Trying to find an auth token which gets generated (Somewhere) and passed.


  • Banned

    I have been looking for an auth token, but I am not able to find where it is generated. I can see it getting passed, but the token gets changed every 24 hours. Can anyone point me in the right direction as to where this can get generated and how I can get it parsed? As of now I am physically extracting the auth and passing it as input in the config. I tried to look at every request but was unable to find it. It keeps getting passed at this request only.

    auth: <auth> (it gets passed here)
    codemarket: [COUNTRY CODE]
    content-length: 65
    content-type: application/json;charset=UTF-8
    countrycode: GB
    dnt: 1
    langcode: en
    origin: https://[hidden]
    referer: https://[hidden]/account/login
    sec-fetch-dest: empty
    sec-fetch-mode: cors
    sec-fetch-site: cross-site
    secret: 98FmvhJFqNOK87GtdGNn3E73pI0LqzJxS1pn3wWZj94Er1Kg2e5LBp81ppeP
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
    userid: 4914447553
    x-api-key: siYAzKattmawHSwMV4OJYtaoP8SRq
    
    


  • The auth token isn't only in the source; look in the response headers, etc.



  • The information you have given isn't enough to identify whether the code can be found in a source or generated within the app, or even to identify which token it is.


  • Banned

    @Ancient @Fairy The Auth token is like this - 8ac76a426db63219e14bfe0191bcf8b6e64bf603. Sorry for the insufficient info. It is a SHA1 Encryption.

    Pic - https://www.upload.ee/image/11858711/4235325.PNG

    @Ancient said in Trying to find an auth token which gets generated (Somewhere) and passed.:

    The auth token isn't only in the source; look in the response headers, etc.

    Yes, I know where the auth tokens may be found. I looked in headers, cookies, and the source, obviously. But it is not found. This auth token is generated anew after 24 hours. This is the only place where I see the auth token: in the above-mentioned request. I mean, even if it is generated, it should be passed to the request to be valid, right?

    @Fairy said in Trying to find an auth token which gets generated (Somewhere) and passed.:

    The information you have given isn't enough to identify whether the code can be found in a source or generated within the app, or even to identify which token it is.

    This is not an app, I can say that. This is a website config.
    I mean, can it be generated through some script built into the website or something like that?



  • Did you check all of the site's JavaScript sources?


  • Banned

    @Pure I checked the JS sources and I could find the "api key" and the "secret" mentioned in the above request, but the auth is not in the source. Not in a parsable manner at least.



  • If the authorization token is changing with each request even when using the same credentials, then it hashes other variables such as CSRF tokens, timestamp, nonce, or session ID... I advise a trial and error method, which means trying to hash whatever you think possible, and if this doesn't help, then try the API.


  • Banned

    Sorry sir, this auth changes only once every 24 hours. @Fairy



  • They must be generating it using a JS function then. We can't know for sure; try searching the responses for "hash, sha1, ...etc" or "auth" or anything related to it.

