Audit Trail and WAA and SAPISID - Secure Authenticated Persistent ID

Audit Trail and Secure Authenticated Persistent ID

curl 'https://waa-pa.xx.google.com/$rpc/xx.xx.v1.Waa/Create' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-GB-oxendict,en-US;q=0.9,en;q=0.8' \
  -H 'Authorization: SAPISIDHASH 1750645628_xx SAPISID1PHASH 1750645628_xxx SAPISID3PHASH 1750645628_xxx' \
  --data-raw '["/<app-name-hashed>"]'

  • The curl command makes a POST request to a Google internal API endpoint.
  • The Authorization header shown here, specifically SAPISIDHASH, is part of Google's internal authentication mechanism.
  • It is used to verify that a request comes from a logged-in, legitimate user.

📦 Request Details

  • Headers:

    • Authorization: Uses SAPISIDHASH and related tokens, which are typically used for authenticated Google services.
    • Content-Type: application/json+protobuf: This is set when the payload is a hybrid of JSON and Protocol Buffers.
    • X-Goog-Api-Key and X-Goog-AuthUser: Used for identifying the client and user context.
    • Origin and Referer: Suggest the request comes from a legitimate app, e.g. Google Docs.
  • Cookies: Contains a large number of Google authentication and session cookies to handle logged-in user session.

  • Payload:

    ["/<app-name>"]

    The app name is passed as a JSON array containing a single string, which is an encoded or obfuscated identifier.


⚠️ Important Notes

  • This request is part of a backend operation triggered by a Google Suites App to:

    • Create a new instance of a doc or note and an activity log.
    • Sync or register a user action.
    • Log or audit a user event.
  • The presence of multiple SAPISIDHASH, SAPISID1PHASH, etc., suggests multi-layered or experimental authentication.
  • protobuf has been used here.

🔍 Purpose

  • This is a WAA endpoint: google.internal.xxx.v1.waa/Create
  • WAA is used for Web & App Activity.
  • This is part of an internal Google API.
  • The Create method is used to create a new resource or an audit record.

🔐 What is SAPISIDHASH?

SAPISIDHASH is a token-based authentication scheme used by Google services. It is used especially by internal or undocumented APIs to authenticate browser-based requests.

It’s derived from:

  • A cookie called SAPISID (Secure Authenticated Persistent ID).
  • The current timestamp.
  • The origin of the request (e.g., https://<app name>.google.com).

🧮 How It Works (Simplified)

  1. Client-side JavaScript (in the browser) computes a hash like this:

    SAPISIDHASH = timestamp + "_" + SHA1(timestamp + " " + SAPISID + " " + origin)
    
  2. This hash is sent in the Authorization header:

    Authorization: SAPISIDHASH <timestamp>_<hash>
    
  3. Google’s backend verifies the hash using the same method and the SAPISID cookie.
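The three steps above as a runnable sketch, with the verifier side included so the origin binding can be observed. This is an added example, not code from the gist or from Google: the cookie value, the origin and the 300-second freshness window are constructed assumptions, and `verify` is a hypothetical model of step 3 that ignores the other schemes in the header because the page does not say how they are derived.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the page does not state a freshness window

# Constructed sample values, not real credentials
SAMPLE_SAPISID = "CONSTRUCTED-sapisid-cookie-value"
SAMPLE_ORIGIN = "https://app.example.com"
SAMPLE_TS = 1750645628  # timestamp seen in the curl command above


def sapisidhash(sapisid: str, origin: str, timestamp: int) -> str:
    """Step 1: '<timestamp>_' + SHA1('<timestamp> <SAPISID> <origin>') as hex."""
    material = f"{timestamp} {sapisid} {origin}".encode()
    return f"{timestamp}_{hashlib.sha1(material).hexdigest()}"


def verify(authorization: str, sapisid_cookie: str, origin_header: str, now=None):
    """Step 3 (hypothetical model): recompute from the cookie and Origin header."""
    # The header may carry several '<scheme> <token>' pairs; pick SAPISIDHASH.
    parts = authorization.split()
    token = dict(zip(parts[0::2], parts[1::2])).get("SAPISIDHASH")
    if token is None or "_" not in token:
        return False, "malformed"
    ts_text, _, presented = token.partition("_")
    if not (ts_text.isascii() and ts_text.isdigit()):
        return False, "malformed"
    now = int(time.time()) if now is None else now
    if abs(now - int(ts_text)) > MAX_SKEW_SECONDS:
        return False, "stale"
    expected = sapisidhash(sapisid_cookie, origin_header, int(ts_text))
    # Constant-time comparison of the hex digests
    if not hmac.compare_digest(expected.partition("_")[2].encode(), presented.encode()):
        return False, "mismatch"
    return True, "ok"


if __name__ == "__main__":
    header = "SAPISIDHASH " + sapisidhash(SAMPLE_SAPISID, SAMPLE_ORIGIN, SAMPLE_TS)
    t = SAMPLE_TS + 10
    print(verify(header, SAMPLE_SAPISID, SAMPLE_ORIGIN, now=t))          # same origin
    print(verify(header, SAMPLE_SAPISID, "https://other.example", now=t))  # other origin
    print(verify(header, SAMPLE_SAPISID, SAMPLE_ORIGIN, now=t + 3600))   # replayed late
```

A header computed for one origin fails verification when the request arrives with a different Origin, which is the CSRF property described in the next section.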


🧪 Why Use This?

  • It prevents CSRF (Cross-Site Request Forgery) by tying the request to a specific origin.
  • It ensures the request is coming from a real browser session with valid cookies.
  • It’s used in internal APIs that are not meant to be accessed directly by third-party clients.

Todo

  • Analyze what the payload string represents
  • Add a visual breakdown of the hash construction
  • Replicate this behavior in a script or a tool