Arrowfall - a text RPG with an advanced text chat and multiplayer!

Hey there, I’m bigminiboss, I helped overdrivereplit dev a game named Arrowfall (I did the multiplayer stuff), you can check it out here

AMA if you want?

1 Like

Q: What’s to keep my from just abusing the API? Say for example I make a repl with something like this:

import requests
              "username": env["REPL_OWNER"],
              "gold": gold,
              "silver": silver,
              "copper": copper,
              "battle stats": battle_stats,
              "exp_max": exp_max,
              "token": token,

Or even worse, replacing env["REPL_OWNER"] with someone elses username and changing their stats?

um repl identity, I think, I don’t know if that works though so I’ve asked everyone and anyone to try and hack it :stuck_out_tongue:

edit: this is a formal invitation to try, lol, expose the repl identity vulnerabilities XD

1 Like

Well nothing is stopping me, I can change other players data and my own

oh ok, can you try and hack it please, that would be greatly appreciated since then I can tell replit and they’ll hopefully be able to improve it

1 Like

also I just want to make sure it’s clear I don’t want to ruin anything. I’m actually building my own API (I’ll finish it whenever mongodb works) and I’ve been working on making it so that users can’t just abuse it.

1 Like

hmm, I’m checking the logs and I got 500 errors, not 432 errors which it is supposed to return :sob: I think anyone can hack :frowning: can you tell me how you did it so we can notify replit?

yeah it’s completely fine, I’ve been asking people to hack, I would in fact like to know if you have any other anti-abuse techniques

Literally just ran this:

import requests

url = ""

	"username": "InvisibleOne",
	"gold" : 1000,
	"silver" : 1000,
	"copper": 1000,
	"battle stats": [],
	"exp_max": 100000,
	"token": "value",

x ="{url}/person", json=json)


did it work? DANG IT I can’t believe it just works

Well what’s to stop it? If the API is accepted requests from anywhere it has to serve me

what was the response code? It’s supposed to return 432 when you have an invalid token. I’ve checked the logs and there were no requests return 432 errors, but I also checked the DB and there are no entries with your name, so I have no idea what’s going on

Also someone could probably takedown your api with something like this. Which is really just ddosing it. The only way I know to fix this is rate limiting and blocking IP’s that are making too many requests to your api.

import requests, threading

def attack():
	while True:

threads = []

for i in range(10): # ten threads

for thread in threads:

Oh the response code, 500, but I wasn’t trying to actually change anything, I just wanted to throw some errors

ooh, yeah your probably right… ughh, but the API requires lots of requests to function… argh…

also I can get a valid identity token by using the same process you use to create one and submitting that

really? UGHHHHHHH ARE YOU JOKING I thought the origin repl id prevented that…

EDIT: origin repl id meaning I check what the request’s repl id is, I thought that prevented it…

Well whenever someone who isn’t the owner (or invited) to the repl runs it, like me, replit basically makes a new version of the repl (as a security measure) so the repl id is completely different.

For example if you run os.environ["REPL_ID"] you will see the id for that repl, but I was see a completely different id.

dang it, I found out how you do it

  1. ctrl +c
  2. ctrl + d
  3. copy paste functions
  4. make new token

EDIT: judging by the like, it appears this is true and you have done this and hacked it

1 Like