[This is a follow-up to the first AJAX Login Control Hacker's Challenge. You will find more details and instructions there.]
Well, so far, the hackers are not doing so well. Here are some numbers. Out of ~517 downloads, ~108 accounts created on the test site, and ~617 page views over the past two weeks, the AJAX Login Control has yet to be cracked. Yes, I know, those aren't great numbers... but hey, at least there is some indication that the armour is being tested.
Okay. So, I've decided to cut you hackers a little slack. Give you a few little hints, if you will. As a matter of fact, I'm going to do all the hard work and provide the raw data that is transmitted during a successful login of the sample user, hacker@snipgen.com.
VerifyUserLogin : The first AJAX request.
POST
{"request":{"__type":"snip.SaltRequest","username":"hacker@snipgen.com"}}
RESPONSE
{"__type":"snip.SaltResponse","salt":"EIyMXOyus3TRGnP/MiWwhQ==","challenge":"wzLrnbxWivzNkbMPvksw8A==","success":true}
Login : The second AJAX request
POST
{"request":{"__type":"snip.LoginRequest","username":"hacker@snipgen.com","passwordHMAC":"ERkSrTM8EeD2rIzwE8TyxiPJyo8=","createCookie":false}}
RESPONSE
{"__type":"snip.LoginResponse","status":1}
$100 Award Remains
There it is. I've spilled the beans. And here's the best part. The $100 cash award to the first successful hacker remains.
Once again, good luck and game on.