Closed: Verequies closed this issue 1 year ago
@Verequies try adding `baseHref=$url`, replacing `$url` with the origin of the domain. For the CORS issue, it looks like an Access-Control-Allow-Origin issue. You might need to add the origin to allow requests from the new iframe domain, or localhost, depending on whether it's development. You can also use a proxy such as https://www.npmjs.com/package/local-cors-proxy instead. Hope this helps.
Thanks for the suggestions. Unfortunately, adding baseHref actually causes more issues. The CORS proxy didn't help much either, or I didn't configure it correctly.
The page I am trying to bypass is the PSN Sign In page here.
Is there some way to change the "Origin" and "Referer" headers? This is my current Express code:
```js
import express from "express";
import createIframe from "node-iframe";
import request from "request";
import cors from "cors";

export default (iframe, http) => {
  iframe.use(createIframe);
  iframe.disable("x-powered-by");
  iframe.use((req, res, next) => {
    console.info(req.url);
    if (req.url.substring(0, 11) == "/clientlibs") {
      request("https://my.account.sony.com" + req.url).on("response", response => {
        delete response.headers["X-Frame-Options"];
      }).pipe(res);
    } else if (req.url == "/signin") {
      res.createIframe({
        url: "https://my.account.sony.com/central/signin/?response_type=token&scope=capone%3Areport_submission%2Ckamaji%3Agame_list%2Ckamaji%3Aget_account_hash%2Cuser%3Aaccount.get%2Cuser%3Aaccount.profile.get%2Ckamaji%3Asocial_get_graph%2Ckamaji%3Augc%3Adistributor%2Cuser%3Aaccount.identityMapper%2Ckamaji%3Amusic_views%2Ckamaji%3Aactivity_feed_get_feed_privacy%2Ckamaji%3Aactivity_feed_get_news_feed%2Ckamaji%3Aactivity_feed_submit_feed_story%2Ckamaji%3Aactivity_feed_internal_feed_submit_story%2Ckamaji%3Aaccount_link_token_web%2Ckamaji%3Augc%3Adistributor_web%2Ckamaji%3Aurl_preview&client_id=656ace0b-d627-47e6-915c-13b259cd06b2&redirect_uri=https%3A%2F%2Fmy.playstation.com%2Fauth%2Fresponse.html%3FrequestID%3Dexternal_request_8d29914e-eeb5-4fdd-8323-219c827e2944%26baseUrl%3D%2F%26targetOrigin%3Dhttps%3A%2F%2Fmy.playstation.com%26excludeQueryParams%3Dtrue&smcid=web%3Amy-playstation&tp_console=true&ui=pr&cid=d205938f-a2cd-4950-8805-90e918f4c6c9&error=login_required&error_code=4165&no_captcha=false#/signin/ca?entry=ca",
      });
    } else {
      request("https://my.account.sony.com/central/signin" + req.url).on("response", response => {
        delete response.headers["x-frame-options"];
      }).pipe(res);
    }
  });
}
```
@Verequies I thought it was a Fetch API request or script; on that note, the proxy could do the trick unless they are blocking all URLs outside of the domain. You might need to add the port for the proxy option configuration from the Sony website. There's also an inline script configuration to help with CORS issues for JS scripts. I can look more into this tomorrow. I would try to submit the form headlessly and see if you get a response.
@Verequies you are welcome; if you have any other questions, feel free to send away. I appreciate the details in the message and screenshots.
That'd be great, thanks, if you do end up looking at it. I did try proxies such as 'cors-anywhere', but they pretty much ended up giving the same result as my code above.
I'll have a look at the inline configuration. What do you mean exactly by "submit the form headlessly"?
No worries, I can supply as much detail as required. Here's a picture of the developer network/console window.
I'm also a bit confused about why the '/clientlibs/8e55e6688no17781d9c37979996560a' relative link drops the 3000 port from the URL and also changes the protocol to https, which causes it to fail.
The API allows the origin to be "https://my.account.sony.com" in the "Access-Control-Allow-Origin" header.
For submitting headless, I would inspect the outgoing network request when you submit the form with the dev tools. After getting the URL and params, a basic curl on your machine for a test:
```sh
curl --location --request POST 'https://my.account.sony.com/central/signin/?response_type=token&scope=capone%3Areport_submission%2Ckamaji%3Agame_list%2Ckamaji%3Aget_account_hash%2Cuser%3Aaccount.get%2Cuser%3Aaccount.profile.get%2Ckamaji%3Asocial_get_graph%2Ckamaji%3Augc%3Adistributor%2Cuser%3Aaccount.identityMapper%2Ckamaji%3Amusic_views%2Ckamaji%3Aactivity_feed_get_feed_privacy%2Ckamaji%3Aactivity_feed_get_news_feed%2Ckamaji%3Aactivity_feed_submit_feed_story%2Ckamaji%3Aactivity_feed_internal_feed_submit_story%2Ckamaji%3Aaccount_link_token_web%2Ckamaji%3Augc%3Adistributor_web%2Ckamaji%3Aurl_preview&client_id=656ace0b-d627-47e6-915c-13b259cd06b2&redirect_uri=https%3A%2F%2Fmy.playstation.com%2Fauth%2Fresponse.html%3FrequestID%3Dexternal_request_8d29914e-eeb5-4fdd-8323-219c827e2944%26baseUrl%3D%2F%26targetOrigin%3Dhttps%3A%2F%2Fmy.playstation.com%26excludeQueryParams%3Dtrue&smcid=web%3Amy-playstation&tp_console=true&ui=pr&cid=d205938f-a2cd-4950-8805-90e918f4c6c9&error=login_required&error_code=4165&no_captcha=false#/signin/ca?entry=ca' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "email": "Ping",
    "password": 12312312
  }'
```
The body params need to be updated and the submission might be different; the above is just an example. What I meant by headless is making the request without the UI.
Adding `config: { inline: { script: true } }` seems to have fixed the clientlibs link issue, or at least it's not appearing in the network monitor now. However, the loading circle doesn't go away now, which is interesting.
I have a feeling that if the relative links were going through the iframe instead, it may all work. I have it printing out the URL to the console so you can see the relative requests.
@Verequies were you able to get past the connection issue on the initial page?
Sony's authentication security is done in a rollup process, which made reverse engineering really tricky. I think it's currently set up to prevent all auth outside of the initial Sony website. An easy way to see if the CORS is tied to local machines is to test it on a server outside of your local machine. https://client-api.arkoselabs.com/fc/gt2/public_key/7D857050-F609-4F6A-AF63-CD04DE665FFE is the main auth endpoint.
I haven't managed to get past it yet. Currently I'm trying to figure out how to modify the stream for the kekka.js file. That way I can add 'https://localhost:3000/' before the URL requests to the API and handle them with the Express server.
@Verequies if you manage to get past that, you have some really solid reverse engineering skills. Let me know if you do; I am interested in the final outcome for this. I am not surprised Sony handles security in this fashion; I have yet to hear of any of their services being hacked for a while now.
@j-mendez I was indeed able to bypass the security and successfully log in. I ended up not using 'node-iframe' and wrote my own proxy. At the moment I'm just cleaning up some broken code, but after that I can commit it to a repository and share the current state of it with you privately. I can send you an email.
Sorry it's taking me a while to get back to you. I have some university assessment that I need to work on first.
I'm trying to put a sign-in page in an iframe. While this is somewhat working, the page isn't fully loading because it loads assets via relative URLs. The sign-in page is also making requests to an external API, which is giving CORS SAMEORIGIN issues. I can work around the asset loading issues for the most part using request and deleting the 'X-Frame-Options' header, but cannot figure out how to bypass the API requests.
Is there a way I can work around this?
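The two controls this thread keeps hitting, X-Frame-Options and Access-Control-Allow-Origin, are decided by the sign-in service, not by the page that embeds it. The block below is an added example written from that service's side; it is not code from node-iframe or from anyone in the thread. The allowlisted origins are taken from URLs that appear above, the request objects are constructed for the demo, and `antiFramingHeaders`, `corsHeadersFor` and `respond` are hypothetical helper names. It shows the exact-match origin allowlist, why both anti-framing headers are sent together, and the audit line a defender would log when a non-allowlisted origin calls the API.

```javascript
// Added example (not from the issue thread): server-side anti-framing and CORS
// decisions for a sign-in service. Origins and requests are constructed.

// Exact origins (scheme + host + port) permitted to call the API cross-origin.
// Taken from URLs in the thread; a real deployment loads these from config.
const ALLOWED_ORIGINS = new Set([
  "https://my.account.sony.com",
  "https://my.playstation.com",
]);

// Headers that keep the page out of foreign frames. Both are sent on purpose:
// X-Frame-Options for older browsers, CSP frame-ancestors for current ones
// (where both are present, CSP-aware browsers follow frame-ancestors). A
// reverse proxy that strips one of them still leaves the other in place.
function antiFramingHeaders(allowedFrameOrigins = []) {
  const ancestors = ["'self'", ...allowedFrameOrigins].join(" ");
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors ${ancestors}`,
  };
}

// CORS decision for one Origin value. Returns the headers to add, or null when
// the Origin is absent or not allowlisted; null means no
// Access-Control-Allow-Origin is sent at all and the browser withholds the
// response body from the calling page.
function corsHeadersFor(origin) {
  if (typeof origin !== "string") return null;
  // Exact match only. A prefix or substring check would accept look-alikes
  // such as "https://my.account.sony.com.attacker.example".
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The answer differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Build response headers plus a one-line audit record for a request.
// req is a plain { method, path, headers } object so the logic runs without a
// listening socket; the same function can sit inside http.createServer.
function respond(req) {
  const headers = antiFramingHeaders(["https://my.playstation.com"]);
  const origin = req.headers.origin;
  const cors = corsHeadersFor(origin);
  if (cors) Object.assign(headers, cors);
  const verdict = origin === undefined ? "n/a" : cors ? "allowed" : "denied";
  const audit = `${req.method} ${req.path} origin=${origin ?? "-"} cors=${verdict}`;
  return { status: 200, headers, audit };
}

// Constructed sample requests: an allowlisted caller, a localhost dev server,
// a look-alike origin, and a plain same-origin navigation with no Origin.
const SAMPLE_REQUESTS = [
  { method: "POST", path: "/api/signin", headers: { origin: "https://my.playstation.com" } },
  { method: "POST", path: "/api/signin", headers: { origin: "http://localhost:3000" } },
  { method: "POST", path: "/api/signin", headers: { origin: "https://my.account.sony.com.attacker.example" } },
  { method: "GET", path: "/signin", headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const { headers, audit } = respond(req);
  console.log(audit, "->", headers["Access-Control-Allow-Origin"] ?? "(no ACAO header)");
}
```

Run with `node` to see one audit line per sample request. Two points follow from the code: the browser sets the Origin and Referer headers itself and does not let page script override them, so the allowlist on the server is what decides whether an embedding origin gets a response; and because the CORS check is an exact string match, denied origins such as `http://localhost:3000` show up in the audit lines rather than being accepted by accident, which is the signal a defender wants to alert on.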