Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-30861 PoC — Flask 安全漏洞

Source
https://github.com/JawadPy/CVE-2023-30861-Exploit
Associated Vulnerability
Title:Flask 安全漏洞 (CVE-2023-30861)
Description:Pallets Project Flask是Pallets项目的一款轻量级的WSGI(Web服务器网关接口)应用程序框架。 Flask存在安全漏洞,该漏洞源于用于一个客户端的数据响应可能会被缓存并随后由代理发送给其他客户端。
Description
Explaining how to exploit CVE-2023-30861
Readme
# Intro
This bug happens because Flask doesn't tell the caching server (proxy) to be careful with sensitive information like cookies.

To use this attack you have to check your checklist
- **User** must use a proxy and accesses the flask webapp
- **Proxy** must be caching proxy (caching server).
- **Flask** version of the targeted flask website that user uses must be before `2.2.5`
- **Attacker** must have access to the caching proxy of the proxy that **User** uses 

**Why the proxy?**

A caching proxy is like a helper that stores copies of web pages to make them load faster when you visit them again.
- Chat-GPT

Using this type of proxies to access any website runs on `Flask < 2.2.5` makes the proxy server stores your cockies for fast load, because the proxy doesn't know it's a sensitve data, because `Flask` didn't tell the proxy server it's a sensitve data.


**The imapct of this attack**

This attack could allow the attacker to steal sensitive information like user session cookies.


# PoC
First I want you to host this code to anywhere you like:

```python
from flask import Flask, session

app = Flask(__name__)
app.config['SESSION_PERMANENT'] = True
#app.config['SESSION_REFRESH_EACH_REQUEST'] = True

@app.route('/')
def index():
    session['user_id'] = 1
    return 'CVE-2023-30861!'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

```

This code is a simple `Flask` website, remember the version must be `< 2.2.5`.
Now access this website with via caching proxy that you have access to and wait for another user to access same website with the same proxy.
after that you will get that user session from cache.


# Support
If you would like to support me with donation, I recommend you to give it to someone who really need it please. If you do so then consider that i earned your support.

<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
File Snapshot

 [4.0K]  /data/pocs/be53b9b0935ca53cf326044817cd027a3e1cfdb9
└── [2.0K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.