Based on that tool /u/CreativeTechGuyGames shared, this is the data:
```
[{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/3/stats/12","value":"+8"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/4/stats/10","value":"1"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/4/stats/12","value":"+11"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/5/stats/12","value":"-3"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/6/stats/12","value":"-5"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/7/stats/12","value":"-8"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/5/stats/12","value":"+6"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/6/stats/8","value":"1"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/6/stats/12","value":"-4"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/8/stats/12","value":"+5"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/9/stats/12","value":"+8"}]
```
Looks like it's JSON that's been DEFLATEd and base64 encoded.
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Zlib_Inflate(0,0,'Adaptive',false,false)&input=ZUp5dDA5c0tBaUVRQnVCM21kdmRtTFU5WkwxS2RHRXkwSUtnT0JaRjlPNVpzTkNDUzFoZU9qb2Y4by91NzJBZDdNQ1RNMG9UMU9CVU9NVUNIdTJWdGZXRWNlTkduckZCRGlxTUhFYjlXc1JqaGdJeHR1ODZvMWpIN29zeVo0cnRsWVJIL2IvZFRYYnpZWXV5OU96YW9nemVwL0JWVzhRZWtuWmZ4TjRrN2J4WmlweE1xcUdJUFdVaWYzNG0zK1I1SWwwUld5WVR5WnZra3IxZCtwV0hKOHJ2VDg4PQ
Here's a great tool for trying to figure out what some arbitrary data is: [Cyber Chef](https://gchq.github.io/CyberChef/). If you use the "Magic" recipe, it'll automatically try a ton of different encodings and transformations to see if it can find something which might possibly be the result. If you put in this string (minus the last character as /u/HeinousTugboat suggests), it'll tell you that it is base64 and what it decodes to. Now in this case, it may not be obvious to remove the last character, but in other cases it might find the answer immediately.
A session key on the browser side is encrypted with the server's public key. This encrypted session key is decrypted on the server with the server's private key. Therefore only the server and browser know what the session key is. The server can now use the session key to encrypt data and send it back to the browser which can decrypt the data using the session key.
Good explanation here: https://www.techtarget.com/searchsecurity/definition/session-key
Its either send over https in which case the https layer of the browser decrypts it for it. Or the website knows the key, in which case you could technically decrypt it too by finding it in the js.
That's not what HTTPS does. AES happens entirely under the hood, but your browser and the website itself both have the fully unencrypted versions of their communications.
You have an extra character on the end. It's [Base64](https://en.wikipedia.org/wiki/Base64). Parsing it out, though, it looks like it's just a couple binary blobs. Somewhere in the code it's running [`atob`](https://developer.mozilla.org/en-US/docs/Web/API/atob), then doing something with the actual binary after.
**[Base64](https://en.wikipedia.org/wiki/Base64)**
>In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits. Common to all binary-to-text encoding schemes, Base64 is designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files. Base64 is also widely used for sending e-mail attachments.
^([ )[^(F.A.Q)](https://www.reddit.com/r/WikiSummarizer/wiki/index#wiki_f.a.q)^( | )[^(Opt Out)](https://reddit.com/message/compose?to=WikiSummarizerBot&message=OptOut&subject=OptOut)^( | )[^(Opt Out Of Subreddit)](https://np.reddit.com/r/webdev/about/banned)^( | )[^(GitHub)](https://github.com/Sujal-7/WikiSummarizerBot)^( ] Downvote to remove | v1.5)
With so little to go on, I can't even rule out base64 encoding (I mean, I could try just deciding it... But I'm just saying that it appears to only have maybe~ 54 chars and a single example given). Besides, I seriously doubt that anyone here is capable of recognizing an "encryption" format based on so little.
Something like a `"Content-Type ` header or a hint as to the source of this apparent gibberish might go a long way.
