Fay, posted October 2, 2014 (edited)

https://fayosbot.appspot.com/

Support? I'll probably help people get started but that will be about it.

How to integrate into your script you may ask? See the bottom of this post.

So you may be thinking "Oh this is just a static page." You are wrong. The Java client (script) will pass the current statistics to the server via the API. The server-side Python code takes this data and adds the new exp gains to the person's record.

If it is going to be an open release how will I protect against people just spamming fake exp gains? Read the last line of the tutorial.

Things to do:
- Hiscores
- Updating users
- Adding users through GUI
- Client script for adding data
- Return from server to client (totaling)
- On demand script stopping
- Make pages look prettier
- User admin
- Signatures
- On demand script break
- Botstuck checker
- Profiled antiban

I'll take recommendations by the way. So if you want something on the things to do list leave a comment.

DOWNLOAD

Tutorial

How to make this function with your script!

This is the Adder class to add data into the site.

    import java.io.IOException;
    import java.net.URL;
    import java.net.URLConnection;

    public class Adder {
        // Sends the current statistics to the site and returns the server's reply.
        static String AddData() throws IOException {
            URL theURL = new URL("https://fayosbot.appspot.com/api/request/create"); // change "fayosbot" to your app name
            URLConnection uc = theURL.openConnection();
            uc.addRequestProperty("secretKey", "!23KeyMaker32!"); // hopefully you changed the password, if so change here too.
            uc.addRequestProperty("name", "Alek"); // gui needs to prompt user for username (case-sensitive)
            uc.addRequestProperty("exp", "0"); // pass along the exp gained
            uc.addRequestProperty("time", "5"); // I recommend you run this every 5 minutes, so 5
            uc.addRequestProperty("password", "Alek"); // gui needs to prompt user for password (case-sensitive)
            uc.addRequestProperty("state", "HerbChecking"); // pull your state from the script
            uc.addRequestProperty("position", Iden.currentPos); // start setting your currentPos and pulling
            return SourceBuilder.sourceBuilder(uc.getInputStream()); // building the string to get the return
        }
    }

This is the SourceBuilder class code

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;

    public class SourceBuilder {
        // Reads the whole response body into one string (line breaks are dropped).
        static String sourceBuilder(InputStream source) throws IOException {
            StringBuilder out = new StringBuilder();
            // try-with-resources closes the reader even if readLine() throws
            try (BufferedReader in = new BufferedReader(new InputStreamReader(source, "UTF-8"))) {
                String inputLine;
                while ((inputLine = in.readLine()) != null)
                    out.append(inputLine);
            }
            return out.toString();
        }
    }

This is some very BASIC code to get player position

    try {
        currentPos = getPlayers().myPlayer().getPosition().toString();
    } catch (Exception e) {
        currentPos = "Unknown"; // position could not be read
    }

This is the scheduler class for sending data into the website

    import java.io.IOException;
    import java.util.concurrent.Executors;
    import java.util.concurrent.ScheduledExecutorService;
    import java.util.concurrent.TimeUnit;

    public class Scheduler {
        static int timeInterval = 300; // seconds between updates (5 minutes)

        public static void startTimer() {
            final ScheduledExecutorService service = Executors
                    .newSingleThreadScheduledExecutor();
            service.scheduleWithFixedDelay(new Runnable() {
                public void run() {
                    try {
                        Adder.AddData();
                    } catch (IOException e) {
                        // a failed update is ignored; the next scheduled run sends again
                    }
                }
            }, 0, timeInterval, TimeUnit.SECONDS);
        }
    }

The way the site returns data is exp,time so say I had 100 exp and 5 minutes played already:

    100,5

I put an update of 20 exp and 1 minute the response would be:

    120,6

If someone issues a "SiteKill" command from the website within the last ~5 minutes, the script should halt. The script figures this out by posting the exp and time but instead of getting:

    120,6

it would instead get:

    SiteKill

Now I didn't code it but you should add a handler for if "SiteKill" is returned it will halt the script, and log out.

Sounds good and makes sense?

Edited October 8, 2014 by Fay

User, posted October 3, 2014

> If it is going to be an open release how will I protect against people just spamming fake exp gains? Secret key.

Won't work.

Pug, posted October 3, 2014

looks like a good idea. Will use this on my site for my scripts if you finish it

Fay (Author), posted October 3, 2014

> Won't work.

Pretty much the way I built it was it would be passed along to the server from the client. Because the client's traffic to the server will be https, reading the key is something that can't be done easily. Then we have replay attacks, someone capturing the https traffic and resending it, while this is possible in a limited time frame, I can easily build a process that would render it useless. All in all, everything is vulnerable, it just takes trial and error to fix it from the ground up.

> looks like a good idea. Will use this on my site for my scripts if you finish it

Neat. If you have any ideas or data I could use that you would like to be built in I would love it. If you have a skype shoot me a message. Also this won't run on your base site unless it is a python webserver. I am building this for Google App Engine sites, free hosting and very scalable.

Swizzbeat, posted October 3, 2014

> Pretty much the way I built it was it would be passed along to the server from the client. Because the client's traffic to the server will be https, reading the key is something that can't be done easily. Then we have replay attacks, someone capturing the https traffic and resending it, while this is possible in a limited time frame, I can easily build a process that would render it useless. All in all, everything is vulnerable, it just takes trial and error to fix it from the ground up.

The issue is more so along the lines of someone configuring a valid experience/items gained/time ran/etc. request with bogus data and sending that in.

Fay (Author), posted October 3, 2014 (edited)

> The issue is more so along the lines of someone configuring a valid experience/items gained/time ran/etc. request with bogus data and sending that in.

I understand that and anyone is more than welcome to try but without knowing the client secret they are not getting anywhere.

https://fayosbot.appspot.com/api/request/create?name=Fay&exp=50000&time=69

Edit: Even if they know the client secret they still have to guess the name of the header being requested because they can't get it from the HTTPS traffic.

!23KeyMaker32!

That is the key, if someone can successfully submit the above link I'll buy them VIP. Take a screenshot of the return if you do get it and post it here. If it is correct you win.

Edited October 3, 2014 by Fay

Swizzbeat, posted October 3, 2014

> I understand that and anyone is more than welcome to try but without knowing the client secret they are not getting anywhere.
> https://fayosbot.appspot.com/api/request/create?name=Fay&exp=50000&time=69

Then how do you accept incoming requests from script writers? You obviously have to configure the key on the client and then send that in the request. My point is that if I was using your API I could send whatever data I wanted as long as I had your authentication code (which every script writer would).

Fay (Author), posted October 3, 2014

> Then how do you accept incoming requests from script writers? You obviously have to configure the key on the client and then send that in the request. My point is that if I was using your API I could send whatever data I wanted as long as I had your authentication code (which every script writer would).

My bad for being ambiguous. Every script writer would need to change the key to something that they want the password to be. If they leave it default they will be open to the abuse.

TheScrub, posted October 3, 2014

just a quick suggestion from an old osbot user

https://fayosbot.app...p=50000&time=69 is not safe you should use http post so it's not in the url

also with your python backend is that passing the data to a sql and if so is this got a timeout to stop overloading your server???

Fay (Author), posted October 3, 2014

> just a quick suggestion from an old osbot user
> https://fayosbot.app...p=50000&time=69 is not safe you should use http post so it's not in the url
> also with your python backend is that passing the data to a sql and if so is this got a timeout to stop overloading your server???

Yep it was more or less for quick testing. Can you explain why it would not be safe though? I mean if I am locking it down anyways it doesn't matter if they can read the data passed to it.

It is actually a Google Datastore. Overloading shouldn't be a problem. If so I can force it to only allow updates every 5 minutes per account.

TheScrub, posted October 3, 2014

> Yep it was more or less for quick testing. Can you explain why it would not be safe though? I mean if I am locking it down anyways it doesn't matter if they can read the data passed to it.

it's easier for a script kiddie to add "Junk" data if you use a query string with http get while if you have http post the fields are hidden there are still ways of adding false data into it but it takes a bit more effort than a regular script kiddie would be willing to put effort in

Fay (Author), posted October 3, 2014

> it's easier for a script kiddie to add "Junk" data if you use a query string with http get while if you have http post the fields are hidden there are still ways of adding false data into it but it takes a bit more effort than a regular script kiddie would be willing to put effort in

Using wireshark the user does not actually receive the full url they can only see http://prntscr.com/4sq3h7 on the client hello. Even if they get the full url like I provided above they can't submit data without the client secret (passed through request header also hidden). I understand fully with what you are talking about but even an experienced hacker would have no luck blowing up his stats. This is because he would have to first decrypt the ssl traffic (RSA 2048bit). Then still be alive by the time that cracking was finished.

Honestly there is no need to change it other than making it look a little bit prettier for the scripter. I will change it but it isn't a security hole.

Swizzbeat, posted October 3, 2014 (edited)

> Using wireshark the user does not actually receive the full url they can only see http://prntscr.com/4sq3h7 on the client hello. Even if they get the full url like I provided above they can't submit data without the client secret (passed through request header also hidden). I understand fully with what you are talking about but even an experienced hacker would have no luck blowing up his stats. This is because he would have to first decrypt the ssl traffic (RSA 2048bit). Then still be alive by the time that cracking was finished.
> Honestly there is no need to change it other than making it look a little bit prettier for the scripter. I will change it but it isn't a security hole.

Unless the hackers from the NSA

You should also add a timeout to any request packets sent. It doesn't matter how good your encryption is (could be some alien shit idc) because anyone who intercepts the packet can resend it as many times as they want. It's a major security flaw in a lot of website login forms ;)

Edited October 3, 2014 by Swizzbeat

Fay (Author), posted October 3, 2014

> Unless the hackers from the NSA
> You should also add a timeout to any request packets sent. It doesn't matter how good your encryption is (could be some alien shit idc) because anyone who intercepts the packet can resend it as many times as they want. It's a major security flaw in a lot of website login forms

Timeout is auto handled by SSL. It tracks back to my last response. It is near impossible to replay it.

Swizzbeat, posted October 3, 2014

> Timeout is auto handled by SSL. It tracks back to my last response. It is near impossible to replay it.

I didn't know that, pretty solid.
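
A server-side check for the forged-update and replay concerns raised in this thread, added here as an example and not part of Fay's project: each account gets its own key, the client sends an HMAC over every field plus a timestamp and a nonce, and the server rejects altered, stale, replayed or implausible updates. The names `sign`, `verify_update` and `USER_KEYS`, the field layout, the in-memory nonce store and the `MAX_EXP_PER_MIN` cap are assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300          # seconds a signed update stays acceptable
MAX_EXP_PER_MIN = 2000  # assumed plausibility cap, tune per skill

# Constructed sample data: one key per account instead of one shared secret.
USER_KEYS = {"Alek": b"constructed-per-user-key"}
_seen = {}              # (name, nonce) -> signed timestamp


def sign(key, name, exp, minutes, ts, nonce):
    """HMAC-SHA256 over every field, so none can be changed after signing."""
    msg = json.dumps([name, exp, minutes, ts, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_update(name, exp, minutes, ts, nonce, sig, now):
    """Return (accepted, reason) for one stats update."""
    key = USER_KEYS.get(name)
    if key is None:
        return False, "unknown user"
    if not hmac.compare_digest(sign(key, name, exp, minutes, ts, nonce), sig):
        return False, "bad signature"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    # Forget nonces whose timestamp would now fail the check above anyway.
    for k in [k for k, t in _seen.items() if now - t > MAX_SKEW]:
        del _seen[k]
    if (name, nonce) in _seen:
        return False, "replayed"
    # A valid key holder can still lie, so bound the claimed gain.
    if minutes <= 0 or exp < 0 or exp > minutes * MAX_EXP_PER_MIN:
        return False, "implausible gain"
    _seen[(name, nonce)] = ts
    return True, "ok"
```

A key stored in the client can still be read by that client's own user, so the per-account key only limits a forged update to the forger's own record; the plausibility cap is what bounds the size of the claim.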