SlowAES Bypass the test cookie NodeMcu

By

SlowAES Library for Esp8266 (NodeMCU)

Hello embedded friends, this article is about the web-scrapping protection slowAES (aes.js). If you want to get a web page with nodeMCU HttpClient and your response is different from what you see when browse it a browser and your response like below :

<html>

<body>
	
	<script type="text/javascript" src="/aes.js"></script>
	<script>
		function toNumbers(d) {
			var e = [];
			d.replace(/(..)/g, function(d) {
				e.push(parseInt(d, 16))
			});
			return e
		}

		function toHex() {
			for (var d = [], d = 1 == arguments.length && 
			arguments[0].constructor == Array ? arguments[0] : 
			arguments, e = "", f = 0; f < d.length; f++) e += 
			(16 > d[f] ? "0" : "") + d[f].toString(16);
			return e.toLowerCase()
		}
		var a = toNumbers("f655ba9d09a112d4968c63579db590b4"),
			b = toNumbers("98344c2eee86c3994890592585b49f80"),
			c = toNumbers("a76ce883a42eb6e9fff3e05d9cc6c7e5");
		document.cookie = "__test=" + toHex(slowAES.decrypt(c, 2, a, b)) + 
		"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";
		location.href = "http://www.namazvakitleri.site/i=1";
	</script>
	<noscript>
		This site requires Javascript to work, please enable
Javascript in your browser or use a browser with Javascript support
</noscript>

</body>

</html>

 Then, this means your page protected by slowaes protection to prevent web-scraping, robot actions.

What is slowAES protection?

When you get that kind of a web page, your browser (if it's your first visit) gets the code above first, and run this javascript code to generate a cookie called __test and some encrypted value in it. This value generally depends on your ip address. And js set this cookie on your browser and redirect browser the page you requested, plus a query string i, or attempt in some systems. The second request done with the cookie set before, server check if the cookie set and correct view the page you actually wanted to see.


How to bypass slowAES by NodeMcu?

First step : get the page with HttpClient
HttpClient http;
WiFiClient wfc;
String web = "http://example.com/";
http.begin(web,wfc);
String payload = http.getString();
then you have the java code like above in payload var.

Second step: obtain a,b,c values in code.
/* getting abc vars */
int loc = payload.indexOf("var a=toNumbers(");
String temp = payload.substring(loc, temp.length());
temp.replace("var a=toNumbers(\"", "");
String a = temp.substring(0, 32);

temp.replace(a + "\"),b=toNumbers(\"", "");
String b = temp.substring(0, 32);

temp.replace(b + "\"),c=toNumbers(\"", "");
String c = temp.substring(0, 32);

Third step: Installing slowAES library
On the menu click Tools, Manage Libraries..., type slowAES

slowaes library installation on arduino ide


and click Install.

Fouth step: getting test cookie value with slowAES library.

include the library header file

#include <slowAES.h>
obtaining __test cookie value :

  uint8_t aNums[16];
  uint8_t bNums[16];
  uint8_t cNums[16];

  toNumbers(a.c_str(), aNums);
  toNumbers(b.c_str(), bNums);
  toNumbers(c.c_str(), cNums);

  uint8_t finalCookie[33];
  slowAES _slowAES;
  uint8_t resNums[16];
  _slowAES.decrypt(cNums, aNums, bNums, resNums);
  toHex(resNums, finalCookie);
  String str = (char *)finalCookie;
now you have test cookie's value in str var.


Fifth step: the second call of the page:

  web = web + "?i=1";
  http.begin(wfc, web);
  String fullCookieStr = "__test=" + str;
  http.addHeader("Cookie", fullCookieStr, true);
  http.addHeader("Host", "www.example.com", true);
  http.addHeader("Connection", "Keep-Alive", true);

 
  payload = http.getString();
  Serial.println(payload);

That's cool you have the page content in payload variable. You can do what ever you want with it.



Comments

Post a Comment

You can share your experience, or ask anything about the topic, Let's write ;)

Popular posts from this blog

How does P10 Led Panel Work? | Working Principle and calculations

By
Image
  P10 Led Panel 32x16 consist of 512 leds. There are  2 connectors, called  Hub1.2  (8x12 male header) and 5v power connector. Hub1.2 placed left side of the board shown in image below is input, right one is the connector to connect another p10 panels input. Pin definition of Hub1.2  is shown in image.  ENABLE pin  is the pin which allows you to control the panel is working state or stop state. Panel enables when it is driven a HIGH signal, When it is driven low it does not matter another pin states, panel stops working. A, B are row selectors, this pins represent a 2 bit binary number allow you to select one of four rows in a sequence. Selecting a row means that, the leds on the selected row are powering their anod pins. There are 16 rows in total(A1-A16), and they are in a group of 4. Each group of rows are represented with the same color in the images below. Look at the table, driving A and B with a LOW signal means selecting rows labelled A1,A5,A9 and A13.  B A Selected rows
Read more

How to Drive DHT sensor without Library

By
Image
 Let's code! Expalantions are in the code area. Happy Coding! /* * DHT 11 driving without library * * http://en.devrelerim.com * Author : Hakan OZMEN (hakkanr@gmail.com) * Date : 30.03.2021 * * You can change or share all / or same part of * this code. Free of charge! :) */ uint8_t data [ 5 ] ; // to save our 8bit * 5 data void setup ( ) { Serial . begin ( 115200 ) ; } /* *  This function count an 8bit integer value *  while given signal is not changed *  no need to measure time counting is also *  need time ;) */ uint8_t expectedSignal ( bool level ) {   uint8_t count = 0 ;   while ( digitalRead ( 2 ) == level ) count ++ ;   return count ; } void loop ( ) { delay ( 2000 ) ; // wait 2 secs for sensor to initialize Serial . println ( "----------------------" ) ; pinMode ( 2 , INPUT_PULLUP ) ; // Standard is HIGH delay ( 1000 ) ; pinMode ( 2 , OUTPUT ) ; // make pin 2 output digitalWrite ( 2 , LO
Read more

Working Principle of DHT Sensors and Analysis with Logic Analyzer

By
Image
 What's inside DHT11 sensor , I've removed the plastic case and what I saw is :     There is a resistive type humidity measurement component, a NTC to measure temperature and a 8 bit microcontroller and it uses single-wire serial interface to communicate  with other systems. Measurement range 0-50 °C in temp and 20-90%RH in humidity. Accuracy for temp is ±2°C, ±5%RH for humidity, and last information about it is resolution is 1.          What about the power? it can work between 3v and 5.5V, this means you can use it 3.3v boards and also 5v boards. Communication Process      This is the part I like the most !     - One communication process is about 4ms.     - Data format : 8bit Humidity (integer part) 8bit Humidity (decimal Part) 8bit Temp (integer part) 8bit Temp (decimal Part) 8bit checksum totally we have 40 bits of data to deal with. Let's look at the signal on data pin with logic analyzer     There are two timing maker pairs A1 to A2 (at the same point B1),
Read more