Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Using Chrome Developer Tools to hack your way into concerts

Amy Nguyen
March 21, 2018
Technology
0
490

Using Chrome Developer Tools to hack your way into concerts

Chrome Developer Tools is magical. It lets you record network traffic, step through code, modify the DOM, and more! To learn when we would use each of these features, I'll walk you through my adventures trying to trick Taylor Swift’s website into giving me concert tickets. Instead of reading through all of the JS files in her site and scrolling through hundreds of useless network activity logs, I learned how to use XHR breakpoints, filter network activity by type and domain, and recreate requests with CURL. I'll show you all of these tools and a few other tricks, and by the end of this talk, you will know how to reverse engineer any website and manipulate it to do your bidding.

Amy Nguyen

March 21, 2018
Tweet

More Decks by Amy Nguyen

See All by Amy Nguyen
Big Red Button (Chatbots SG Nov 2019)
amyngyn
0
110
Big Red Button (WWCode CONNECT Asia 2019)
amyngyn
0
190
Algorithms in the real world (NUS Friday Hacks)
amyngyn
0
160
Mischief managed: Project management for engineers (Building Upwards 2018)
amyngyn
2
1k
How to break up with your vendor
amyngyn
0
460
Using Chrome Developer Tools to hack your way into concerts (builderscon tokyo)
amyngyn
1
1.2k
Using Chrome Developer Tools to get what you want (Nike Tech Talks)
amyngyn
0
210
Big Red Button: How Stripe Automates Incident Management (SF Women in Infrastructure)
amyngyn
1
1.4k
Building Developer Tools Your Coworkers Won't Hate (J on the Beach 2018)
amyngyn
0
190

Other Decks in Technology

See All in Technology
NAB Show 2023 動画技術関連レポート / NAB Show 2023 Report
cyberagentdevelopers
PRO
1
130
ユーザーストーリーマッピング
kawaguti
PRO
4
860
net/http/httptest.Server のアプローチをテスト戦略に活用する / Go Conference 2023
k1low
7
930
Microsoft Startup Tech Meetup #0 : Kikuchi
hikiroku
1
100
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.5k
競プロ作問を支える技術
tsutaj
0
240
Head toward Java 20 and Java 21
line_developers
PRO
0
240
AI in Action
charmichokshi
0
170
Semantic Kernel を使って ChatGPT Plugins をアプリに組み込んでみよう
okazuki
0
110
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
290
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
CDK + ecspressoでお手軽コンテナ3分クッキング
yoyoyopg
0
120

Featured

See All Featured
Done Done
chrislema
178
15k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Three Pipe Problems
jasonvnalue
89
9.1k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
Producing Creativity
orderedlist
PRO
335
38k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
Designing with Data
zakiwarfel
92
4.3k
A better future with KSS
kneath
230
16k
Building Flexible Design Systems
yeseniaperezcruz
315
35k
Building a Scalable Design System with Sketch
lauravandoore
451
31k

Transcript

  1. Amy Nguyen @amyngyn JSConf AU 2018
    Using Chrome Developer Tools
    to hack your way into concerts

    View Slide

  2. Amy Nguyen @amyngyn JSConf AU 2018
    Using Chrome Developer Tools
    to hack your way into concerts
    please don't actually use this information

    View Slide

  3. Amy Nguyen @amyngyn JSConf AU 2018
    The Setup
    ● Swifties is selling tickets to Taylor Swift's concert!
    ● The users who watch her music video the most will be
    first in line to buy tickets.
    ● How can we convince Swifties that we have watched
    the music video more times than we have?
    ● (Based on a true story!)

    View Slide

  4. Amy Nguyen @amyngyn JSConf AU 2018
    Please raise your hand if you or
    someone near you can't read the
    screen! We can increase the font size!

