
CVE-2023-30861 PoC — Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

Source
Associated Vulnerability
Title: Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header (CVE-2023-30861)
Description: Flask is a lightweight WSGI web application framework. When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by the proxy to other clients. If the proxy also caches `Set-Cookie` headers, it may send one client's `session` cookie to other clients. The severity depends on the application's use of the session and the proxy's behavior regarding cookies. The risk depends on all these conditions being met.

1. The application must be hosted behind a caching proxy that does not strip cookies or ignore responses with cookies.
2. The application sets `session.permanent = True`.
3. The application does not access or modify the session at any point during a request.
4. `SESSION_REFRESH_EACH_REQUEST` is enabled (the default).
5. The application does not set a `Cache-Control` header to indicate that a page is private or should not be cached.

This happens because vulnerable versions of Flask only set the `Vary: Cookie` header when the session is accessed or modified, not when it is refreshed (re-sent to update the expiration) without being accessed or modified. This issue has been fixed in versions 2.3.2 and 2.2.5.
Description
Explaining how to exploit CVE-2023-30861
Readme
# Intro
This bug exists because vulnerable versions of Flask do not tell the caching server (proxy) that the response depends on the client's cookie: the `Vary: Cookie` header is missing when a permanent session cookie is merely refreshed.

For this attack to apply, every item on the checklist must hold:
- **User** goes through a proxy to reach the Flask web app.
- **Proxy** is a caching proxy (caching server) that does not strip cookies from responses.
- **Flask** version used by the targeted website is earlier than `2.2.5`.
- **Attacker** has access to the same caching proxy that **User** goes through.

**Why the proxy?**

> A caching proxy is like a helper that stores copies of web pages to make them load faster when you visit them again.

(Chat-GPT)

Accessing a website running on `Flask < 2.2.5` through such a proxy lets the proxy store the response, cookies included, for faster loading: the proxy doesn't know the cookie is sensitive data, because `Flask` never told it so (the refreshed response carries no `Vary: Cookie` header).


**The impact of this attack**

This attack could allow an attacker to obtain sensitive information such as another user's session cookie.


# PoC
First, host this code anywhere you like:

```python
from flask import Flask, session

app = Flask(__name__)
# A secret key is required for sessions; without it Flask raises RuntimeError
# on the first session write. Any value works for the PoC.
app.secret_key = 'change-me'
# SESSION_REFRESH_EACH_REQUEST defaults to True, which is what makes the
# untouched permanent session cookie get re-sent (refreshed) on every request.
#app.config['SESSION_REFRESH_EACH_REQUEST'] = True


@app.route('/login')
def login():
    # The session is modified here, so Flask sets Vary: Cookie on this response.
    # session.permanent is the setting the advisory names (condition 2);
    # Flask itself has no SESSION_PERMANENT config key.
    session.permanent = True
    session['user_id'] = 1
    return 'logged in'


@app.route('/')
def index():
    # The session is neither read nor written here (condition 3). On Flask
    # < 2.2.5 the permanent cookie is still refreshed, but without Vary: Cookie.
    return 'CVE-2023-30861!'


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)
```

This code is a simple `Flask` website; remember that the Flask version must be `< 2.2.5` (the advisory lists 2.2.5 and 2.3.2 as the fixed releases).
Now access this website through a caching proxy that you have access to and wait for another user to reach the same website through the same proxy.
After that, that user's session cookie can show up in the response the proxy serves from its cache.
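The same mechanism, and the defence against it, in code: this is an added example, not part of the original PoC or of Flask. It uses only the Python standard library (pure WSGI, no Flask import) so it runs anywhere. `is_shared_cache_risk` flags a response that sets a cookie without either `Vary: Cookie` or a `Cache-Control: private`/`no-store` directive, which is exactly the state the advisory describes; `CookieCacheGuard` is a small WSGI middleware that adds both headers whenever the wrapped app emits `Set-Cookie`, the edge-level equivalent of the Flask 2.2.5 / 2.3.2 fix. `vulnerable_app`, the cookie value and `call_once` are constructed stand-ins for this illustration.

```python
"""Added example (not part of the original PoC): detect and neutralise the
CVE-2023-30861 header state at the WSGI layer, standard library only."""

from wsgiref.util import setup_testing_defaults


def _tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def is_shared_cache_risk(headers):
    """True when a response sets a cookie but neither varies on Cookie nor
    forbids shared caching: the state the advisory describes."""
    sets_cookie = varies_on_cookie = uncacheable = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            sets_cookie = True
        elif lname == "vary" and _tokens(value) & {"cookie", "*"}:
            varies_on_cookie = True
        elif lname == "cache-control" and _tokens(value) & {"private", "no-store"}:
            uncacheable = True
    return sets_cookie and not varies_on_cookie and not uncacheable


def _append_token(headers, name, token):
    """Add `token` to header `name`, merging into an existing instance so the
    response does not grow a second Vary or Cache-Control header."""
    for i, (hname, value) in enumerate(headers):
        if hname.lower() == name.lower():
            headers[i] = (hname, f"{value}, {token}")
            return
    headers.append((name, token))


class CookieCacheGuard:
    """WSGI middleware: any response carrying Set-Cookie leaves with
    `Vary: Cookie` and `Cache-Control: private`, so a shared cache will not
    hand one client's cookie to another."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            headers = list(headers)
            if is_shared_cache_risk(headers):
                _append_token(headers, "Vary", "Cookie")
                _append_token(headers, "Cache-Control", "private")
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start_response)


def vulnerable_app(environ, start_response):
    """Constructed stand-in for a Flask < 2.2.5 app refreshing a permanent
    session it never touched: Set-Cookie with no Vary and no Cache-Control."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "session=CONSTRUCTED-SAMPLE-VALUE; HttpOnly; Path=/"),
    ])
    return [b"CVE-2023-30861!"]


def call_once(app):
    """Drive a WSGI app with a default environ; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, before, _ = call_once(vulnerable_app)
    _, after, _ = call_once(CookieCacheGuard(vulnerable_app))
    print("unguarded response is a shared-cache risk:", is_shared_cache_risk(before))
    print("guarded response is a shared-cache risk:  ", is_shared_cache_risk(after))
    print("guarded headers:", after)
```

`is_shared_cache_risk` can also be pointed at captured response headers from a real deployment to confirm whether an upgrade or proxy configuration actually closed the gap; the middleware is a stop-gap for code that cannot move to a fixed Flask release yet, not a replacement for the upgrade.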


# Support
If you would like to support me with a donation, I recommend you give it to someone who really needs it instead. If you do so, then consider that I have earned your support.

<a href="https://www.buymeacoffee.com/jawadpy" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-green.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>