Message from JavaScript discussions

April 2017

— Stop, could you please describe the changes in the screenshots

— 

They render it directly in a canvas without making any http requests, you have to manually trigger the method which does this or manually trigger the button, both of which require xss

— Ok but there are no input for xss

— Without xss or csrf your options are very limited

— No requrests to forge = no csrf
no xss holes = no running click or any js

— Might still be able to attack the socket with a custom client though

— The issue is running cross domain scripts the server doesn't claim to own, which will be even harder if they have CSP enabled

Message permanent page

— So you would need to roll your own websocket client and game client

— Looking at application data, they have many different keys and nonces, you would have to either do a replay attack or find a way to generate these yourself

Message permanent page

— What exactly does he want to haxxor on agar.io?

— I don't think you can do much beyond injecting local JS and making your own client

— I.e. writing a bot