    View Slide

  5. Amy Nguyen @amyngyn JSConf AU 2018

    View Slide

  6. Amy Nguyen @amyngyn JSConf AU 2018
    Can we watch the video faster?
    ● Check out the YouTube IFrame Player API!
    ● Open the Console tab and enter this code:
    var data = {
    event: 'command',
    func: 'setPlaybackRate',
    args: [2, true]
    };
    var message = JSON.stringify(data);
    $("#player")[0].contentWindow.postMessage(message, '*');

    View Slide

  7. Amy Nguyen @amyngyn JSConf AU 2018
    Can we figure out how the site is communicating
    with the server?
    ● Open the Network tab!
    ● Filter by domain and by XHR
    domain:127.0.0.1
    ● Check out the Initiator column for a stacktrace
    ● Look at both the response and the request data

    View Slide

  8. Amy Nguyen @amyngyn JSConf AU 2018

    View Slide

  9. Amy Nguyen @amyngyn JSConf AU 2018

    View Slide

  10. Amy Nguyen @amyngyn JSConf AU 2018

    View Slide

  11. Amy Nguyen @amyngyn JSConf AU 2018
    Can we repeat requests to the server?
    ● Select "Replay XHR" from the menu to repeat the exact
    same request!

    View Slide

  12. Amy Nguyen @amyngyn JSConf AU 2018
    Can we make our own requests to the server?
    ● Copy the request as a cURL command and try
    changing it!

    View Slide

  13. Amy Nguyen @amyngyn JSConf AU 2018
    Can we send a valid request to the server?
    ● There's something we're missing.
    ● Where is that ID coming from?
    ● To the Sources tab for debugging!

    View Slide

  14. Amy Nguyen @amyngyn JSConf AU 2018
    Can we put this all together?
    ● Why can't we get a successful response?
    ● Let's step back and look at the whole timeline of what
    happens in the lifecycle of our video viewing.

    View Slide

  15. Amy Nguyen @amyngyn JSConf AU 2018
    Can we automate our solution?
    1. Get a unique ID from the Swifties server.
    2. Send a request to the start endpoint.
    3. Send a request to the count endpoint.
    4. Repeat!

    View Slide

  16. Amy Nguyen @amyngyn JSConf AU 2018
    Can we prevent us from happening?
    ● CAPTCHAs
    ● Randomize the DOM
    ● Input validation and detection
    ● Shadow banning

    View Slide

  17. Amy Nguyen @amyngyn JSConf AU 2018
    What happened in the end?
    ● I didn't get shadow banned!
    ● I got a high priority position in the sale.
    ● I forgot that I'd have to pay money at some point.
    ● I got offered an internship at TicketMaster??????
    ● I got to give this talk!

    View Slide

  18. Amy Nguyen @amyngyn JSConf AU 2018
    It's all about asking questions and being curious.
    ● Can we watch the video faster?
    ● Can we figure out how the site is communicating with the server?
    ● Can we repeat requests to the server?
    ● Can we make our own requests to the server?
    ● Can we send a valid request to the server?
    ● Can we put this all together?
    ● Can we automate our solution?
    ● Can we prevent us from happening?

    View Slide

  19. Amy Nguyen @amyngyn JSConf AU 2018
    It's all about asking questions and being curious.
    ● Can we watch the video faster? Execute code in the console
    ● Can we figure out how the site is communicating with the server?
    Filtering out information and debugging intentionally
    ● Can we repeat requests to the server? Replay XHR
    ● Can we make our own requests to the server? Copy as cURL
    ● Can we send a valid request to the server? Request parameters
    ● Can we put this all together? Perseverance!
    ● Can we automate our solution? Scripting
    ● Can we prevent us from happening? Keep asking questions!

    View Slide

  20. Amy Nguyen @amyngyn JSConf AU 2018
    Thanks!
    ● Homepage: amynguyen.net
    ● Twitter: @amyngyn
    ● Slides: speakerdeck.com/amyngyn
    ● Code: github.com/amyngyn/swifties
    ● Blog post: here (or at medium.com/@amyngyn)
    ● Stripe is hiring: stripe.com/jobs

    View Slide