devleague / steam-team

Bug Bounty Team Collaboration for Hacker0x01 Steam Program

store.steampowered.com #13

Open NicklausPark opened 6 years ago

NicklausPark commented 6 years ago

store.steampowered.com

Functions

NicklausPark commented 6 years ago
GET / HTTP/1.1
Host: store.steampowered.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: browserid=1309865845762761680; _ga=GA1.2.174994300.1528577170; timezoneOffset=-36000,0; cc167.216.21.202=US; recentapps=%7B%22440%22%3A1529385346%2C%22574560%22%3A1528865210%2C%22570%22%3A1528582102%7D; _gid=GA1.2.879986600.1529385349
Connection: close
NicklausPark commented 6 years ago
GET / HTTP/1.1
Host: store.steampowered.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: browserid=1309865845762761680; _ga=GA1.2.174994300.1528577170; timezoneOffset=-36000,0; cc167.216.21.202=US; recentapps=%7B%22440%22%3A1529385346%2C%22574560%22%3A1528865210%2C%22570%22%3A1528582102%7D; _gid=GA1.2.879986600.1529385349
NicklausPark commented 6 years ago
GET /public/shared/javascript/shared_global.js?v=UAROLaPIF93_&l=english HTTP/1.1
Host: steamstore-a.akamaihd.net
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Accept: */*
Referer: https://store.steampowered.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
NicklausPark commented 6 years ago
steam:"<commands>"
Opens Steam with command line arguments, which can be found here.
Note: If you forget the closing quote for a steam:"<command>", an assertion failed error will be raised by Steam.exe/BootStrapperApp.cpp.
steam://AddNonSteamGame
steam://advertise/<id>
Opens the store to an application's page.
steam://ackMessage/ackGuestPass/<pass>
Accepts the specified Gift or Guest Pass.
steam://appnews/<id>
Opens up the news page for an app.
steam://backup/<id>
Opens up the Backup Wizard and checks the specified application. If an application is not specified then nothing will be checked.
steam://browsemedia
steam://checksysreqs/<id>
Checks if the user's computer meets the system requirements of an app.
steam://connect/<IP or DNS name>[:<port>][/<password>]
Connects the user to the server specified by the IP or DNS name. You don't have to specify anything else to connect to a third-party mod server; everything will be detected automatically.
Example: steam://connect/1.0.0.27:27015
Example: steam://connect/:27015
Example: steam://connect/dns.server.com
steam://defrag/<id>
Defragments files of the application.
steam://ExitSteam
Exits the Steam application.
steam://friends/
Opens Friends. These sub-commands are accepted:
add/<id>
Adds user with specified id number
friends/<id>
Shows list of users with whom you recently played
joinchat/<id>
Joins a chat with a specified id number
message/<id>
Send a message
players
Shows table of recent players you've played with
settings/hideoffline
Toggle offline friends from friends list
settings/showavatars
Toggle avatars in friends list
settings/sortbyname
Sorts friends list by name
status/away
Sets status as away
status/busy
Sets status as busy
status/trade
Sets status as looking to trade
status/play
Sets status as looking to play
status/offline
Sets status as offline
status/online
Sets status as online
steam://flushconfig/
Flushes and reloads the configs for each application (beta availability, etc.)
steam://forceinputappid/<id|shortcut name>
Forces the steam controller driver to use the layout for the given game or shortcut, without the need to use the in-game overlay, big picture mode, or even run the application at all.
steam://guestpasses/
Opens up the Guest Passes window.
steam://hardwarepromo/
Tests whether the user has hardware that matches a promotional offer.
Example: steam://hardwarepromo/305 (ATi)
Example: steam://hardwarepromo/609 (nVidia)
steam://install/<id>
Installs an application.
Example: steam://install/8230 installs Sam & Max: Episode 4.
steam://installaddon/<addon>
Installs the specified add-on.
Example: steam://installaddon/halflifehd installs HL High-Def Pack.
Example: steam://installaddon/hl2russian installs HL2 Russian Pack.
steam://musicplayer/<command>
Commands related to the Steam music player.
play
pause
toggleplaypause
playprevious
playnext
togglemute
increasevolume
decreasevolume
toggleplayingrepeatstatus
toggleplayingshuffled
steam://nav/<component>
Opens a Steam window, but doesn't make the Steam window active. Known <component> values:
downloads
games
games/details
games/details/<id>
games/grid
games/list
media
music
tools
steam://open/<component>
Opens a Steam window. Known <component> values:
activateproduct
bigpicture
console
The steam developer console
downloads
friends
games
games/details
games/grid
games/list
largegameslist
minigameslist
main
Your "favorite window".
music
musicplayer
mymedia
news
registerproduct
CD key registration (e.g. Prey)
tools
screenshots
servers
settings
steam://openurl/<url>
Opens URL in the system's default web browser.
steam://openurl_external/<url>
steam://paypal/cancel
Cancels an ongoing PayPal transaction.
steam://preload/<id>
Preloads an application.
steam://publisher/<name>
Loads the specified publisher catalogue in the Store. Type the publisher's name in lowercase, e.g. activision or valve.
steam://purchase/<id>
Opens a dialog box to buy an application from Steam.
steam://purchase/subscription/<id>
Opens up a dialog box to buy a subscription to a Steam product/service. None are available yet.
steam://removeaddon/<addon>
Uninstalls the specified add-on.
Example: steam://removeaddon/halflifehd uninstalls HL High-Def Pack
steam://run/<id>
Runs an application. It will be installed if necessary.
steam://runsafe/<id>
Resets CVARs of a Source game.
steam://rungameid/<id>
Same as run, but with support for mods and non-Steam shortcuts.
steam://settings/
Same as steam://open/settings, but also allows for subcommands for each page:
account
friends
interface
ingame
downloads
voice
steam://store/<id>
Opens up the store for an app; if no app is specified, the default one is opened.
steam://subscriptioninstall/<id1>/<id2>/...
Opens a dialog box with a checklist of the games specified allowing you to install them all at once.
steam://support/<params>
Launches the Steam Support utility, and runs all of its tests. Enter a valid support string to filter results.
steam://takesurvey/<id>
Takes a survey.
Example: steam://takesurvey/1
steam://uninstall/<id>
Deletes the specified app's cache files.
steam://UpdateFirmware
Opens the Steam Controller firmware update screen.
steam://updatenews/<id>
Opens the news about the latest updates for an app.
steam://url/<named page>
Opens a special, named web page:
ChatBanListAdmin/...
CommentNotifications
CommunityFilePage/<id>
Opens a Workshop/Greenlight submission.
CommunityFriendsThatPlay/<id>
CommunityGroupSearch/<search term>
CommunityHome/
CommunitySearch/
DownloadsSupportInfo
GameHub/<app ID>
GroupEventsPage/<id>
GroupSteamIDPage/<id>
GroupSteamIDAdmin/<id>
LeaveGroupPage
LegalInformation
PrivacyPolicy
SSA
SteamIDAchievementsPage/<id>
SteamIDControlPage
SteamIDEditPage
SteamIDFriendsPage
SteamIDLoginPage/<pass>
Opens the internal automatic sign in page. It won't work unless the correct one-time password is specified.
SteamIDMyProfile
SteamIDPage/<id>
SteamWorkshop
SteamWorkshopPage/<id>
SteamGreenlight
Store
StoreAccount
StoreAppPage/<app ID>
Storefront
StoreFrontPage
Opens store homepage in Steam store tab.
SupportFrontPage
Opens support.steampowered.com in your default browser.
steam://validate/<id>
Validates the local files of an app.
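Added example, not code from this repo or from Valve: an allow-list check for steam:// links that show up in user-supplied fields (the kind of thing the gift form's GifteeName and GiftMessage carry), built from the command list above. The split into "allow", "block" and "review" classes and the sample gift message are assumptions made for the example.

```python
import re

# Store/news commands whose only argument is an app id; the ones a gift message or
# profile text would legitimately contain, so they may be rendered as links.
NUMERIC_ARG = {"advertise", "appnews", "store", "updatenews"}
# Documented commands whose argument drives a connection, a browser, a launch or a
# purchase: never turn these into clickable links from user content.
HIGH_IMPACT = {"connect", "openurl", "openurl_external", "run", "rungameid",
               "install", "installaddon", "purchase", "subscriptioninstall", "open"}

# Constructed sample of a gift message containing two steam:// links.
SAMPLE_GIFT_MESSAGE = "Enjoy the game! steam://advertise/252950 and not steam://run/440 please"


def parse_steam_uri(uri: str) -> tuple[str, str]:
    """Split 'steam://<command>/<rest>' into (command, rest). rest keeps its slashes
    because commands such as openurl carry a whole URL as the argument."""
    if not uri.lower().startswith("steam://"):
        raise ValueError("not a steam:// URI")
    command, _, rest = uri[len("steam://"):].partition("/")
    if not command:
        raise ValueError("empty command")
    return command, rest


def classify_steam_link(uri: str) -> str:
    """Return 'allow', 'block' or 'review' for a steam:// link found in user content.
    Only store/news commands with a purely numeric app id, or a lowercase
    alphanumeric publisher name, are allowed; anything malformed is blocked."""
    try:
        command, rest = parse_steam_uri(uri)
    except ValueError:
        return "block"
    cmd = command.lower()
    if cmd in HIGH_IMPACT:
        return "block"
    if cmd in NUMERIC_ARG:
        return "allow" if rest.isdigit() else "block"
    if cmd == "publisher":
        return "allow" if rest.isalnum() and rest == rest.lower() else "block"
    return "review"  # documented but unneeded in user content, or undocumented


def find_steam_links(text: str) -> list[tuple[str, str]]:
    """Locate steam:// links in free text and classify each one."""
    return [(m.group(0), classify_steam_link(m.group(0)))
            for m in re.finditer(r"steam://[^\s\"'<>]+", text)]
```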
NicklausPark commented 6 years ago

https://www.computerworld.com/article/2492409/desktop-apps/the-steam-url-protocol-can-be-abused-to-exploit-vulnerabilities-in-games--researchers-s.html

NicklausPark commented 6 years ago

http://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf

CarrotShaver commented 6 years ago

Gift

1st Item Test Send Result:

POST /checkout/sendgiftsubmit/ HTTP/1.1
Host: store.steampowered.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://store.steampowered.com/checkout/sendgift/538536983417472551
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 381
Cookie: steamCountry=US%7Ca3cce1138d6d8dcdef42fbbf27211952; browserid=1383051128130025803; sessionid=87ba1ce1701610956a25a8e1; timezoneOffset=-36000,0; app_impressions=374040@1_4_4__1314|360430@1_4_4__1314|414340@1_4_4__1314|543900@1_4_4__1314|677120@1_4_4__1314|323190@1_4_4__1314|460930@1_4_4__1314|587620@1_4_4__1314|759190@1_4_4__1314|360430@1_4_4__1314|374040@1_4_4__1314|274520@1_4_4__1314|381210@1_4_4__1314|414340@1_4_4__1314|379020@1_4_4__1314|263740@1_4_4__1315|341800@1_4_4__1315|22230@1_4_4__1315|529950@1_4_4__1315|203650@1_4_4__1315|580820@1_4_4__1315|209080@1_4_4__1315|270450@1_4_4__1315|580170@1_4_4__1314|527230@1_4_4__1314|686260@1_4_4__1314|592580@1_4_4__1314|275850@1_4_4__1314|635260@1_4_4__1314|331690@1_4_4__1314|252690@1_4_4__1314|299740@1_4_4__1314; steamLogin=76561198052289971%7C%7CC7B127ED6241957DE6771861E4979893DD6384F0; steamLoginSecure=76561198052289971%7C%7C8D791AAA03898568201218F1681D2C2416917DE4; steamMachineAuth76561198052289971=30ADA43C5085976790363676A983DC3EEEF351B3
DNT: 1
Connection: close

GifteeAccountID=880943935&GifteeEmail=&GifteeName=steam%3A%2F%2Fadvertise%2F252950&GiftMessage=%5C%5C%5C%5C%7B%7B7*7%7D%7D%5C%7B%5C%7B7*7%5C%7D%5C%7D%0A%0A&GiftSentiment=Best%20Wishes&GiftSignature=80CHARACTERTESTSTRINGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEND&ScheduledSendOnDate=0&GiftGID=538536983417472551&SessionID=87ba1ce1701610956a25a8e1&IsReschedule=false