15

I am trying to simulate the Google+ button. In some part of the code at LINK, it converts the session id into some kind of hash. What I found is that the session id name is SAPISID and the converted hash name is SAPISIDHASH. Can anyone tell me which part of the code does the hash part? Any help will be appreciated. I have spent 6 hours straight, still no clue :(

For example, VUOyLIU22fNPz2ko/AbGsxW03_WHoGjaJq is the SAPISID and f17aa630b9b9a105dad437b0fedcafe429f6fca2 is the SAPISIDHASH. In PHP I tried all kinds of hashes; nothing matches.

user2449384
  • 173
  • 1
  • 5
  • The hash is 40 chars of hex digits, so it's probably a [SHA-1 hash](http://en.wikipedia.org/wiki/SHA-1) of some data. Exactly *what* data is anybody's guess... – maerics Jun 03 '13 at 23:21
  • Not only is it anybody's guess... but it meant they went out of their way to make sure nobody would be able to guess it. – djechlin Jun 03 '13 at 23:23
  • ripemd160 is also 40 characters. I have tried all the hashes. The code does some symbol replacement, I guess, so I need to find what it does – user2449384 Jun 03 '13 at 23:24
  • ... hunting this duck as well – Dave Thomas Aug 17 '15 at 17:26

2 Answers

51

VICTORY! Well, for me at least. The SAPISIDHASH I was looking for was the one in the API console. Automation for a rather large job, totally legitimate. The one I found was a SHA1 on the current JavaScript milliseconds timestamp plus your current SAPISID from your cookie plus the domain origin. In order for my request to work I had to include the following headers in the request:

Authorization:SAPISIDHASH 1439879298823_<hidden sha1 hash value>

and:

X-Origin:https://console.developers.google.com

The first header, I assume, tells the server your timestamp and your SHA1 value. The second (breaks if you don't include it) tells it the origin to use in the SHA1 algorithm. I found the algorithm by digging through and debugging the hell out of tons of minified JS. NOTE: there are spaces appended between the values. The pseudocode is basically:

sha1(new Date().getTime() + ' ' + SAPISID + ' ' + origin);

That is at least how I got my SAPISIDHASH value in my use case here in 2015 (a few years later, I know)... different from yours, but maybe I will help some other young good hacker out there one day.

Zombo
  • 1
  • 62
  • 391
  • 407
Dave Thomas
  • 3,667
  • 2
  • 33
  • 41
8

All credits to Dave Thomas.

I just want to clarify that for the X-Origin, or Origin, you do not include the "X-Origin:" or "Origin:".

Here is one example:

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Formatter;

public class SAPISIDHASH {

    public static void main(String [] args) {

        String sapisid = "b4qUZKO4943exo9W/AmP2OAZLWGDwTsuh1";
        String origin = "https://hangouts.google.com";
        // Hash input: timestamp, SAPISID and origin joined by single spaces
        String sapisidhash = "1447033700279" + " " + sapisid + " " + origin;
        System.out.println("SAPISIDHASH:\n"+ hashString(sapisidhash));
        System.out.println("Expecting:");
        System.out.println("38cb670a2eaa2aca37edf07293150865121275cd");

    }

    // Returns the SHA-1 digest of the UTF-8 bytes of the input as lowercase hex
    private static String hashString(String password)
    {
        String sha1 = "";
        try
        {
            MessageDigest crypt = MessageDigest.getInstance("SHA-1");
            crypt.reset();
            crypt.update(password.getBytes("UTF-8"));
            sha1 = byteToHex(crypt.digest());
        }
        catch(NoSuchAlgorithmException e)
        {
            e.printStackTrace();
        }
        catch(UnsupportedEncodingException e)
        {
            e.printStackTrace();
        }
        return sha1;
    }

    // Formats each byte as two lowercase hex digits
    private static String byteToHex(final byte[] hash)
    {
        Formatter formatter = new Formatter();
        for (byte b : hash)
        {
            formatter.format("%02x", b);
        }
        String result = formatter.toString();
        formatter.close();
        return result;
    }
}

Source for SHA-1 in Java: Java String to SHA1

aks
  • 554
  • 6
  • 8
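The scheme described in the first answer, written out for Node.js as an added example (not code from either answer or from Google): it builds the `Authorization` value from a timestamp, a SAPISID and an origin, and checks whether a captured header value matches a given SAPISID and origin. The SAPISID below is a constructed placeholder; the function names are illustrative, and the timestamp and origin are the ones quoted in the first answer.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// SHA-1 hex digest of "<timestamp> <SAPISID> <origin>", single spaces between fields.
function sapisidDigest(timestamp, sapisid, origin) {
  return createHash('sha1')
    .update(`${timestamp} ${sapisid} ${origin}`, 'utf8')
    .digest('hex');
}

// Authorization header value: "SAPISIDHASH <timestamp>_<digest>".
// The origin is the bare value sent in X-Origin, without the header name.
function buildAuthorization(sapisid, origin, timestamp = Date.now()) {
  return `SAPISIDHASH ${timestamp}_${sapisidDigest(timestamp, sapisid, origin)}`;
}

// Split a header value into { timestamp, digest }; null if it is malformed.
function parseAuthorization(value) {
  const m = /^SAPISIDHASH (\d+)_([0-9a-f]{40})$/.exec(value);
  return m ? { timestamp: m[1], digest: m[2] } : null;
}

// Recompute the digest from the header's own timestamp and compare.
// A mismatch means a different SAPISID, a different origin, or wrong spacing.
function matches(value, sapisid, origin) {
  const parsed = parseAuthorization(value);
  if (!parsed) return false;
  const expected = Buffer.from(sapisidDigest(parsed.timestamp, sapisid, origin), 'hex');
  return timingSafeEqual(expected, Buffer.from(parsed.digest, 'hex'));
}

// Constructed sample values, not real credentials.
const SAMPLE_SAPISID = 'EXAMPLEsapisid0000/constructedVALUE';
const SAMPLE_ORIGIN = 'https://console.developers.google.com';
const SAMPLE_TS = 1439879298823;

const sampleHeader = buildAuthorization(SAMPLE_SAPISID, SAMPLE_ORIGIN, SAMPLE_TS);
console.log('Authorization:', sampleHeader);
console.log('X-Origin:', SAMPLE_ORIGIN);
console.log('same origin matches:', matches(sampleHeader, SAMPLE_SAPISID, SAMPLE_ORIGIN));
console.log('other origin matches:',
  matches(sampleHeader, SAMPLE_SAPISID, 'https://hangouts.google.com'));
```

Because the origin is part of the hashed string, a header computed for one origin does not verify against another, which is consistent with the request breaking when `X-Origin` is left out.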