search

Pytonballoon810 / Alexa-Device-Management

This repository contains a Python script for managing devices connected to the Amazon Alexa API. The script provides functionality to retrieve and delete entities related to an Amazon Alexa skill.
Apache License 2.0
8 stars 1 forks source link

Alexa API Endpoints changed.. Script need to be updated // Workaround with Burp #3

Open MarcelMertens opened 8 months ago

MarcelMertens commented 8 months ago

Hi, Amazon changed the API endpoints. The GET Devices API is now GraphQL instead of ReST. I managed to bulk delete my Alexa Devices with the help of this here anyway

  1. Install https://portswigger.net/burp/communitydownload and set up the proxy on you iPhone so that you can capture the HTTPS traffic
  2. Run a new live task, you should see all the API calls when using the Alexa App. Here in Germany all the interessting calls are going to eu-api-alexa.amazon.de
  3. With an active live task open your Alexa App, load the devices tab and delete one device.
  4. In Burp go to Proxy -> HTTP history -> Filter -> Filter by search term "legacyAppliance". grafik This should give you a list of all API calls containing "legacyAppliance". Endpoint should be only "https://eu-api-alexa.amazon.de/nexus/v1/graphql"
  5. In the Response Tab get the JSON and get the "applianceId" of all the devices you like to delete (put them into a text file. Every id a new line)
  6. Now change the filter pattern to "/api/phoenix/appliance/" grafik
  7. Now it shows you all the API Calls to the DELETE endpoint (should be only one (step 3)).
  8. Right Click -> Send to Intruder grafik
  9. Go to "Intruder" tab. Here you should see the DELETE Call copied in Step 8.
  10. Go to Payloads Tab, "Simple List" and Load the text file with your applianceIds from Step 5 grafik
  11. Back in the positions tab, change the first line to DELETE /api/phoenix/appliance/§device§ HTTP/1.1 grafik
  12. Hit "Start Attack" in the top right corner. This will delete all your devices in the text file. It take a while (2-3 sec per device), so stay tuned.

I don't know how long the session-token is valid, so there is only a few minutes? between point 3 and 12. The issue is that the DELETE API Endpoint still return "200 OK" even if the token is expired. It simple wont delete the device

I hade to log off / log on in the alexa app to finally get rid off all devices after this process

inverse commented 7 months ago

On the Android app I noticed that session doesn't change there is a csrf token added each time. I'm getting 200 but it's not deleting :/

Pytonballoon810 commented 7 months ago

I'm getting 200 but it's not deleting :/

Had the same problem but played around with it a bit. For me the problem was that I didnt read out the cockied correctly so maybe double check if everything is right

inverse commented 6 months ago

Still no luck :/ Trying to setup a rooted AVD to try again and go with the burpsuite approach. However I am unable to see the response on burpsuite, only requests for some reason :/

image

What am I missing?