search

M3ikShizuka / instagram-private-api

#instagram #private #api #signin #reverse #web #encrypt #decrypt #deobfuscate #session #PWD_INSTAGRAM_BROWSER
18 stars 4 forks source link

readme

Instagram private API

Descripion

This is algorithm for encrypting data before sending login request.

Usage

Sign in (instagram private web API version)

Script signinEncryptData.js contain code, which generate post data for sign in request.
You can input you data in call of function generatePostDataForSignIn() run index.html (on web server, for prevent block by CORS policy) and you will get post data for your sign in request.
You must extract the sessionid from the response header (field " Set-Cookie: sessionid=...") this will be your authorized session. You must insert a sessionid in field cookie for every http request that needs to be authorized.
WARNING
if you're using fetch or something else that doesn't have access to HttpOnly cookie fileds, then you need enable use cookie and session. Read more here

  1. Do request to any instagram.com page(ex: https://www.instagram.com/accounts/login/).
    Get params from response header: ``` ig-set-password-encryption-web-key-id: ... ig-set-password-encryption-web-pub-key: ... ig-set-password-encryption-web-key-version: ... ``` OR
    from html (GET request to any page ex: https://www.instagram.com/accounts/login/):
    HTML response ex: ```html ... ... ```
  2. Process the data using the algorithm described in signinEncryptData.js.
    The following cryptographic algorithms and libraries are used:
    • AES-GCM-256
    • NaCL crypto_box seal (Curve25519, Salsa20, Poly1305). crypto_box is curve25519xsalsa20poly1305, a particular combination of Curve25519, Salsa20, and Poly1305 specified in "Cryptography in NaCl".
  3. Sing in post request with postData Minimal expected headers for success authorization request. ```json url: "https://www.instagram.com/accounts/login/ajax/", // <=== Sign in API url headers: { "Host": "www.instagram.com", "Content-Type": "application/x-www-form-urlencoded", "X-CSRFToken": csrftoken, // <=== csrftoken "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" }, body: postData // <=== Data obtained at the second stage. ``` Get sessionid from response Set-Cookie sessionid in header. It's your authorized session. WARNING Set-Cookie: sessionid is HttpOnly. Read more here. ```json Success response: // Header: Set-Cookie: sessionid=...; Domain=.instagram.com; expires=Sat, 10-Jul-2021 13:51:39 GMT; HttpOnly; Max-Age=31536000; Path=/; Secure // Body: { "user": true, "userId": ..., "authenticated": true, "oneTapPrompt": true, "status": "ok" } ```