Call of Duty API Endpoints - Page 3 - NextGenUpdate
THREAD: Call of Duty API Endpoints
  1. 09-23-2017, 11:07 AM
    #1
    Tustin
    Recently, Activision [Only registered and activated users can see links. ]. I thought it was pretty cool so I decided to see if they used an API. Not only do they use one, but it also requires no authentication (for most of it anyways) which makes it easy to use if you want to integrate directly on your website or application.

    Rather than making a library for this API, I figured it would be easier to just provide the API endpoints used. There aren't many of them right now, but hopefully it gets expanded in the future.

    Resources:

    API URLs:
    IW: [Only registered and activated users can see links. ]
    BO3: [Only registered and activated users can see links. ]

    Platform Identifiers (used for 'platform' parameter):
    PSN - psn
    Xbox Live - xbl
    Steam - steam

    Endpoints:

    User Stats:
    GET platform/{$platform}/gamer/{$username}/profile/ (example: platform/psn/gamer/tustin25/profile/)

    Leaderboards:
    GET platform/{$platform}/time/alltime/type/core/mode/career/page/1/ - returns the first page of lifetime core stats (example: platform/psn/time/alltime/type/core/mode/career/page/1/)

    Quartermaster Inventory (requires authentication):
    Support for BO3 supply drops isn't supported yet. I was hoping you could view anyone's inventory with this but this endpoint requires authentication to view unfortunately. I still need to reverse their authentication flow.
    GET platform/{$platform}/gamer/{$username}/inventory/?c=1506178397083 (example: platform/psn/gamer/tustin25/inventory/?c=1506178397083) not sure what the 'c' param is used for. The value is a unix timestamp but maybe it stands for cache?

    Keys/Salvage/COD Points (requires authentication):
    Again, requires authentication and also doesn't support BO3.
    GET platform/{$platform}/gamer/{$username}/currency/?c=1506178397084 (example: platform/psn/gamer/tustin25/currency/?c=1506178397084) see above endpoint for the 'c' param.

    Purchasing Supply Drop (requires authentication):
    This only purchases a common crate. I'm not too sure what the parameters are for a rare crate and purchasing with COD points.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/purchaseWith/keys (example: platform/psn/gamer/tustin25/item/CommonCrate/purchaseWith/keys)

    Opening Supply Drop (requires authentication):
    Again, I've only tested this with common crates.
    POST platform/{$platform}/gamer/{$username}/item/CommonCrate/redeem (example: platform/psn/gamer/tustin25/item/CommonCrate/redeem)


    That's about all for now. Like I said, not enough to make some library for this and I also haven't reversed their auth flow yet so most of these endpoints aren't useful at the moment. Still pretty cool to see all the items you've gotten from supply drops though since I don't think all that data is displayed anywhere currently. Hopefully someone can find the statistics part useful at the very least!
  3. 09-29-2017, 03:26 AM
    #21
    Marbella

    Originally Posted by Frosty
    Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering


    What's interesting about mendi is it seems he's an avid Destiny player - , [Only registered and activated users can see links. ]

    Considering Destiny and COD are by the same publisher...perhaps mendi is QA?
    Yeah, I really think he is a QA. The strange thing is that when QA/beta players are invited to Treyarch, they play on a devkit console.
    I will not investigate his PSN any further since he seems like a legit player who was just a QA.

    For the second PSN, he has only two trophies on BO3, but you can see on his profile on the API that he played some MP:
    [Only registered and activated users can see links. ]

    He also has "QA" in his PSN.

    I had another idea btw: I searched on other platforms and found some stuff:
    [Only registered and activated users can see links. ]

    His XBL tag is: dw-thc-ops3-beta

    The API seems to be broken on Steam (can't find anything).

    EDIT: There are also other PSNs with lower numbers, like QAMLIVE041ps instead of QAMLIVE042ps.

    EDIT 2: According to the trophy dates, these accounts were tested when the game was out and for testing Zombies Chronicles, I think.
    That means you can know when Activision is working on secret stuff like another DLC, etc., since they use these accounts for every game.

    I know that because back when DLC5 had leaks, a guy from an Activision playtest leaked some info, but the posts are deleted:
    [Only registered and activated users can see links. ]

    He said he played the DLC5 beta around the time these accounts played it.
    That's some pretty cool stuff!

    EDIT 3: I wrote a mini script that tries PSNs of the form QAMLIVE0XXps. Here is the list of QA testing accounts that have played BO3:
    EDIT 4: A little something I found: if you change the number of days for the "weekly recap" in IW, you can increase it from 7 to 10 days or decrease it (maybe there is no time limit but a game limit?):
    [Only registered and activated users can see links. ]
    Last edited by Marbella; 09-29-2017 at 06:14 AM.

  6. 09-29-2017, 12:54 PM
    #22
    Tustin
    Originally Posted by Marbella
    I will make one tomorrow.

    Another strange thing: the group IDs aren't random. If you create one now you will get, like, ID 35000, and the next one gets ID 35001, etc.
    So I did some research to see if the devs created some test groups, to grab some PSNs of 3arc.

    The first real group is this one:
    [Only registered and activated users can see links. ]

    It has ID 96. A strange thing is if you put a slash at the end of the link, like this:
    [Only registered and activated users can see links. ]

    It gives you a blank page. Also, the majority of page IDs before 96 are blank pages, but some groups show up if you put a / at the end of the link or /members, so I wrote a little program to see the dev groups.
    So I wrote some code that tests the first 100 group IDs. Here it is:
    Code:
    let request = require("request");
    let interval = 1 * 500; // Lowering the interval can get you IP banned

    for (let i = 0; i < 100; i++) {
        setTimeout(function (i) {
            console.log("trying on " + i);
            // I ran the code on <groupid> with backslash, without backslash and with members; it seems like /members gives the best results
            request.get("https://www.callofduty.com/api/sso/cod/title/bo3/psn/teams/" + i + "/members", function (err, resp, body) {
                // Skip failed requests: resp is undefined when err is set
                if (!err && body !== "") {
                    console.log(resp.request.uri.href);
                }
            });
        }, interval * i, i);
    }

    As the comment explains, I ran tests on /groupid without backslash, with backslash, and on /members and /members/.

    And here are the three dev groups I found. I think the others were deleted during game development:
    [Only registered and activated users can see links. ]
    [Only registered and activated users can see links. ]
    [Only registered and activated users can see links. ]

    You can see only two PSNs:
    mendicantca
    QAMLIVE042ps

    They seem to be dev PSNs (or maybe beta testers?). I can't look atm since my PS4 is in another room, but maybe they sometimes play dev games, like how BO3 had "Northwood" as its secret beta name.
    Originally Posted by Frosty
    Seems mendi hasn't been playing games since September 2016, and QAM must be a dummy account, considering


    What's interesting about mendi is it seems he's an avid Destiny player - , [Only registered and activated users can see links. ]

    Considering Destiny and COD are by the same publisher...perhaps mendi is QA?
    There's quite a few QAMLIVE(\d{2,3})ps accounts if you search "QAMLIVE" on the PlayStation app. I checked a few and none of them show any recent activity but maybe in the next few weeks we might see some of them hop on WW2 or something.

    EDIT: Whoops, I just saw Marbella's last reply about all the accounts!
    Last edited by Tustin; 09-29-2017 at 12:56 PM.
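
Seen from the server side, a walk over sequential group IDs like the one quoted above leaves a recognizable trace in access logs: one client requesting `/teams/<id>/members` for a run of consecutive IDs in a short time. The following is an added example, not part of the original posts; the log line format, thresholds, client addresses and sample lines are constructed assumptions.

```javascript
// Added example: flag clients that request a run of consecutive team IDs.
// Assumed log format (constructed): "<ISO time> <client IP> <method> <path> <status>"
const TEAM_PATH = /\/teams\/(\d+)(?:\/members)?\/?$/;

function parseLine(line) {
    const [time, ip, method, path, status] = line.trim().split(/\s+/);
    const m = TEAM_PATH.exec(path || "");
    if (!m || method !== "GET") return null;
    return { time: Date.parse(time), ip, id: Number(m[1]), status: Number(status) };
}

// Returns one finding per client whose requests contain at least `minRun`
// consecutive IDs (n, n+1, n+2, ...) inside `windowMs`.
function findEnumerators(lines, minRun = 5, windowMs = 60_000) {
    const byClient = new Map();
    for (const rec of lines.map(parseLine)) {
        if (!rec) continue;
        if (!byClient.has(rec.ip)) byClient.set(rec.ip, []);
        byClient.get(rec.ip).push(rec);
    }
    const findings = [];
    for (const [ip, recs] of byClient) {
        recs.sort((a, b) => a.time - b.time);
        let runStart = 0, best = null;
        for (let k = 1; k <= recs.length; k++) {
            const broken = k === recs.length ||
                recs[k].id !== recs[k - 1].id + 1 ||
                recs[k].time - recs[runStart].time > windowMs;
            if (!broken) continue;
            const length = k - runStart;
            if (length >= minRun && (!best || length > best.length)) {
                best = { ip, firstId: recs[runStart].id, lastId: recs[k - 1].id, length };
            }
            runStart = k;
        }
        if (best) findings.push(best);
    }
    return findings;
}

// Constructed sample: 10.0.0.7 requests IDs 90..97 at 500 ms intervals; 10.0.0.9 is ordinary traffic.
const sampleLog = [];
for (let i = 0; i < 8; i++) {
    const t = new Date(Date.UTC(2017, 8, 29, 3, 0, 0, i * 500)).toISOString();
    sampleLog.push(`${t} 10.0.0.7 GET /api/sso/cod/title/bo3/psn/teams/${90 + i}/members 200`);
}
sampleLog.push("2017-09-29T03:00:01.000Z 10.0.0.9 GET /api/sso/cod/title/bo3/psn/teams/35000/members 200");
sampleLog.push("2017-09-29T03:00:09.000Z 10.0.0.9 GET /api/sso/cod/title/bo3/psn/teams/412 200");
console.log(findEnumerators(sampleLog));
```

Non-sequential, unguessable group identifiers remove the pattern at the source; the detector only covers the case where IDs stay sequential.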

  8. 09-29-2017, 03:54 PM
    #23
    Tustin
    I just got around to looking at the auth flow for the site and it's really simple. No captcha or csrf token checks at the moment. Here's a basic example of the login script:
    Code:
    <?php
    
    $data = [
        "username" => "[Only registered and activated users can see links. ]",
        "remember_me" => "true",
        "password" => "p@55w0rd"
    ];
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL => 'https://profile.callofduty.com/do_login?new_SiteId=cod',
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($data),
        CURLOPT_HTTPHEADER => [
            'Content-Type: application/x-www-form-urlencoded',
            'Cookie: AMCVS_0FB367C2524450B90A490D4C%40AdobeOrg=1; __utmt_dd8c0908a9be2688b4eb1ba01b8aabf5=1; ACT_SSO_LOCALE=en_US; ATVI_VISITOR_ID=anon-1506714328364-0.6579939320381232; __utma=229673283.1064438501.1506714327.1506714327.1506714327.1; __utmb=229673283.3.10.1506714327; __utmc=229673283; __utmz=229673283.1506714327.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); redirectUrl="https://my.callofduty.com/"; SSO_REDIRECTED_AT_LOGIN="https://my.callofduty.com/"; atkn=""; rtkn=""; agegate=""; country=""; mbox=check#true#1506714393|session#775b52c8450c413bb876bdec89fca133#1506716193|PC#775b52c8450c413bb876bdec89fca133.20_32#1514490333; AMCV_0FB367C2524450B90A490D4C%40AdobeOrg=1099438348%7CMCIDTS%7C17439%7CMCMID%7C07047275907769086351423327957578528689%7CMCAAMLH-1507319133%7C9%7CMCAAMB-1507319133%7CcIBAx_aQzFEHcPoEv0GwcQ%7CMCOPTOUT-1506721533s%7CNONE%7CMCAID%7CNONE%7CMCSYNCSOP%7C411-17446%7CvVersion%7C2.1.0; new_SiteId=cod; comid=cod; s_dfa=activision.prd; s_ppvl=https%253A%2F%2Fmy.callofduty.com%2Fiw%2Flogin%2C57%2C57%2C769%2C1600%2C769%2C1600%2C900%2C1%2CL; s_cc=true; s_ppv=callofduty%253Asso-callofduty%253Alogin%2C93%2C93%2C1169%2C1600%2C769%2C1600%2C900%2C1%2CL; gpv_c8=callofduty%3Asso-callofduty%3Alogin; s_nr=1506714342609-New; s_sq=%5B%5BB%5D%5D',
        ],
        CURLOPT_COOKIEJAR => __DIR__ . '/cookies.txt', // realpath() returns false when the file does not exist yet
        CURLOPT_HEADER => true
    ));
    $resp = curl_exec($curl);
    var_dump($resp);
    I don't know what the cookie header is for, but the login will fail without it. It doesn't seem to be unique because I tried logging in multiple times using it and it worked each time. Maybe someone else can give this a try and see if it works for them too. If it works, you should see a bunch of Set-Cookie headers get output in the var_dump.
  9. 12-21-2017, 08:57 PM
    #24
    Tustin
    I was looking around a bit more, and found something interesting:
    https://profile.callofduty.com/cod/userInfo/<base64 string>

    This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
    5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a 8xxxce61dxxx4acc

    The string seems to be in this format:
    <accountID>:<login time as unix timestamp>:<some unknown md5 hash>

    I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.
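
What makes the third field of a token in this `<accountID>:<timestamp>:<tag>` shape safe or unsafe is whether a client can recompute it. The following added example is not from the thread and is not the site's actual scheme: it shows a server-side design where the tag is an HMAC under a server-only key, compared in constant time and subject to expiry, next to an unkeyed digest that the verifier rejects. The key, lifetime, function names and sample account ID are assumptions.

```javascript
// Added example (not the site's code): issuing and verifying a keyed token
// shaped like <accountID>:<issuedAtMs>:<tag>, base64-encoded.
// Loading node:crypto this way works under CommonJS and ES modules.
const nodeCrypto = typeof require === "function"
    ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const SERVER_KEY = nodeCrypto.randomBytes(32); // assumption: secret kept server-side only
const MAX_AGE_MS = 15 * 60 * 1000;             // assumption: 15-minute lifetime

function tag(accountId, issuedAtMs) {
    return nodeCrypto.createHmac("sha256", SERVER_KEY)
        .update(`${accountId}:${issuedAtMs}`).digest("hex");
}

function issueToken(accountId, nowMs = Date.now()) {
    return Buffer.from(`${accountId}:${nowMs}:${tag(accountId, nowMs)}`).toString("base64");
}

// Returns the account ID for a valid token, or null. Every failure looks the same to the caller.
function verifyToken(token, nowMs = Date.now()) {
    const parts = Buffer.from(String(token), "base64").toString("utf8").split(":");
    if (parts.length !== 3) return null;
    const [accountId, issuedAt, given] = parts;
    if (!/^\d{1,20}$/.test(accountId) || !/^\d{13}$/.test(issuedAt)) return null;
    const expected = Buffer.from(tag(accountId, issuedAt), "hex");
    const supplied = Buffer.from(given, "hex");
    // timingSafeEqual throws on a length mismatch, so check the length first.
    if (supplied.length !== expected.length) return null;
    if (!nodeCrypto.timingSafeEqual(supplied, expected)) return null;
    const age = nowMs - Number(issuedAt);
    if (age < 0 || age > MAX_AGE_MS) return null;
    return accountId;
}

// A token whose third field is an unkeyed MD5 of fields the client can already see.
// Anyone can compute this, which is why the verifier above must not accept it.
function unkeyedDigestToken(accountId, issuedAtMs) {
    const md5 = nodeCrypto.createHash("md5").update(`${accountId}:${issuedAtMs}`).digest("hex");
    return Buffer.from(`${accountId}:${issuedAtMs}:${md5}`).toString("base64");
}
```

An endpoint that returns account data should still require the caller's authenticated session in addition to any such token.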
  10. 12-21-2017, 09:16 PM
    #25
    Hydrogen
    Originally Posted by Tustin
    I was looking around a bit more, and found something interesting:
    https://profile.callofduty.com/cod/userInfo/<base64 string>

    This endpoint takes a base64 encoded string that, when decoded, gives a string in this format:
    5xxx986xxxx078xxx83:1515116063709:85xxx71742xxx42a 8xxxce61dxxx4acc

    The string seems to be in this format:
    <accountID>:<login time as unix timestamp>:<some unknown md5 hash>

    I couldn't figure out what the hash is exactly. I tried username, email, and password but it doesn't seem to match those. I'm only guessing it's MD5, but it could be salted, multiple rounds of MD5, or just something else entirely. I figure if you can find out what this hash is, you can fetch the userinfo for any account you want since this endpoint isn't locked behind authentication.
    Can't you just decode it with Hashcat, or it's to the point where you would need to reverse the whole thing manually?
  11. 12-21-2017, 09:19 PM
    #26
    Tustin
    Originally Posted by Hydrogen
    Can't you just decode it with Hashcat, or it's to the point where you would need to reverse the whole thing manually?
    You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.
  13. 12-21-2017, 09:30 PM
    #27
    Hydrogen
    Originally Posted by Tustin
    You could try to crack it but I'm far too lazy to set all of that up. For all I know it could just be some randomly generated hash that can't be generated yourself.
    Isn't MD5 like two to the 128th power? or something near that, lol. Eh, I have close friends from LeakBase that could try decoding it for you, not sure how'd you want to try that though.
  14. 10-10-2018, 09:20 AM
    #28
    KilioZ
    Hey, Black Ops 4 Stats is online!

    [Only registered and activated users can see links. ]
    I'm looking for the new API on BO4!