holding the cookie can do this, so data placed in the session must never be treated as confidential.
Sign (--sign): forge a new session cookie with an arbitrary payload, given the application's secret key. This lets a tester inject attacker-chosen session data, such as another user's identity or an elevated role.
Crack (--unsign): recover the secret key by trying candidate keys from a wordlist until one reproduces the cookie's signature. This is usually the real goal, because the secret key gives full control over session forging for every user of the application.
Compressed payloads are detected automatically, the salt can be changed with --salt, and --legacy selects the pre-1.0 itsdangerous timestamp format, so the tool adapts to the Flask/itsdangerous configurations found in the wild. It is a standard part of web application audits and of Capture The Flag challenges built on Flask.
CAVEATS
flask-unsign is a specialized tool for authorized security testing and education; use it only against systems you have explicit permission to test. It relies on the standard itsdangerous signing scheme, so it does not apply to applications that keep session state server-side (for example with Flask-Session) or that replace Flask's session interface with custom encryption. Cracking is entirely offline: one captured cookie is enough and the target is never contacted during the brute force, so rate limiting and lockouts do not apply. Success instead depends on the key being weak or guessable and on the wordlist: a long random SECRET_KEY, which the Flask documentation tells developers to generate with the secrets module, is out of reach of a wordlist attack. Two further points matter when reading results: the decoded payload is readable by anyone holding the cookie, which is a finding in itself when it contains sensitive data, and a forged cookie is only accepted while the application uses the same key and salt, so key rotation invalidates it.
USE CASES
flask-unsign is primarily used in:
Penetration Testing: Identifying and exploiting insecure session management in Flask applications.
CTF Challenges: Solving web exploitation challenges where Flask session cookie manipulation is required.
Security Research: Understanding how Flask sessions are signed and identifying potential weaknesses in the implementation.
INSTALLATION
flask-unsign is installed with pip:
pip install flask-unsign
The default wordlist used by --unsign is a separate package, flask-unsign-wordlist; install it as well when you want to crack without supplying your own --wordlist. A Python 3 environment is required. Run flask-unsign --help after installing to confirm the option names of the installed version.
HISTORY
flask-unsign was written for penetration testers and CTF players who were repeatedly hand-scripting the same itsdangerous decode, sign and brute-force steps against Flask applications. Its development tracks itsdangerous, the library Flask uses to sign sessions: when itsdangerous 1.0 changed the timestamp from seconds since 2011-01-01 to seconds since the Unix epoch, the tool gained the --legacy option so that cookies for applications on older releases can still be forged. It remains a focused alternative to writing those operations by hand.
SEE ALSO
itsdangerous (Python library used by Flask for signing), jwt_tool (for JSON Web Token analysis, similar concept but for JWTs), hashcat (general-purpose password recovery utility, can be used for cracking other hashes)