Discuss Scratch

jokebookservice1
Scratcher
1000+ posts

What *exact* url in the API sets cloud data

I am aware that this is a duplicate, but please, can you just respond here?

So I am writing some python code to retrieve Cloud Data from my project: e-Coin

This was easy enough using the built-in libraries urllib, json and codecs

My code can already parse the number from the cloud list into a string. Anyway, I would like to now set some output to another project owned by me. If I manage to log in and extract my CSRF token, what exact link (and which HTTP Method) would set Cloud Data?
NickyNouse
Scratcher
1000+ posts

It can't be done with HTTP requests alone as far as I know. But since you're using Python you should be able to use Dylan's ScratchAPI.

Last edited by NickyNouse (June 2, 2016 15:39:30)

jokebookservice1
Scratcher
1000+ posts

That looks like some kind of request via port 531 to cloud.scratch.mit.edu? Perhaps Dylan can help?
robinp
Scratcher
100+ posts

jokebookservice1 wrote:

That looks like some kind of request via port 531 to cloud.scratch.mit.edu? Perhaps Dylan can help?
It's a simple TCP stream on port 531. You can look at the source of his API. Talking about how it works is not allowed, so I will only explain the most important part. The sending of the data:
{
"token": A secret token. Is easy to get. See dylan's code
"token2": An out of date hash algo of token (The fact that it's out of date doesn't matter),
"project_id": Id of the project,
"method": "set",
"user": Your username,
}

For anyone trying to actually do something like this, check out wireshark.

Last edited by robinp (June 2, 2016 16:11:10)


System Administrator | Portfolio | My Blog | Web Developer
jokebookservice1
Scratcher
1000+ posts

Ok. But isn't security through obscurity no security at all?
jokebookservice1
Scratcher
1000+ posts

Wait, could you give me a line number if it isn't too hard?
robinp
Scratcher
100+ posts

jokebookservice1 wrote:

Ok. But isn't security through obscurity no security at all?
There is as much security in there as can be. Only through recompilation of scratch could we figure out how to send the values.
You're better off learning how the entire library works. Me giving you a line number won't help as the code to send the data is segmented into several pieces.

System Administrator | Portfolio | My Blog | Web Developer
jokebookservice1
Scratcher
1000+ posts

robinp wrote:

jokebookservice1 wrote:

Ok. But isn't security through obscurity no security at all?
There is as much security in there as can be. Only through recompilation of scratch could we figure out how to send the values.
You're better off learning how the entire library works. Me giving you a line number won't help as the code to send the data is segmented into several pieces.
So if I decompile the swf of the on-line version of the Scratch editor…
MegaApuTurkUltra
Scratcher
1000+ posts

jokebookservice1 wrote:

What exact link (and which HTTP Method) would set Cloud Data?
POST https://scratch.mit.edu/varserver

Last edited by MegaApuTurkUltra (June 2, 2016 19:24:02)


$(".box-head")[0].textContent = "committing AT crimes since $whenever"
jokebookservice1
Scratcher
1000+ posts

And what would be in the POST, as in what do I have to send to set a value?
MegaApuTurkUltra
Scratcher
1000+ posts

jokebookservice1 wrote:

And what would be in the POST, as in what do I have to send to set a value?
I believe projectId, name, value, cloudToken, username. I forget if it's JSON or HTTP name/value format
Also you need projectId, scratchcsrftoken, and scratchsessionsid cookies
(Make sure to include the X-CSRF-Token header too)

$(".box-head")[0].textContent = "committing AT crimes since $whenever"
jokebookservice1
Scratcher
1000+ posts

MegaApuTurkUltra wrote:

jokebookservice1 wrote:

And what would be in the POST, as in what do I have to send to set a value?
I believe projectId, name, value, cloudToken, username. I forget if it's JSON or HTTP name/value format
Also you need projectId, scratchcsrftoken, and scratchsessionsid cookies
(Make sure to include the X-CSRF-Token header too)
Thanks!
jokebookservice1
Scratcher
1000+ posts

What is the CloudToken?
Dylan5797
Scratcher
1000+ posts

jokebookservice1 wrote:

What is the CloudToken?
It is found in https://scratch.mit.edu/projects/:id/cloud-data.js

at the bottom, you will see
$(window).unload( function () {
    createCookie('projectId', :id);
    $.ajax({
        type: 'POST',
        url: "/projects/purge-cloud-data/",
        data: {token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}, // <-- this is the token
        success: function (data) {},
        async:false
    });
});


Why don't you want to use my API?

Last edited by Dylan5797 (June 3, 2016 01:42:14)
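
As an added example (not part of Dylan5797's post or of his API), the token lookup described above can be done in Python, the language the original poster is using. The sample script text, project id and token are constructed placeholders, and the regexes assume the layout quoted in the post with hex digits in the 8-4-4-4-12 grouping.

```python
import re

# Constructed sample mirroring the snippet quoted in the post above; the
# project id and token are made-up placeholders, not real values.
SAMPLE_JS = """
$(window).unload( function () {
    createCookie('projectId', 123456);
    $.ajax({
        type: 'POST',
        url: "/projects/purge-cloud-data/",
        data: {token: "0a1b2c3d-0000-4000-8000-abcdefabcdef"},
        success: function (data) {},
        async:false
    });
});
"""

# Assumption: the token uses hex digits in the 8-4-4-4-12 grouping shown.
UUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
COOKIE_RE = re.compile(r"createCookie\(\s*'projectId'\s*,\s*(\d+)\s*\)")
# Accept only a token that sits in the data of the purge-cloud-data call.
TOKEN_RE = re.compile(
    r"url:\s*[\"']/projects/purge-cloud-data/[\"']\s*,\s*"
    r"data:\s*\{\s*token:\s*[\"'](" + UUID + r")[\"']\s*\}"
)


def parse_cloud_data_js(js_text, expected_project_id=None):
    """Return (project_id, token); raise ValueError if the layout differs."""
    cookie = COOKIE_RE.search(js_text)
    token = TOKEN_RE.search(js_text)
    if cookie is None or token is None:
        raise ValueError("projectId or token not found in script text")
    project_id = int(cookie.group(1))
    if expected_project_id is not None and project_id != expected_project_id:
        raise ValueError("script belongs to a different project")
    return project_id, token.group(1)


def redact(token):
    """Shorten the token for logs; the thread describes it as a secret."""
    return token[:4] + "-REDACTED"


if __name__ == "__main__":
    pid, tok = parse_cloud_data_js(SAMPLE_JS, expected_project_id=123456)
    print(pid, redact(tok))
```

Failing with an error when the expected layout is missing keeps a script from silently continuing with an empty or wrong token if the page changes.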


TheUltimatum
Scratcher
1000+ posts

Dylan5797 wrote:

jokebookservice1 wrote:

What is the CloudToken?
It is found in https://scratch.mit.edu/projects/:id/cloud-data.js

at the bottom, you will see
$(window).unload( function () {
    createCookie('projectId', :id);
    $.ajax({
        type: 'POST',
        url: "/projects/purge-cloud-data/",
        data: {token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}, // <-- this is the token
        success: function (data) {},
        async:false
    });
});


Why don't you want to use my API?
Wai not?
MegaApuTurkUltra
Scratcher
1000+ posts

Dylan5797 wrote:

Why don't you want to use my API?
Because learning!

$(".box-head")[0].textContent = "committing AT crimes since $whenever"
jokebookservice1
Scratcher
1000+ posts

MegaApuTurkUltra wrote:

Dylan5797 wrote:

Why don't you want to use my API?
Because learning!
Yeah, that. It isn't anything personal or anything
jokebookservice1
Scratcher
1000+ posts

So, I make a POST request to /varserver with the following data?

projectId - The number in the URL when visiting the target project
name - The name of the cloud variable, including the ‘☁ ’ bit
value - The new value of the cloud variable
cloudToken - as found in the cloud-data.js within the directory of the project
username - “jokebookservice1”

Session cookies:

projectId - doesn't this make it redundant…?
All the cookies you have when you are logged in except for ones beginning with _'s

Headers

X-CSRF-Token as found in any logged in page's source code

Did I miss anything? I'll try and do that now
MegaApuTurkUltra
Scratcher
1000+ posts

jokebookservice1 wrote:

projectId - doesn't this make it redundant…?
It is redundant but necessary. Without the projectId cookie, Scratch will reject your request.

$(".box-head")[0].textContent = "committing AT crimes since $whenever"
jokebookservice1
Scratcher
1000+ posts

MegaApuTurkUltra wrote:

jokebookservice1 wrote:

projectId - doesn't this make it redundant…?
It is redundant but necessary. Without the projectId cookie, Scratch will reject your request.
Ok
