
Calling all big debuggers and API enthusiasts (next big bypass, pch-digest-auth)

by P6AK - 08 August, 2020 - 10:37 PM
#1
Digest auth. I am sure we have all heard of it, but there is a new form taking center stage. Punchh Digest auth, better known as pch-digest-auth, is a form of authentication which requires a web request to punchh.api to receive a set of SHA2-256 hashed DeviceIDs to perform a request. I've recently been breaking my back trying to find a bypass or a way around this sort of auth. I have concluded that decompiling the application which contains this sort of authentication reveals a few secrets to the user. Below you can find the information which I obtained by decompiling Dairy Queen. [Image: OSmuOrc.png]

This info might seem confusing at first, but fear not, because to access Punchh API Documents you need full business authentication including LLC, Driver's License, SSN, DOB, etc. I have instead come across other support forums which contain little hints as to how to access this API. A needed variable for accessing an API like this is "Location_key". Formatted in JSON, you can hint that in the picture "secretKey" is our variable "Location_key". There is yet another key needed to access the API, and of course that is the API Key. The only difficulty I am having is to find the needed URL for this exchange as well as the post data.

I have set myself upon a mission rather to sneak into Punchh's API Documents and really crack down on this method of Digest-Auth. This will require some hard work and dedication, but I will not be back until I have completed this. Wish me luck C.to and I will be back with a bypass very soon, mark my words!
 
HiddenToolz
#2
Please show us a model of the request, what data is sent / received :)
P6AK
#3
(08 August, 2020 - 10:40 PM) HiddenToolz wrote:
Please show us a model of the request, what data is sent / received :)

This request cannot be exchanged simply by fiddling. It's client-side, meaning that it's mainly done internally with Dairy Queen Server -> Punchh API -> Dairy Queen Server.
 
