Skip to content

Tips-Discord/ZugToken

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

ZugToken

A vulnerability exists in the legacy game-analysis WebSocket endpoint that allows a user to perform unlimited server-side Stockfish analysis Game Review (CAPS calculation) on arbitrary PGNs, bypassing standard quotas.

The backend fails to validate that the authorization token generated for a specific game matches the PGN and Game UUID submitted in the WebSocket payload. By obtaining an authorization token for a single, valid game, an attacker can reuse that token to analyze any other game on the platform.

Usage

  1. Analyze any game normally and copy its Game ID.
  2. Replace ANALYZED_GAME with that Game ID.
  3. Add your Chess.com cookies to COOKIES.
  4. Install the required dependencies.
  5. Run the script:
python .\main.py "12345678"

Replace 12345678 with the target game ID you want to analyze.

After the script finishes:

  • A JSON file containing the analysis data should appear in the same directory as the Python script.
  • The analyzed game may display an accuracy score if the request succeeded.

Example

Example of analyzed games from a random Chess.com profile:

Example analyzed games

Disclaimer

This code is provided strictly for educational and archival purposes only.

About

Chess.com unlimited analysis (server side) for free tier!

Topics

Resources

License

Stars

60 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages