FlyerTalk Forums - View Single Post - Retroclaim workaround for the tech-savvy
Nov 18, 2024 | 5:39 pm
  #4  
ChocolateFactory
Originally Posted by tr3k
Love it! How were you able to access the profile endpoint?
The bug is profile-dependent. I had some help from a family member with an account that wasn't affected.

Originally Posted by tr3k
Do you get the header values from other XHR endpoints on the same server while loading the retrocredit page?
Yes, if you go for the first option (send your own POST request), you just navigate to the broken retroclaim page.
You'll see the bearer token returned by the endpoint I mentioned.
The login cookie is ubiquitous; you can just copy it from the Developer Tools, for example.

Originally Posted by tr3k
How do you generate the "recaptcha" header (or is it constant and can be reused)?
The captcha works just fine, even with the bug. So you can just go to the (broken) retroclaim page, complete the captcha and copy the token.
You just have to be quick because it's only valid for a short time (as you can see on the website).

Originally Posted by tr3k
A Tampermonkey script (or just JS for dev console) would make this even better. I might try if this works.
The simplest option is to mock the profile endpoint. Then the retroclaim page just starts working as usual and there's no need to dig up any tokens.
I don't know if you can do that using Tampermonkey. I guess you probably can?
I'm not even sure if the values returned by the profile endpoint are actually used for anything (in the context of the retro-claim page); dummy values would probably be fine, as long as you keep the format intact.

A Tampermonkey script would definitely be a better option than people installing their own root certificates...

Maybe you can do something with this:
https://stackoverflow.com/questions/...37265#72137265

Last edited by ChocolateFactory; Nov 18, 2024 at 5:51 pm