In the second part, we’ll take a look at the requests we intercepted thanks to Fiddler, and see if Ask.fm implemented some sort of security (tokens, checksums, etc.).
Understanding the request headers and parameters
Here is the request we’ll analyze:

    POST /authorize HTTP/1.1
    X-Api-Version: 0.8
    Host: api.ask.fm:443
    X-Client-Type: android_3.8.1
    Accept: application/json; charset=utf-8
    X-Access-Token: .4WspnFnDpwQNevsbXIEExPDgJZDM
    Accept-Encoding: identity
    Authorization: HMAC a9f98b69f649e0c96240cc6e36980da96f308cea
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0.1; GT-N7100 Build/MOB30R)
    Connection: Keep-Alive
    Content-Length: 186

    json {"did":"84a2b70bfae4ae65","guid":"84a2b70bfae4ae65","pass":"password123lol","rt":"4","ts":"1471967146","uid":"JohnDoe"}
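A first-pass triage of the request above, written as an added example (not code from the original post): it parses the capture and lists the integrity and freshness material it contains, such as the MAC length and the hash functions that produce a digest of that size. It assumes the body is a single form field named `json`; the function names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Request from the post, trimmed to the headers inspected below. Assumption:
# the body is one form field named "json", shown decoded as in the capture.
RAW = """POST /authorize HTTP/1.1
Host: api.ask.fm:443
X-Access-Token: .4WspnFnDpwQNevsbXIEExPDgJZDM
Authorization: HMAC a9f98b69f649e0c96240cc6e36980da96f308cea
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

json {"did":"84a2b70bfae4ae65","guid":"84a2b70bfae4ae65","pass":"password123lol","rt":"4","ts":"1471967146","uid":"JohnDoe"}
"""

def parse_request(raw):
    """Split a raw HTTP request into (request line, headers, body)."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body.strip()

def digest_candidates(hex_digest):
    """Hash functions whose output size matches the observed MAC length."""
    size = len(bytes.fromhex(hex_digest))
    names = ("md5", "sha1", "sha256", "sha512")
    return [n for n in names if hashlib.new(n).digest_size == size]

def triage(raw):
    """Collect the integrity and freshness material visible in one request."""
    _, headers, body = parse_request(raw)
    scheme, _, mac = headers["authorization"].partition(" ")
    params = json.loads(body.partition(" ")[2])
    sent = datetime.fromtimestamp(int(params["ts"]), tz=timezone.utc)
    return {
        "scheme": scheme,
        "mac_bits": len(mac) * 4,
        "candidates": digest_candidates(mac),
        "sent_utc": sent.isoformat(),
        "secret_fields": [k for k in params if k in ("pass", "password")],
        "device_ids_equal": params["did"] == params["guid"],
    }

if __name__ == "__main__":
    for key, val in triage(RAW).items():
        print(f"{key}: {val}")
```

A single capture shows the MAC length and the timestamp, not which fields the MAC covers or which key it uses; answering that takes a comparison across several requests.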
As we can see, there are lots of interesting headers here. I won’t make you wait and will explain directly what I deduced from my tests: