From 537a8a111f0ec3f36cd3bf3c27b187ed96b52b44 Mon Sep 17 00:00:00 2001
From: Machiavelli <145562237+MachiavelliII@users.noreply.github.com>
Date: Mon, 2 Jun 2025 05:40:25 +0300
Subject: [PATCH] flask-unsign: add page (#16708)

* flask-unsign: add page

* Update pages/common/flask-unsign.md

Co-authored-by: Fazle Arefin

* Update pages/common/flask-unsign.md

Co-authored-by: Fazle Arefin

* Update pages/common/flask-unsign.md

Co-authored-by: Fazle Arefin

* Update pages/common/flask-unsign.md

Co-authored-by: Fazle Arefin

---------

Co-authored-by: Fazle Arefin
---
 pages/common/flask-unsign.md | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 pages/common/flask-unsign.md

diff --git a/pages/common/flask-unsign.md b/pages/common/flask-unsign.md
new file mode 100644
index 0000000000..c0438bf9cb
--- /dev/null
+++ b/pages/common/flask-unsign.md
@@ -0,0 +1,32 @@ +# flask-unsign + +> A tool to brute-force, decode and craft `Flask` session cookies. +> More information: . + +- Decode a Flask session cookie: + +`flask-unsign {{[-d|--decode]}} {{[-c|--cookie]}} {{cookie}}` + +- Decode a session cookie fetched from a URL which returns a `Set-Cookie` header: + +`flask-unsign {{[-d|--decode]}} --server {{URL}}` + +- Brute-force a secret key using the default flask-unsign-wordlist (requires `flask-unsign-wordlist`): + +`flask-unsign {{[-u|--unsign]}} {{[-c|--cookie]}} {{cookie}}` + +- Brute-force a secret key with a custom wordlist (use `--no-literal-eval` for unquoted entries): + +`flask-unsign {{[-u|--unsign]}} {{[-c|--cookie]}} {{cookie}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}}` + +- Sign a new session cookie with a secret key: + +`flask-unsign {{[-s|--sign]}} {{[-c|--cookie]}} {{"{'logged_in': False}"}} {{[-S|--secret]}} {{secret}}` + +- Sign a session cookie using legacy timestamp (useful for old versions): + +`flask-unsign {{[-s|--sign]}} {{[-c|--cookie]}} {{"{'logged_in': False}"}} {{[-S|--secret]}} {{secret}} {{[-l|--legacy]}}` + +- Brute-force a session cookie with custom threads and no literal evaluation: + +`flask-unsign {{[-u|--unsign]}} {{[-c|--cookie]}} {{cookie}} {{[-w|--wordlist]}} {{path/to/wordlist.txt}} {{[-t|--threads]}} {{threads}} {{[-nE|--no-literal-eval]}}`
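Review bot: the description of the last example, "Brute-force a session cookie with custom threads and no literal evaluation", names the wrong target. With `--unsign` and a wordlist the command searches for the secret key, which is how the third and fourth examples describe it ("Brute-force a secret key ..."). Suggest rewording it to "Brute-force a secret key with a custom wordlist, a given number of threads and no literal evaluation" so the three `--unsign` entries read consistently. In the same hunk, the "More information:" line as shown here ends in a bare "." with no link, so please check that the URL is present in the file. The legacy-timestamp example says "useful for old versions" without saying old versions of what; naming the component would make that entry actionable.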