Blacksmith

Prerequisites & Requirements

• Basic command-line comfort (running a tool like flask-unsign).
• Familiarity with Burp Suite is helpful but not strictly required.

What will you learn?

• How Flask session cookies are signed and can be forged if the secret is weak.
• How to use flask-unsign to recover or create signed cookies.
• How Server-Side Template Injection (SSTI) can lead to command execution.

Tools

• Burp Suite (to capture/modify requests).
• flask-unsign (to unsign/sign Flask session cookies).
• A wordlist (e.g., rockyou.txt) for brute-forcing the Flask secret.