https://github.com/cawfree/sameorigin
Masquerade as if you were their own frontend.
- Host: GitHub
- URL: https://github.com/cawfree/sameorigin
- Owner: cawfree
- License: cc0-1.0
- Created: 2023-03-09T20:36:07.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-09-26T12:30:49.000Z (over 1 year ago)
- Last Synced: 2025-03-31T05:31:56.972Z (about 1 month ago)
- Topics: axios, blur, bypass, cloudflare, cors, exploit, marketplace, nft, opensea, puppeteer
- Language: TypeScript
- Homepage: https://twitter.com/cawfree
- Size: 88.9 KB
- Stars: 27
- Watchers: 3
- Forks: 1
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## `@cawfree/sameorigin`
Masquerade as if you were their own frontend.

[`sameorigin`](https://github.com/cawfree/sameorigin) generalizes the process of [__Same-Origin-Resource-Crossing__](https://github.com/cawfree/opensea-submarine), which allows you to work around the domain-based restrictions centralized services use to protect their APIs from third parties.
### Getting Started
You can install [`sameorigin`](https://github.com/cawfree/sameorigin) via [`yarn`](https://yarnpkg.com):
```shell
yarn add @cawfree/sameorigin
```

Next, declare the domain you wish to squat on. In the following example, let's assume I want to bypass the [__CloudFlare__](https://www.cloudflare.com/) restrictions on the [__Blur Marketplace__](https://blur.io/):
```typescript
import {sameorigin} from '@cawfree/sameorigin';

const [axios, {close}] = await sameorigin({
  // Define the website url that has access permissions and generates some requests.
  squatURL: 'https://blur.io/airdrop',
});

const {data} = await axios({
  // Important! You must declare the baseURL of the API you intend
  // to target. This is because it is used to isolate requests you
  // intend to hijack for your own purposes.
  baseURL: 'https://core-api.prod.blur.io/v1',
  // GET https://core-api.prod.blur.io/v1/prices
  url: '/prices',
  method: 'get',
});

// Once finished, you'll need to close your client to prevent
// memory leaks.
await close();
```

> **Warning**
>
> Some interfaces defend against tools like `sameorigin` by making an analysis of the runtime window. If you find your requests are being rejected, please instantiate `sameorigin` using `headless: false` as a workaround.

### How does it work?
When making a call to [`sameorigin`](https://github.com/cawfree/sameorigin), we allocate an instance of [`puppeteer`](https://github.com/puppeteer/puppeteer) in the background which is used to capture requests and serve as a trusted origin for API requests to originate from.
We make the page available via an [`express`](https://expressjs.com/) server, which manages the life cycle of pages, captures requests that satisfy CloudFlare's protections, and dynamically injects them with custom query data.
This process is masked behind the returned [`axios`](https://github.com/axios/axios) client. The underlying process of squatting on pages, hijacking requests and returning the data as if it were a conventional fetch request is abstracted away from the caller.
### License
[__CC0-1.0__](./LICENSE)