[QUESTION] Using X-PIN as the PIN cookie and vice versa
Posted: Thu May 25, 2023 9:54 pmBackground:
Let's say I have a script that does some work over the API. All is well and dandy, but let's say I also want to do something onsite. The following questions plague me:
- Can I legally take the X-PIN value returned by the API on login, and set my "pin" cookie in my browser equal to that?
- Can I legally do the inverse - take the pin cookie set in my browser (not a header - this is a cookie that is set rather than a header like X-Pin) and use it as the value for X-Pin in an API request?
- The previous two questions dealt with me clicking buttons in a browser by hand. Let's say I don't want to do that - instead of a browser, can I use cURL or python requests to simulate the above - i.e., make an API request, get the X-PIN, and then send an HTTP request with the cookie set to that value (or vice versa)? (Of course, this assumes the User-Agent appropriately self-IDs and all other relevant script rules are followed)
These are all legality questions, not technical - assume that everything I describe works as described (I will admit I ran some limited testing, and it seems to work as described) - my question is solely whether or not it is legal to build a script around.
My reasoning why I think it would be legal:
- While consulting with one of the mods (in a non-official capacity), we decided to check if this works on a technical level - it does. I can get an X-Pin from the API, put it as my cookie, and it authenticates just fine. Same works in reverse - the pin cookie from the browser authenticates API requests like any other pin. Now, if everything was done with a header, that would be easy, but it's not - the X-Pin header is very clearly for API use, while the pin cookie is very clearly for browser use. If giving the value of one to the other was illegal, then why would the two codepaths point to the same place?
- The pin cookie and the x-pin header are both similarly named (Identically so, once I remembered while proofreading this that X- is the standard prefix for any site-mandated oddball HTTP headers) and provide the same purpose - I imagine the primary reason for distinguishing them is for ease of use (it is much harder to have an unmodified browser send a header than it is to have it store and send a cookie; similarly, it is much harder to write a script that keeps track of cookies as opposed to having it send a header) rather than to make two separate authentication systems for API vs browser. This ties into my mention that both of them check the same value at the end of the day.
- The pin cookie and the x-pin header both provide the same purpose - authentication. It's sole purpose in life is to prove that I can log into the nation I want access to. If this is all it does, then what does it matter what form it comes in? While I have not tried setting cookies for the API or using Burp Suite to send an X-Pin header (in my defense, it's 1am as I write this, so my testing isn't that thorough), I would not be surprised if it authenticated successfully if I tried.
My reasons for hesitancy:
- Interacting the site-side html in any way via script, especially less standard ones like this, makes me wary in the best of times.
- While I believe that making a request via python requests/cURL would be fine because I can set the User-Agent, my browser is manual and as such ships a standard User-Agent - my concern is that if the API request is registered as a bot, and then the pin from that API request is also used siteside with a browser User-Agent, it might in some cases (I imagine this would depend heavily on the mods bot-detection tools/investigative process, which as a lowly gameplayer I am not privy to) lead someone to believe it's still a bot, operating in what the FAQ calls "stealth mode" - even if it really is me, clicking with my mouse and keyboard - at the helm of all siteside requests done in this manner.
While I honestly can't see any compelling reason it would be outright illegal in-and-of itself, I figured better be safe than sorry and wanted to clarify if this behavior is acceptable at all, and if so, if doing it might cause me headaches down the line.
TL;DR:
Is it legal to use the X-PIN to set the pin cookie in a browser/requestside script, or vice versa?
Let's say I have a script that does some work over the API. All is well and dandy, but let's say I also want to do something onsite. The following questions plague me:
- Can I legally take the X-PIN value returned by the API on login, and set my "pin" cookie in my browser equal to that?
- Can I legally do the inverse - take the pin cookie set in my browser (not a header - this is a cookie that is set rather than a header like X-Pin) and use it as the value for X-Pin in an API request?
- The previous two questions dealt with me clicking buttons in a browser by hand. Let's say I don't want to do that - instead of a browser, can I use cURL or python requests to simulate the above - i.e., make an API request, get the X-PIN, and then send an HTTP request with the cookie set to that value (or vice versa)? (Of course, this assumes the User-Agent appropriately self-IDs and all other relevant script rules are followed)
These are all legality questions, not technical - assume that everything I describe works as described (I will admit I ran some limited testing, and it seems to work as described) - my question is solely whether or not it is legal to build a script around.
My reasoning why I think it would be legal:
- While consulting with one of the mods (in a non-official capacity), we decided to check if this works on a technical level - it does. I can get an X-Pin from the API, put it as my cookie, and it authenticates just fine. Same works in reverse - the pin cookie from the browser authenticates API requests like any other pin. Now, if everything was done with a header, that would be easy, but it's not - the X-Pin header is very clearly for API use, while the pin cookie is very clearly for browser use. If giving the value of one to the other was illegal, then why would the two codepaths point to the same place?
- The pin cookie and the x-pin header are both similarly named (Identically so, once I remembered while proofreading this that X- is the standard prefix for any site-mandated oddball HTTP headers) and provide the same purpose - I imagine the primary reason for distinguishing them is for ease of use (it is much harder to have an unmodified browser send a header than it is to have it store and send a cookie; similarly, it is much harder to write a script that keeps track of cookies as opposed to having it send a header) rather than to make two separate authentication systems for API vs browser. This ties into my mention that both of them check the same value at the end of the day.
- The pin cookie and the x-pin header both provide the same purpose - authentication. It's sole purpose in life is to prove that I can log into the nation I want access to. If this is all it does, then what does it matter what form it comes in? While I have not tried setting cookies for the API or using Burp Suite to send an X-Pin header (in my defense, it's 1am as I write this, so my testing isn't that thorough), I would not be surprised if it authenticated successfully if I tried.
My reasons for hesitancy:
- Interacting the site-side html in any way via script, especially less standard ones like this, makes me wary in the best of times.
- While I believe that making a request via python requests/cURL would be fine because I can set the User-Agent, my browser is manual and as such ships a standard User-Agent - my concern is that if the API request is registered as a bot, and then the pin from that API request is also used siteside with a browser User-Agent, it might in some cases (I imagine this would depend heavily on the mods bot-detection tools/investigative process, which as a lowly gameplayer I am not privy to) lead someone to believe it's still a bot, operating in what the FAQ calls "stealth mode" - even if it really is me, clicking with my mouse and keyboard - at the helm of all siteside requests done in this manner.
While I honestly can't see any compelling reason it would be outright illegal in-and-of itself, I figured better be safe than sorry and wanted to clarify if this behavior is acceptable at all, and if so, if doing it might cause me headaches down the line.
TL;DR:
Is it legal to use the X-PIN to set the pin cookie in a browser/requestside script, or vice versa?