web python http-digest flask-session authentication replay

Compare the Digest nonce/opaque state held in a mutable Flask session against the values advertised in WWW-Authenticate to find replay or fixation edge cases.

Digest Auth + Challenge State Stored in a Flask Session

The Digest challenge is supposed to bind nonce and opaque state tightly to the auth exchange. If the app also stores that state in a mutable Flask session, inconsistencies between cookie state and header state may create exploitable edge cases.

Why It Works

  • Per-session nonce bookkeeping inside a client-readable cookie invites replay, fixation, or mismatch between the cookie's view and the advertised challenge.

Vulnerable Pattern

  • HTTP Digest implemented in application code, with per-session nonce bookkeeping using Flask session cookies.

Exploit Flow

  1. Decode the Flask session and compare what the server thinks the current challenge values are vs. what it advertises in WWW-Authenticate.
  2. Look for replay, session fixation, or mismatch conditions where one cookie can validate another request's Digest header.

Common Blockers

  • Correct server-side nonce tracking and strict replay counters.
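The blocker above is easiest to see side by side with the vulnerable pattern. The following is an added example, not code from the page or from the referenced challenge: a verifier that trusts whatever nonce the session dict (the cookie's view) holds and keeps no nonce count, next to one that keeps challenge state server-side, binds opaque to the issued nonce, and requires a strictly increasing nc. The realm, user, credential, cnonce and all helper names are constructed for the example.

```python
"""Digest verification: session-held challenge state versus a server-side nonce store.

Added example. The weak verifier mirrors the vulnerable pattern (nonce taken from a
client-readable session dict, no replay counter); the hardened one keeps the state
server-side and enforces nc. Realm, user, password and cnonce are constructed values.
"""
import hashlib
import hmac
import secrets

REALM = "example"                        # hypothetical realm
USERS = {"alice": "correct-horse"}       # constructed sample credential


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, pw, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth (the computation a client performs)."""
    ha1 = _md5(f"{user}:{REALM}:{pw}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_auth(user, pw, method, uri, nonce, opaque, nc, cnonce):
    """Parsed form of an Authorization: Digest header for the given challenge."""
    return {"username": user, "uri": uri, "nonce": nonce, "opaque": opaque,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(user, pw, method, uri, nonce, nc, cnonce)}


def _check_response(auth, method):
    pw = USERS.get(auth["username"])
    if pw is None:
        return False
    expected = digest_response(auth["username"], pw, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])


# --- weak: challenge state lives in the session dict, no replay counter ---
def weak_verify(session, auth, method):
    """Trusts session['auth_nonce']; a header computed against it validates repeatedly."""
    if auth["nonce"] != session.get("auth_nonce"):
        return False, "nonce mismatch"
    return (True, None) if _check_response(auth, method) else (False, "bad response")


# --- hardened: server-side nonce store, opaque bound to nonce, strict nc ---
class NonceStore:
    def __init__(self):
        self._live = {}   # nonce -> {"opaque": str, "nc": highest nc accepted so far}

    def issue(self):
        nonce, opaque = secrets.token_hex(16), secrets.token_hex(16)
        self._live[nonce] = {"opaque": opaque, "nc": 0}
        return nonce, opaque                  # what WWW-Authenticate advertises

    def check(self, nonce, opaque, nc):
        rec = self._live.get(nonce)
        if rec is None:
            return "unknown nonce"            # never issued by this server
        if not hmac.compare_digest(rec["opaque"], opaque):
            return "opaque mismatch"          # opaque is bound to the nonce it came with
        try:
            n = int(nc, 16)
        except ValueError:
            return "bad nc"
        if n <= rec["nc"]:
            return "replay"                   # nc must strictly increase per nonce
        rec["nc"] = n
        return None


def strong_verify(store, auth, method):
    err = store.check(auth["nonce"], auth["opaque"], auth["nc"])
    if err:
        return False, err
    return (True, None) if _check_response(auth, method) else (False, "bad response")


def demo():
    """Submit the same captured header twice against each verifier."""
    store = NonceStore()
    nonce, opaque = store.issue()
    session = {"auth_nonce": nonce, "auth_opaque": opaque}   # the cookie's view
    hdr = make_auth("alice", "correct-horse", "GET", "/admin",
                    nonce, opaque, "00000001", "deadbeef")   # constructed cnonce
    never_issued = make_auth("alice", "correct-horse", "GET", "/admin",
                             "ff" * 16, opaque, "00000001", "deadbeef")
    return {
        "weak_first": weak_verify(session, hdr, "GET"),
        "weak_replay": weak_verify(session, hdr, "GET"),       # accepted again
        "strong_first": strong_verify(store, hdr, "GET"),
        "strong_replay": strong_verify(store, hdr, "GET"),     # rejected: nc did not advance
        "strong_unknown": strong_verify(store, never_issued, "GET"),
    }
```

The point of the comparison is where the authority over the challenge sits: in the weak variant the session dict is the only record of the nonce, so every header computed against it stays valid for as long as the cookie does, whereas the store ties acceptance to a nonce the server actually issued and to a counter the server advances.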

PoC Sketch

# decode the Flask cookie; compare stored auth_nonce / auth_opaque
# with WWW-Authenticate values and your submitted Authorization: Digest ... header

Good Situations To Use It

  • The app implements Digest auth by hand.
  • Challenge state lives in a decodable Flask session cookie.
  • Replay counters look weak or absent.

Sources

  • 0xFUN2026/web/manofauth