Message from JavaScript discussions
April 2017
— Might still be able to attack the socket with a custom client though
The issue is running cross domain scripts the server doesn't claim to own, which will be even harder if they have CSP enabled
— So you would need to roll your own websocket client and game client
— Looking at application data, they have many different keys and nonces, you would have to either do a replay attack or find a way to generate these yourself
— What exactly does he want to haxxor on agar.io?
— I don't think you can do much beyond injecting local JS and making your own client
— I.e. writing a bot
— Ok
— NID, HTTP-only
HSID, HTTP-only
SAPISID, SSL-only (some session data or key)
SID, no security
SSID, HTTP-only and SSL-only
_cfduid, HTTP-only and SSL-only
— Those are keys you can target that seem to be secured or otherwise important
— Wut it seems arabic to me lel
— It is session related cryptography and key systems