Poking around with ChatGPT

As a software engineer, I enjoy looking into the inner workings of websites. Today, I had some fun exploring Nubank's site. Upon inspecting the frontend, I noticed a call to https://prod-global-webapp-proxy.nubank.com.br/api/discovery, which provided a collection of various endpoints.

However, I stumbled upon some endpoints with peculiar formats, like this one: https://prod-global-webapp-proxy.nubank.com.br/api/proxy/AJxL5LBUC2Tx4PB-W6VD1SEIOd2xp14EDQ.aHR0cHM6Ly9wcm9kLWdsb2JhbC1hdXRoLm51YmFuay5jb20uYnIvYXBpL3Rva2Vu.

Endpoints

Curious to decipher its meaning, I asked ChatGPT to decode the cryptic string AJxL5LBUC2Tx4PB-W6VD1SEIOd2xp14EDQ.aHR0cHM6Ly9wcm9kLWdsb2JhbC1hdXRoLm51YmFuay5jb20uYnIvYXBpL3Rva2Vu.

It turns out that the first half is probably a token, and the second half is a Base64-encoded URL: https://prod-global-auth.nubank.com.br/api/token

ChatGPT

I tried to see what was behind these URLs, but nothing came out.

$ curl https://prod-global-webapp-proxy.nubank.com.br/api/proxy/AJxL5LBUC2Tx4PB-W6VD1SEIOd2xp14EDQ.aHR0cHM6Ly9wcm9kLWdsb2JhbC1hdXRoLm51YmFuay5jb20uYnIvYXBpL3Rva2Vu
{"error":"Forbidden"}

$ curl https://prod-global-auth.nubank.com.br/api/token
curl: (35) LibreSSL/3.3.6: error:1401E412:SSL routines:CONNECT_CR_FINISHED:sslv3 alert bad certificate

I then played a little bit with the proxy.

$ curl -v https://prod-global-webapp-proxy.nubank.com.br/api/proxy/hello-world
...
< HTTP/2 500
...
{}

Then I asked myself: what if I injected some random URL?

>>> import base64
>>> base64.b64encode(b"https://google.com")
b'aHR0cHM6Ly9nb29nbGUuY29t'

$ curl -v https://prod-global-webapp-proxy.nubank.com.br/api/proxy/aHR0cHM6Ly9nb29nbGUuY29t
...
< HTTP/2 500
...
{}

OK, not so good. What if I added a token?

$ curl https://prod-global-webapp-proxy.nubank.com.br/api/proxy/token.aHR0cHM6Ly9nb29nbGUuY29t
{"error":"Forbidden"}

What if the second part was not in base64?

$ curl -v https://prod-global-webapp-proxy.nubank.com.br/api/proxy/token.notbase64
...
< HTTP/2 500
...
{}

What if the second part was encoded in Base64, but was not a URL?

>>> base64.b64encode(b"not a url")
b'bm90IGEgdXJs'

$ curl https://prod-global-webapp-proxy.nubank.com.br/api/proxy/token.bm90IGEgdXJs
{"error":"Forbidden"}

The next question arises: Does the proxy initiate requests? Regardless, I must retire for the night. We can pick up on this topic at a later time, as long as I'm not feeling lazy.
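An added example (not from the original post, and not Nubank's code): a sketch of how a proxy could check a `<token>.<base64url(URL)>` path segment before fetching anything, assuming the token is an HMAC over the target URL. The key, the allowlist and all function names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import urlsplit

SECRET_KEY = b"constructed-demo-key"        # hypothetical; load from a secret store
ALLOWED_HOSTS = {"auth.example.internal"}   # hypothetical upstream allowlist
B64URL = re.compile(r"[A-Za-z0-9_-]+")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    """Decode unpadded URL-safe Base64; raise ValueError on malformed input."""
    if not B64URL.fullmatch(text):
        raise ValueError("characters outside the base64url alphabet")
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except binascii.Error as exc:
        raise ValueError("bad base64url length") from exc

def sign(url: str) -> str:
    """Build '<token>.<base64url(url)>' with the token an HMAC over the URL."""
    mac = hmac.new(SECRET_KEY, url.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(mac)}.{b64url_encode(url.encode())}"

def check(segment: str):
    """Return (status, url). Nothing may be fetched unless status is 200."""
    token, sep, encoded = segment.partition(".")
    if not sep or "." in encoded:
        return 400, None                    # not '<token>.<payload>'
    try:
        url = b64url_decode(encoded).decode("utf-8")
    except ValueError:
        return 400, None                    # payload is not base64url text
    expected = sign(url).split(".")[0]
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 403, None                    # token is not bound to this URL
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return 403, None                    # signed, but host not allowlisted
    return 200, url
```

Binding the token to the URL means a token copied from one segment is rejected when paired with a different payload, and the allowlist still applies even when the signature is valid.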