{"id":27744,"library":"flask-unsign","title":"Flask Unsign","description":"Penetration testing tool to decode and brute-force Flask session cookies by testing against a wordlist of common secret keys. Current version: 1.2.1. Release cadence is irregular, with the last release in 2022.","status":"active","version":"1.2.1","language":"python","source_language":"en","source_url":"https://github.com/Paradoxis/Flask-Unsign","tags":["flask","security","pentest","session-cookie","brute-force"],"install":[{"cmd":"pip install flask-unsign","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Required for Flask session format handling","package":"flask","optional":false}],"imports":[{"note":"","wrong":"","symbol":"UnsignSession","correct":"from flask_unsign import UnsignSession"}],"quickstart":{"code":"from flask_unsign import UnsignSession\n\n# Decode a session cookie (no secret needed)\ncookie = 'eyJ1c2VyIjoiYWRtaW4ifQ.XYZ...'\nunsign = UnsignSession()\nprint(unsign.decode(cookie))\n\n# Brute-force secret key using a wordlist\nwordlist = ['secret', 'key', 'password']\nresult = unsign.unsign(cookie, wordlist=wordlist)\nprint(f\"Secret found: {result}\" if result else \"Not found\")","lang":"python","description":"Decode a Flask session cookie or brute-force its secret key using a wordlist."},"warnings":[{"fix":"Read the wordlist file into a list before passing: wordlist = [line.strip() for line in open('wordlist.txt')]","message":"UnsignSession.unsign() expects a wordlist as a list of strings. Passing a file path will fail silently.","severity":"gotcha","affected_versions":"<=1.2.1"},{"fix":"Use requests or another library to fetch cookies, then pass the cookie value to flask-unsign.","message":"The tool does not support custom HTTP headers or proxies; it only extracts the session cookie string.","severity":"gotcha","affected_versions":"<=1.2.1"},{"fix":"Use the Python API with UnsignSession class.","message":"The command-line interface (flask-unsign --decode) is still available but not actively maintained. The Python API is preferred.","severity":"deprecated","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-05-09T00:00:00.000Z","next_check":"2026-08-07T00:00:00.000Z","problems":[{"fix":"Use 'from flask_unsign import UnsignSession' then create an instance: unsign = UnsignSession(); unsign.decode(cookie)","cause":"User tried to call flask_unsign.decode() directly instead of using the UnsignSession class.","error":"AttributeError: module 'flask_unsign' has no attribute 'decode'"},{"fix":"Provide a list of candidate secret keys: result = unsign.unsign(cookie, wordlist=['secret1', 'secret2'])","cause":"The unsign method requires a wordlist argument; it does not default to an internal list.","error":"TypeError: unsign() missing 1 required positional argument: 'wordlist'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}