Arrowfall - a text RPG with an advanced text chat and multiplayer!

Hey there, I’m bigminiboss, I helped overdrivereplit dev a game named Arrowfall (I did the multiplayer stuff), you can check it out here

AMA if you want?

Q: What’s to keep me from just abusing the API? Say for example I make a repl with something like this:

```python
import requests
requests.post(
    "https://ArrowFall-Server.bigminiboss.repl.co/person",
    json={
        "username": env["REPL_OWNER"],
        "gold": gold,
        "silver": silver,
        "copper": copper,
        "battle stats": battle_stats,
        "exp_max": exp_max,
        "token": token,
    },
)
```

Or even worse, replacing env["REPL_OWNER"] with someone else’s username and changing their stats?

um repl identity, I think, I don’t know if that works though so I’ve asked everyone and anyone to try and hack it :stuck_out_tongue:

edit: this is a formal invitation to try, lol, expose the repl identity vulnerabilities XD

Well nothing is stopping me, I can change other players’ data and my own

oh ok, can you try and hack it please, that would be greatly appreciated since then I can tell replit and they’ll hopefully be able to improve it

also I just want to make sure it’s clear I don’t want to ruin anything. I’m actually building my own API (I’ll finish it whenever mongodb works) and I’ve been working on making it so that users can’t just abuse it.

hmm, I’m checking the logs and I got 500 errors, not 432 errors which it is supposed to return :sob: I think anyone can hack :frowning: can you tell me how you did it so we can notify replit?

yeah it’s completely fine, I’ve been asking people to hack, I would in fact like to know if you have any other anti-abuse techniques

Literally just ran this:

```python
import requests


url = "https://ArrowFall-Server.bigminiboss.repl.co"

json={
	"username": "InvisibleOne",
	"gold" : 1000,
	"silver" : 1000,
	"copper": 1000,
	"battle stats": [],
	"exp_max": 100000,
	"token": "value",
},

x = requests.post(f"{url}/person", json=json)


print(x)
```

did it work? DANG IT I can’t believe it just works

Well what’s to stop it? If the API is accepting requests from anywhere it has to serve me

what was the response code? It’s supposed to return 432 when you have an invalid token. I’ve checked the logs and there were no requests returning 432 errors, but I also checked the DB and there are no entries with your name, so I have no idea what’s going on

Also someone could probably take down your API with something like this. Which is really just DDoSing it. The only way I know to fix this is rate limiting and blocking IPs that are making too many requests to your API.

```python
import requests, threading

def attack():
	while True:
		print("running")
		requests.post("https://ArrowFall-Server.bigminiboss.repl.co/person")


threads = []

for i in range(10): # ten threads
	threads.append(threading.Thread(target=attack))

for thread in threads:
	thread.start()
```

Oh the response code, 500, but I wasn’t trying to actually change anything, I just wanted to throw some errors

ooh, yeah you’re probably right… ughh, but the API requires lots of requests to function… argh…

also I can get a valid identity token by using the same process you use to create one and submitting that

really? UGHHHHHHH ARE YOU JOKING I thought the origin repl id prevented that…

EDIT: origin repl id meaning I check what the request’s repl id is, I thought that prevented it…

Well whenever someone who isn’t the owner (or invited) to the repl runs it, like me, replit basically makes a new version of the repl (as a security measure) so the repl id is completely different.

For example if you run os.environ["REPL_ID"] you will see the id for that repl, but I will see a completely different id.

dang it, I found out how you do it

  1. ctrl +c
  2. ctrl + d
  3. copy paste functions
  4. make new token

EDIT: judging by the like, it appears this is true and you have done this and hacked it

1 Like
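
The thread ends on the core problem: a token the client can build with copied functions proves nothing, so the server has to issue it using a secret the client never holds, and has to check the whole body before touching the database. A sketch of that server-side check, added here as an example and not Arrowfall's actual server code; `issue_token`, `handle_person_update`, the username format and the token layout are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumption: generated and held on the server only, never present in client code.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # token lifetime in seconds (constructed value)
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed username format
TOKEN_RE = re.compile(r"([0-9]{1,12})\.([0-9a-f]{64})")  # "<expiry>.<hex MAC>"
INT_FIELDS = ("gold", "silver", "copper", "exp_max")  # field names from the thread


def _sign(username, expires):
    msg = f"{username}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(username, now=None):
    """Call only after the server itself has authenticated `username`."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_sign(username, expires)}"


def token_is_valid(username, token, now=None):
    match = TOKEN_RE.fullmatch(token) if isinstance(token, str) else None
    if match is None:
        return False
    expires, mac = int(match.group(1)), match.group(2)
    if expires < (time.time() if now is None else now):
        return False
    # Constant-time comparison against the MAC recomputed with the server secret.
    return hmac.compare_digest(mac, _sign(username, expires))


def handle_person_update(body, now=None):
    """Return the HTTP status a /person handler would send for this JSON body."""
    if not isinstance(body, dict):
        return 400  # e.g. a JSON array: reject cleanly instead of a 500
    name = body.get("username")
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        return 400
    for field in INT_FIELDS:
        value = body.get(field)
        if type(value) is not int or not 0 <= value <= 10**9:
            return 400
    if not token_is_valid(name, body.get("token"), now):
        return 432  # the thread's status code for an invalid token
    return 200  # identity comes from the verified token; safe to store
```

Because the MAC covers the username, a token issued to one player fails verification when submitted with another player's name, and copying the client code does not help without `SERVER_SECRET`.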