https://github.com/paralin/hwassassinrev
Messing with HW assassin
- Host: GitHub
- URL: https://github.com/paralin/hwassassinrev
- Owner: paralin
- Created: 2015-05-22T05:30:47.000Z (almost 11 years ago)
- Default Branch: master
- Last Pushed: 2015-05-22T05:35:56.000Z (almost 11 years ago)
- Last Synced: 2025-10-29T09:37:28.859Z (4 months ago)
- Language: Python
- Size: 203 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
HW ASSASSIN
==========
This repo is the result of a couple of hours of poking at the endpoints of James Lennon's HW
Assassin app to see what kind of information can be gleaned from them.
GAME STATE REQUEST
------------------
```
POST http://hwassassin.hwtechcouncil.com/game/get_state

key=encrypted base64 key
```
The key is based on the value returned by `add_player`.
REGISTER AS PLAYER
------------------
```
POST http://hwassassin.hwtechcouncil.com/players/add_player

image=base64 image data
name=full name
year=2015
school_id=115-010
```
Response:
```
{"key":"base64 encoded encrypted data"}
```
The key appears to be encrypted (probably with a server-side secret), so it is
probably not forgeable without the app's source code.
SIGNIFICANT VULNERABILITIES
---------------------------
The `school_id` is displayed for all of the top 25 players, even though it is
one of the fields used to register a player and should therefore be treated as
a secret. A [data dump](https://gist.github.com/paralin/812e93282fd45869592b)
was acquired using this vulnerability.