This bug happens because Flask doesn't tell the caching server (proxy) to be careful with sensitive information like cookies.
To use this attack you have to check your checklist
- User must use a proxy and accesses the flask webapp
- Proxy must be caching proxy (caching server).
- Flask version of the targeted flask website that user uses must be before
2.2.5
- Attacker must have access to the caching proxy of the proxy that User uses
Why the proxy?
A caching proxy is like a helper that stores copies of web pages to make them load faster when you visit them again.
- Chat-GPT
Using this type of proxies to access any website runs on Flask < 2.2.5
makes the proxy server stores your cockies for fast load, because the proxy doesn't know it's a sensitve data, because Flask
didn't tell the proxy server it's a sensitve data.
The imapct of this attack
This attack could allow the attacker to steal sensitive information like user session cookies.
First I want you to host this code to anywhere you like:
from flask import Flask, session
app = Flask(__name__)
app.config['SESSION_PERMANENT'] = True
#app.config['SESSION_REFRESH_EACH_REQUEST'] = True
@app.route('/')
def index():
session['user_id'] = 1
return 'CVE-2023-30861!'
if __name__ == '__main__':
app.run(host='0.0.0.0', port=5000)
This code is a simple Flask
website, remember the version must be < 2.2.5
.
Now access this website with via caching proxy that you have access to and wait for another user to access same website with the same proxy.
after that you will get that user session from cache.
If you would like to support me with donation, I recommend you to give it to someone who really need it please. If you do so then consider that i earned your support.