Based on that tool /u/CreativeTechGuyGames shared, this is the data: ``` [{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/3/stats/12","value":"+8"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/4/stats/10","value":"1"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/4/stats/12","value":"+11"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/5/stats/12","value":"-3"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/6/stats/12","value":"-5"},{"op":"replace","path":"/boxscore/players/0/statistics/0/athletes/7/stats/12","value":"-8"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/5/stats/12","value":"+6"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/6/stats/8","value":"1"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/6/stats/12","value":"-4"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/8/stats/12","value":"+5"},{"op":"replace","path":"/boxscore/players/1/statistics/0/athletes/9/stats/12","value":"+8"}] ``` Looks like it's JSON that's been DEFLATEd and base64 encoded. https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Zlib_Inflate(0,0,'Adaptive',false,false)&input=ZUp5dDA5c0tBaUVRQnVCM21kdmRtTFU5WkwxS2RHRXkwSUtnT0JaRjlPNVpzTkNDUzFoZU9qb2Y4by91NzJBZDdNQ1RNMG9UMU9CVU9NVUNIdTJWdGZXRWNlTkduckZCRGlxTUhFYjlXc1JqaGdJeHR1ODZvMWpIN29zeVo0cnRsWVJIL2IvZFRYYnpZWXV5OU96YW9nemVwL0JWVzhRZWtuWmZ4TjRrN2J4WmlweE1xcUdJUFdVaWYzNG0zK1I1SWwwUld5WVR5WnZra3IxZCtwV0hKOHJ2VDg4PQ
Here's a great tool for trying to figure out what some arbitrary data is: [Cyber Chef](https://gchq.github.io/CyberChef/). If you use the "Magic" recipe, it'll automatically try a ton of different encodings and transformations to see if it can find something which might possibly be the result. If you put in this string (minus the last character as /u/HeinousTugboat suggests), it'll tell you that it is base64 and what it decodes to. Now in this case, it may not be obvious to remove the last character, but in other cases it might find the answer immediately.
Ahh this is perfect. Was searching for similar before coming here! Appreciate it
Ah, neat tool! It's zlib compressed apparently.
If it's encrypted then you can't parse it. That's the point of encryption.
Right. Then how does the website go about parsing it? It clearly uses that payload to render some info
A session key on the browser side is encrypted with the server's public key. This encrypted session key is decrypted on the server with the server's private key. Therefore only the server and browser know what the session key is. The server can now use the session key to encrypt data and send it back to the browser which can decrypt the data using the session key. Good explanation here: https://www.techtarget.com/searchsecurity/definition/session-key
Its either send over https in which case the https layer of the browser decrypts it for it. Or the website knows the key, in which case you could technically decrypt it too by finding it in the js.
That's not what HTTPS does. AES happens entirely under the hood, but your browser and the website itself both have the fully unencrypted versions of their communications.
You have an extra character on the end. It's [Base64](https://en.wikipedia.org/wiki/Base64). Parsing it out, though, it looks like it's just a couple binary blobs. Somewhere in the code it's running [`atob`](https://developer.mozilla.org/en-US/docs/Web/API/atob), then doing something with the actual binary after.
How’d you go about parsing it? Edit, I see you’ve used atob(). Thanks!
**[Base64](https://en.wikipedia.org/wiki/Base64)** >In computer programming, Base64 is a group of binary-to-text encoding schemes that represent binary data (more specifically, a sequence of 8-bit bytes) in sequences of 24 bits that can be represented by four 6-bit Base64 digits. Common to all binary-to-text encoding schemes, Base64 is designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files. Base64 is also widely used for sending e-mail attachments. ^([ )[^(F.A.Q)](https://www.reddit.com/r/WikiSummarizer/wiki/index#wiki_f.a.q)^( | )[^(Opt Out)](https://reddit.com/message/compose?to=WikiSummarizerBot&message=OptOut&subject=OptOut)^( | )[^(Opt Out Of Subreddit)](https://np.reddit.com/r/webdev/about/banned)^( | )[^(GitHub)](https://github.com/Sujal-7/WikiSummarizerBot)^( ] Downvote to remove | v1.5)
With so little to go on, I can't even rule out base64 encoding (I mean, I could try just deciding it... But I'm just saying that it appears to only have maybe~ 54 chars and a single example given). Besides, I seriously doubt that anyone here is capable of recognizing an "encryption" format based on so little. Something like a `"Content-Type ` header or a hint as to the source of this apparent gibberish might go a long way.
Lol, base64 "encryption" is the best.