- jokebookservice1
- Scratcher
1000+ posts
What *exact* url in the API sets cloud data
I am aware that this is a duplicate, but please, can you just respond here?
So I am writing some python code to retrieve Cloud Data from my project: e-Coin
This was easy enough using the built-in libraries urllib, json and codecs
My code can already parse the number from the cloud list into a string. Anyway, I would like to now set some output to another project owned by me. If I manage to log in and extract my CSRF token, what exact link (and which HTTP Method) would set Cloud Data?
- NickyNouse
- Scratcher
1000+ posts
It can't be done with http requests alone as far as I know. But since you're using python you should be able to use Dylan's ScratchAPI
Last edited by NickyNouse (June 2, 2016 15:39:30)
- jokebookservice1
- Scratcher
1000+ posts
That looks like some kind of request via port 531 to cloud.scratch.mit.edu? Perhaps Dylan can help?
- robinp
- Scratcher
100+ posts
> That looks like some kind of request via port 531 to cloud.scratch.mit.edu? Perhaps Dylan can help?

It's a simple tcp stream on port 531. You can look at the source of his api. Talking about how it works is not allowed so I will only explain the most important part. The sending of the data:
{
    "token": A secret token. Is easy to get. See dylan's code
    "token2": An out of date hash algo of token (The fact that it's out of date doesn't matter),
    "project_id": Id of the project,
    "method": "set",
    "user": Your username,
}
For anyone trying to actually do something like this, check out wireshark.
Last edited by robinp (June 2, 2016 16:11:10)
- jokebookservice1
- Scratcher
1000+ posts
Ok. But isn't security through obscurity no security at all?
- jokebookservice1
- Scratcher
1000+ posts
Wait, could you give me a line number if it isn't too hard?
- robinp
- Scratcher
100+ posts
> Ok. But isn't security through obscurity no security at all?

There is as much security in there as can be. Only through recompilation of scratch could we figure out how to send the values.
You're better off learning how the entire library works. Me giving you a line number won't help as the code to send the data is segmented into several pieces.
- jokebookservice1
- Scratcher
1000+ posts
> > Ok. But isn't security through obscurity no security at all?
>
> There is as much security in there as can be. Only through recompilation of scratch could we figure out how to send the values.
> You're better off learning how the entire library works. Me giving you a line number won't help as the code to send the data is segmented into several pieces.

So if I decompile the swf of the on-line version of the Scratch editor…
- MegaApuTurkUltra
- Scratcher
1000+ posts
> What exact link (and which HTTP Method) would set Cloud Data?

POST https://scratch.mit.edu/varserver
Last edited by MegaApuTurkUltra (June 2, 2016 19:24:02)
$(".box-head")[0].textContent = "committing AT crimes since $whenever"
- jokebookservice1
- Scratcher
1000+ posts
And what would be in the POST, as in what do I have to send to set a value?
- MegaApuTurkUltra
- Scratcher
1000+ posts
> And what would be in the POST, as in what do I have to send to set a value?

I believe projectId, name, value, cloudToken, username. I forget if it's JSON or HTTP name/value format.
Also you need projectId, scratchcsrftoken, and scratchsessionsid cookies
(Make sure to include the X-CSRF-Token header too)
- jokebookservice1
- Scratcher
1000+ posts
> > And what would be in the POST, as in what do I have to send to set a value?
>
> I believe projectId, name, value, cloudToken, username. I forget if it's JSON or HTTP name/value format.
> Also you need projectId, scratchcsrftoken, and scratchsessionsid cookies
> (Make sure to include the X-CSRF-Token header too)

Thanks!
- jokebookservice1
- Scratcher
1000+ posts
What is the CloudToken?
- Dylan5797
- Scratcher
1000+ posts
> What is the CloudToken?

It is found in https://scratch.mit.edu/projects/:id/cloud-data.js
at the bottom, you will see

    $(window).unload( function () {
        createCookie('projectId', :id);
        $.ajax({
            type: 'POST',
            url: "/projects/purge-cloud-data/",
            data: {token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}, // <-- this is the token
            success: function (data) {},
            async:false
        });
    });

Why don't you want to use my API?
Last edited by Dylan5797 (June 3, 2016 01:42:14)
- TheUltimatum
- Scratcher
1000+ posts
> > What is the CloudToken?
>
> It is found in https://scratch.mit.edu/projects/:id/cloud-data.js
> at the bottom, you will see
>
>     $(window).unload( function () {
>         createCookie('projectId', :id);
>         $.ajax({
>             type: 'POST',
>             url: "/projects/purge-cloud-data/",
>             data: {token: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}, // <-- this is the token
>             success: function (data) {},
>             async:false
>         });
>     });
>
> Why don't you want to use my API?

Wai not?
- MegaApuTurkUltra
- Scratcher
1000+ posts
> Why don't you want to use my API?

Because learning!
- jokebookservice1
- Scratcher
1000+ posts
> > Why don't you want to use my API?
>
> Because learning!

Yeah, that. It isn't anything personal or anything
- jokebookservice1
- Scratcher
1000+ posts
So, I make a POST request to /varserver with the following data?
projectId - The number in the URL when visiting the target project
name - The name of the cloud variable, including the ‘☁ ’ bit
value - The new value of the cloud variable
cloudToken - as found in the cloud-data.js within the directory of the project
username - “jokebookservice1”
Session cookies:
projectId - doesn't this make it redundant…?
All the cookies you have when you are logged in except for ones beginning with _'s
Headers
X-CSRF-Token as found in any logged in page's source code
Did I miss anything? I'll try and do that now
- MegaApuTurkUltra
- Scratcher
1000+ posts
> projectId - doesn't this make it redundant…?

It is redundant but necessary. Without the projectId cookie, Scratch will reject your request.
- jokebookservice1
- Scratcher
1000+ posts
> > projectId - doesn't this make it redundant…?
>
> It is redundant but necessary. Without the projectId cookie, Scratch will reject your request.

Ok
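
The request summarised in the thread above, assembled with the Python standard library as an added example that is not part of the original posts: it reads the token out of a constructed cloud-data.js sample and builds, without sending, the POST to /varserver. The form encoding, the placeholder token and the sample project id are assumptions; the thread leaves JSON versus name/value open.

```python
import re
import urllib.parse
import urllib.request

VARSERVER_URL = "https://scratch.mit.edu/varserver"  # endpoint named in the thread

# Constructed stand-in for the tail of cloud-data.js; project id and token are placeholders.
SAMPLE_CLOUD_DATA_JS = """
$(window).unload( function () {
    createCookie('projectId', 104);
    $.ajax({
        type: 'POST',
        url: "/projects/purge-cloud-data/",
        data: {token: "00000000-0000-0000-0000-000000000000"},
    });
});
"""
TOKEN_RE = re.compile(r'data:\s*\{\s*token:\s*"([^"]+)"')


def extract_cloud_token(js_source):
    """Return the token from the purge-cloud-data call, or raise if it is absent."""
    match = TOKEN_RE.search(js_source)
    if match is None:
        raise ValueError("no cloud token found in cloud-data.js source")
    return match.group(1)


def build_set_request(project_id, name, value, cloud_token, username,
                      csrf_token, session_id):
    """Assemble, without sending, the POST summarised in the thread."""
    for part in (csrf_token, session_id):
        if re.search(r"[\r\n;]", part):  # keep values from splitting the Cookie header
            raise ValueError("cookie value contains a separator character")
    # Assumption: form encoding; the thread leaves JSON vs. name/value open.
    body = urllib.parse.urlencode({
        "projectId": project_id, "name": name, "value": value,
        "cloudToken": cloud_token, "username": username,
    }).encode("utf-8")
    cookies = "; ".join([
        f"projectId={int(project_id)}",    # duplicates the body field, but required
        f"scratchcsrftoken={csrf_token}",
        f"scratchsessionsid={session_id}",
    ])
    headers = {"Cookie": cookies, "X-CSRF-Token": csrf_token}
    return urllib.request.Request(VARSERVER_URL, data=body,
                                  headers=headers, method="POST")
```

The CSRF value travels twice, once in the cookie and once in the header, and the project id twice, once in the body and once in a cookie, which is the redundancy the last posts discuss.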