Message from JavaScript discussions

April 2017

— Might still be able to attack the socket with a custom client though

— The issue is running cross domain scripts the server doesn't claim to own, which will be even harder if they have CSP enabled

— So you would need to roll your own websocket client and game client

— Looking at application data, they have many different keys and nonces, you would have to either do a replay attack or find a way to generate these yourself

— What exactly does he want to haxxor on agar.io?

— I don't think you can do much beyond injecting local JS and making your own client

— I.e. writing a bot

— Ok

— NID, HTTP-only
HSID, HTTP-only
SAPISID, SSL-only (some session data or key)
SID, no security
SSID, HTTP-only and SSL-only
_cfduid, HTTP-only and SSL-only

— Those are keys you can target that seem to be secured or otherwise important

— Wut it seems Arabic to me lel

— It is session related cryptography and key systems