Exploiting a Flask Server Using a Known Secret Key
How knowing the secret key of a Flask server can be used to create a custom session cookie and bypass authentication
Setting a long, random application key (`SECRET_KEY`) in Flask is critical when using the library’s built-in signed session cookies for authentication.
If an attacker gains access to this value, they can forge session cookies of their own and fool the server into treating the requests that carry them as legitimate.
In this article, we’ll examine the critical role of app keys in Flask and how improper generation can lead to security vulnerabilities.
Flask servers and secret keys
Flask uses the application key to sign session cookies and verifies that signature on every request before trusting the cookie’s contents.
The signature is an HMAC keyed with the application key over the base64-encoded cookie content, so it can only be reproduced by someone who holds that key; note that the content itself is only encoded, not encrypted.
Since only the server should know the application key, external users should not be able to produce a valid signature without it.
However, if an attacker has access to the application key, they can create cookies carrying arbitrary session data, and Flask accepts them as valid because the signature checks out.
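To make the mechanism concrete, here is an added example (not code from the original article or from the Flask project) that re-implements Flask’s default session-cookie signing with the standard library only: the cookie is `payload.timestamp.signature`, the signing key is derived as HMAC(secret, "cookie-session") and the signature is HMAC-SHA1 over the first two fields, as Flask configures itsdangerous’ `URLSafeTimedSerializer`. The assumption is that itsdangerous’ optional zlib compression of the payload is omitted; all keys and session values are constructed for the demo. It shows the defender-side points: verification with the wrong key or a tampered payload fails, expired cookies are rejected, the payload is readable by anyone who holds the cookie, and a production key should come from a CSPRNG.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Salt that Flask's SecureCookieSessionInterface passes to itsdangerous.
SALT = b"cookie-session"


def _b64(data: bytes) -> str:
    # URL-safe base64 without '=' padding, the encoding itsdangerous uses per field.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret_key: bytes) -> bytes:
    # Flask sets key_derivation="hmac": the signing key is HMAC(secret, salt).
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _sign(secret_key: bytes, value: bytes) -> str:
    return _b64(hmac.new(_derived_key(secret_key), value, hashlib.sha1).digest())


def make_session_cookie(secret_key: bytes, session: dict, now: Optional[int] = None) -> str:
    """Serialize and sign a session the way the server does: payload.timestamp.signature."""
    payload = _b64(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    ts = int(time.time()) if now is None else now
    ts_b64 = _b64(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{payload}.{ts_b64}"
    return f"{value}.{_sign(secret_key, value.encode())}"


def load_session_cookie(secret_key: bytes, cookie: str,
                        max_age: Optional[int] = None, now: Optional[int] = None) -> Optional[dict]:
    """Verify the signature (constant-time) before trusting any payload; None means reject."""
    try:
        payload, ts_b64, sig = cookie.rsplit(".", 2)
    except ValueError:
        return None
    value = f"{payload}.{ts_b64}"
    if not hmac.compare_digest(sig, _sign(secret_key, value.encode())):
        return None  # wrong key or tampered content: treat the request as unauthenticated
    if max_age is not None:
        ts = int.from_bytes(_unb64(ts_b64), "big")
        current = int(time.time()) if now is None else now
        if current - ts > max_age:
            return None  # expired: PERMANENT_SESSION_LIFETIME-style check
    return json.loads(_unb64(payload))


def peek_session_payload(cookie: str) -> dict:
    """The payload is base64, not ciphertext: never store secrets in a Flask session."""
    return json.loads(_unb64(cookie.split(".", 1)[0]))


def generate_secret_key() -> str:
    """A 256-bit key from the OS CSPRNG; load it from the environment, never hard-code it."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    server_key = b"constructed-demo-key"  # constructed for the demo, not a real key
    cookie = make_session_cookie(server_key, {"user_id": 42, "role": "user"}, now=1_700_000_000)
    print(cookie)
    print(load_session_cookie(server_key, cookie))
    print(load_session_cookie(b"guessed-wrong-key", cookie))
    print(peek_session_payload(cookie))
    print(generate_secret_key())
```

The only thing standing between an attacker and `load_session_cookie` returning an attacker-chosen `role` is `secret_key`, which is why it must be long, random and kept out of source control; rotating it invalidates every outstanding cookie at once.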