== Hacking Obopay

Goal: automated posting of payments to another person using pay-by-text service [[http://obopay.com|Obopay]]

Strategy: Multi-step curl form POSTs with faked user-agent.

Status: **Mission Accomplished**


=== 0 Env
<code>
$ alias curlzilla='curl --user-agent "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"'
</code>

=== 1 Casual visit

wap.obopay.com redirects to http://wap.obopay.com/SmartPath/wap?app=obopay
<code>
curlzilla "http://wap.obopay.com/SmartPath/wap?app=obopay"
</code>

On this page is the sessid I think
<code>
<form  action='http://wap.obopay.com/SmartPath/wap?app=obopay&amp;c=&amp;sid=obopay-1174080208662&amp;crt=REGISTER'  method='post'  >
</code>

From above: sid=obopay-1174080208662

So
<code>
export SID=sid=obopay-1174080208662
</code>


=== 2 Login

PPPPPPPPPP = your phone #
XXXX = your PIN

<code>
curlzilla -d "TEXTBOX1=PPPPPPPPPP&TEXTBOX2=XXXX&submit-MAINMENU-Submit=Submit" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=REGISTER"
</code>

=== 3 'Send money'
<code>
curlzilla "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=MAINMENU&NEXT=PAY&aid=SENDMONEY"
</code>

=== 4 Input recipient details
<code>
curlzilla -d "TEXTBOX1=9282745257&TEXTBOX2=1&TEXTBOX3=00&TEXTBOX4=test&TEXTBOX5=1371&submit-CONFIRM-Next=Next" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=PAY"
</code>

=== 5 Confirm
<code>
curlzilla -d "POSTDATA=submit-RESULT-Send=Send" "http://wap.obopay.com/SmartPath/wap?app=obopay&c=&sid=$SID&crt=CONFIRM"
</code>


=== 6 Bask in success

I will be going to the Brooklyn Brewery with my referrals.