Reverse engineering Javascript behind Google+ button

别那么骄傲 2021-02-03 10:57

I am trying to simulate the Google+ button. In some part of the code at LINK, it converts the session id into some kinda hash. What I found is the session id name is SAPISID and the converted h

2 answers
  •  滥情空心
    2021-02-03 11:39

    VICTORY! Well, for me at least =p The SAPISIDHASH I was looking for was the one in the API console. Automation for a rather large job, totally legitimate.

    Anyways -> the one I found was a SHA1 on the current JavaScript milliseconds timestamp plus your current SAPISID from your cookie plus the domain origin.

    In order for my request to work I had to include the following headers in the request: Authorization:SAPISIDHASH 1439879298823_ and X-Origin:https://console.developers.google.com

    The first header I assume tells the server your timestamp and your sha1 value. The second ( breaks if you don't include it ) tells it the origin to use in the sha1 algorithm.

    I found the algorithm by digging through and debugging the hell out of tons of minified JS. NOTE: there are spaces appended between the values.

    The pseudo code is basically:

    sha1(new Date().getTime() + " " + SAPISID + " " + origin)

    That is at least how I got my SAPISIDHASH value in my use case here in 2015 ( few years later I know )... different from yours but maybe I will help some other young good hacker out there one day
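
The header construction described in the answer above, as an added example that is not part of the original post or of Google's code: it builds the `SAPISIDHASH` value and shows how a server that knows the session's SAPISID could check it. The verifier, its 5-minute freshness window, and the sample cookie value are assumptions made for illustration.

```javascript
// Added example, not code from the original page.
// Assumptions: the server can look up the session's SAPISID, and a 5-minute
// freshness window is acceptable. Both are illustrative choices.
const crypto = require('node:crypto');

const sha1Hex = (s) => crypto.createHash('sha1').update(s, 'utf8').digest('hex');

// Client side: the answer's formula plus the "<timestamp>_<sha1>" header layout.
function buildSapisidHash(sapisid, origin, nowMs = Date.now()) {
  const digest = sha1Hex(`${nowMs} ${sapisid} ${origin}`); // space-separated
  return `SAPISIDHASH ${nowMs}_${digest}`;
}

// Server side (hypothetical): parse the Authorization value, check freshness,
// recompute the digest from the X-Origin header, compare in constant time.
function verifySapisidHash(header, xOrigin, sapisid, nowMs = Date.now(), maxSkewMs = 300000) {
  const m = /^SAPISIDHASH (\d{1,15})_([0-9a-f]{40})$/.exec(header || '');
  if (!m) return { ok: false, reason: 'malformed' };
  if (!xOrigin) return { ok: false, reason: 'missing X-Origin' };
  if (Math.abs(nowMs - Number(m[1])) > maxSkewMs) {
    return { ok: false, reason: 'stale timestamp' };
  }
  const expected = Buffer.from(sha1Hex(`${m[1]} ${sapisid} ${xOrigin}`), 'hex');
  const given = Buffer.from(m[2], 'hex'); // 20 bytes, guaranteed by the regex
  if (!crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'digest mismatch' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample values, not real credentials. The timestamp and origin
// are the ones quoted in the answer.
const SAMPLE_SAPISID = 'EXAMPLE-SAPISID-VALUE';
const SAMPLE_ORIGIN = 'https://console.developers.google.com';
const SAMPLE_TS = 1439879298823;

function demo() {
  const header = buildSapisidHash(SAMPLE_SAPISID, SAMPLE_ORIGIN, SAMPLE_TS);
  const now = SAMPLE_TS + 1000; // one second after the header was built
  return {
    header,
    sameOrigin: verifySapisidHash(header, SAMPLE_ORIGIN, SAMPLE_SAPISID, now),
    otherOrigin: verifySapisidHash(header, 'https://example.invalid', SAMPLE_SAPISID, now),
    noOrigin: verifySapisidHash(header, undefined, SAMPLE_SAPISID, now),
    tooOld: verifySapisidHash(header, SAMPLE_ORIGIN, SAMPLE_SAPISID, SAMPLE_TS + 600000),
  };
}

console.log(demo());
```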
