kulinacs / htb

Python API Wrapper for hackthebox.eu
ISC License

HTB API Change? #3

Closed hobnobpirate closed 5 years ago

hobnobpirate commented 5 years ago

I think the HTB API might have changed. All of my calls are failing:

>>> from htb import HTB
>>> htb = HTB("REDACTED")
>>> htb.get_machines()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/hnp/Projects/htb-research/htb/htb/__init__.py", line 173, in get_machines
    return requests.get(self.BASE_URL + self._auth('/machines/get/all/')).json()
  File "/Users/hnp/Projects/htb-research/.venv/lib/python3.7/site-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/__init__.py", line 348, in loads
    return _default_decoder.decode(s)
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

It appears to be an API change due to the 404 error:

>>> import requests
>>> api_token = "REDACTED"
>>> r = requests.get("https://www.hackthebox.eu/api/machines/get/all/?api_token=" + api_token)
>>> r
<Response [404]>

kulinacs commented 5 years ago

Looks like it, unit tests are failing as well. Will need to check out the changes and modify accordingly.

kulinacs commented 5 years ago

New cookies added (?):

XSRF-TOKEN
hackthebox_session

Wouldn't surprise me if the 404 is the XSRF protection kicking in

Edit:

Curl seems to work fine: curl -X POST https://hackthebox.eu/api/stats/global -L

kulinacs commented 5 years ago

Looks like the User Agent is being blocked from python-requests.

kulinacs commented 5 years ago

I'll go ahead and make the User-Agent change, but it's quite possible the administrators are blocking usage to the API due to a large volume of requests. In the future, it's possible users of the API will have to set the User-Agent themselves to avoid bans.

kulinacs commented 5 years ago

Fixed.
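
An added example, not code from this repository or from anyone in the thread: the traceback above hides the real cause (an HTTP 404 with a non-JSON body) behind a JSONDecodeError, so this sketch checks the status and content type before decoding, keeps the api_token out of the error text, and sends an explicit, identifying User-Agent. It uses only the standard library so it runs offline; the local stub server, its blocking rule, and the names `get_json`, `ApiError` and `htb-wrapper-example/0.1` are assumptions made for the illustration.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class ApiError(Exception):
    """Raised with the HTTP status instead of a bare JSONDecodeError."""

class StubApi(BaseHTTPRequestHandler):
    # Constructed stand-in for the remote API: 404 + HTML for library-default
    # User-Agents, JSON otherwise (an assumption modelled on the thread).
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        blocked = ua.startswith(("python-requests", "Python-urllib"))
        body = b"<html>Not Found</html>" if blocked else b'[{"id": 1, "name": "sample"}]'
        self.send_response(404 if blocked else 200)
        self.send_header("Content-Type", "text/html" if blocked else "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def get_json(url, user_agent=None):
    """GET url and decode JSON, reporting status or content type on failure."""
    headers = {"User-Agent": user_agent} if user_agent else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            ctype, raw = resp.headers.get_content_type(), resp.read()
    except urllib.error.HTTPError as err:
        # Drop the query string so the api_token never lands in logs.
        raise ApiError(f"HTTP {err.code} from {url.split('?')[0]}") from None
    if ctype != "application/json":
        raise ApiError(f"expected JSON, got {ctype}")
    return json.loads(raw)

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/api/machines/get/all/?api_token=PLACEHOLDER"
    try:
        default = get_json(url)  # library-default User-Agent
    except ApiError as err:
        default = str(err)
    named = get_json(url, user_agent="htb-wrapper-example/0.1")
    server.shutdown()
    return default, named

if __name__ == "__main__":
    print(demo())
```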