@l50
Last active August 28, 2018 00:18
Reflected XSS POC in flask
{# templates/login.html #}
{% block body %}
  {% if session['logged_in'] %}
    <p>You're logged in already!</p>
  {% else %}
    <form action="/login" method="POST">
      <input type="text" name="username" placeholder="Username">
      <input type="password" name="password" placeholder="Password">
      <input type="submit" value="Log in">
    </form>
  {% endif %}
{% endblock %}
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# xss_flask.py: deliberately vulnerable Flask app demonstrating a reflected XSS.
from flask import Flask, redirect, render_template, request, session, url_for
import os

app = Flask(__name__)
# A fresh random key per process: every restart invalidates previously signed
# sessions, which is fine for a throwaway POC.
app.secret_key = os.urandom(12)


@app.route("/hello")
def hello():
    # The reflected XSS: the untrusted 'name' query parameter is concatenated
    # straight into the HTML with no escaping, and a plain string returned from
    # a view is served as text/html, so the browser renders whatever tags it holds.
    if request.args.get('name'):
        f = """
<html>
<h1>Hello """ + request.args.get('name') + """</h1>
</html>
"""
        return f
    else:
        f = """
<html>
<h1>Please input your name in the name parameter, i.e. http://localhost:5000/hello?name=bob</h1>
</html>
"""
        return f


@app.route('/')
def home():
    if not session.get('logged_in'):
        return render_template('login.html')
    else:
        return redirect(url_for("hello"))


@app.route('/login', methods=['POST'])
def login():
    # Hard-coded credentials: the login exists only so there is a cookie to steal.
    if request.form['password'] == 'password' and request.form['username'] == 'admin':
        response = redirect(url_for("home"))
        # Set without the HttpOnly flag (set_cookie's default), so document.cookie
        # can read it. Flask's own 'session' cookie is HttpOnly by default and
        # therefore does not appear in the alert.
        response.set_cookie('YourSessionCookie', 'admin')
        session['logged_in'] = True
        return response
    else:
        return redirect(url_for('home'))


if __name__ == "__main__":
    # debug=True enables the interactive Werkzeug debugger and host='0.0.0.0'
    # binds every interface: run this on a private machine only.
    app.run(debug=True, host='0.0.0.0', port=5000)
# To install: pipenv --python 3.6.5 install flask
# mkdir templates
# Put the content from login.html into templates/login.html
# Get inside the virtualenv: pipenv shell
# To run: export FLASK_APP=xss_flask.py && flask run
# Log in as admin / password at http://localhost:5000/ so that YourSessionCookie is set, then go to
# http://localhost:5000/hello?name=<script>alert(document.cookie)</script>
# The alert shows YourSessionCookie=admin; Flask's signed 'session' cookie is HttpOnly by default and stays hidden.
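The gist stops at the proof that the payload fires. As an added example that is not part of the gist, the following puts the vulnerable rendering next to a hardened version of the same page and adds the check a scanner (or a regression test) would run: does the payload come back byte for byte? The helper names (render_vulnerable, render_hardened, name_from_url, reflects_unescaped, create_app) and the constructed payload are assumptions for this illustration; the fix uses the standard library's html.escape, which is equivalent to markupsafe.escape for this purpose. The Flask import is optional so the checks run without Flask installed.

```python
import html
from urllib.parse import parse_qs, urlsplit

try:
    from flask import Flask, request
except ImportError:  # Flask is only needed for create_app(); the checks below are stdlib-only
    Flask = None

# Constructed payload: the same one the gist points the browser at.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(name: str) -> str:
    """The gist's /hello body: untrusted input concatenated straight into HTML."""
    return "<html>\n<h1>Hello " + name + "</h1>\n</html>\n"


def render_hardened(name: str) -> str:
    """Same page with the input HTML-escaped before it enters the markup.

    quote=True also escapes ' and " so the value stays inert if it is later
    placed inside a quoted attribute, not only inside element text.
    """
    return "<html>\n<h1>Hello " + html.escape(name, quote=True) + "</h1>\n</html>\n"


def name_from_url(url: str) -> str:
    """Pull the 'name' query parameter the way request.args.get('name') would.

    Assumption: only the first value is used when the parameter repeats, and a
    missing parameter yields the empty string. URL-encoded payloads are decoded
    here, exactly as Werkzeug decodes them before the view sees them.
    """
    query = parse_qs(urlsplit(url).query)
    return query.get("name", [""])[0]


def reflects_unescaped(body: str, payload: str) -> bool:
    """Scanner-style check: the payload appears verbatim in the response body."""
    return payload in body


def create_app():
    """Hardened drop-in for the gist's /hello route (requires Flask)."""
    if Flask is None:
        raise RuntimeError("Flask is not installed")
    app = Flask(__name__)

    @app.route("/hello")
    def hello():
        # Escaping at the point where data meets markup is the fix; an
        # equivalent is rendering through a Jinja template with autoescaping on.
        return render_hardened(request.args.get("name", ""))

    return app


if __name__ == "__main__":
    url = "http://localhost:5000/hello?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
    name = name_from_url(url)
    print("vulnerable reflects payload:", reflects_unescaped(render_vulnerable(name), PAYLOAD))
    print("hardened reflects payload:  ", reflects_unescaped(render_hardened(name), PAYLOAD))
    print(render_hardened(name))
```

For a real application, do the reflects_unescaped check from a test that drives the Flask test client against every endpoint that echoes user input; the escaping belongs in the template layer, where Flask's render_template_string and .html templates already autoescape, rather than being re-applied by hand in each view.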