Last active Aug 29, 2015
Data Spelunking

Playing around, I noticed that send a lot of unnecessary data in their XHR/AJAX calls - much of which isn't even rendered on the client side by your browser. Some of this is semi-private information about users and their orders, including orders marked as "VIP" or those which require you to "level up".

You can run the Python code below, which will create an orders.json file on your machine. This seems to be a dump of all currently open orders, but I haven't dug very deep into the dataset. I believe if you send a POST request to the /orders/{id}/transaction endpoint, you will actually receive the sender's shipping address. I also noticed the following query parameters you can append to endpoints:

  • ?limit=50
  • ?offset=0
  • ?country=
  • ?amount=
  • ?hide=

The output seems to be around 1000 orders, but this might just be the current number of open orders that exist. Interesting data to sift through, nonetheless (setting up an automated scraper/crawler to trend this data over time would be very cool).

Note: This code uses my API authorization key, which I assume Purse will likely shut down fairly quickly. To grab and use your own, log in to then execute the following JS from your Developer Tools > Console:

prompt(' Authorization Token:', 'JWT ' + document.cookie.replace(/(?:(?:^|.*;\s*)purse_token\s*\=\s*([^;]*).*$)|^.*$/, "$1"));

Copy/paste this to replace the 'Authorization:' value in (you'll quickly see where it goes).

If you're having any trouble running this code, you might want to give the following a try from your terminal:

sudo pip install requests simplejson

All code tested on Mac OS X Yosemite 10.10.4

import requests
import simplejson

# Orders endpoint URL
url = ''
headers = {'Content-Type': 'application/json', 'Authorization': 'JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InVtbWphY2tzb250ZXN0IiwidXNlcl9pZCI6NDM5MTYsImlwIjoiMTczLjI0Ny4yMDUuOSIsInIiOiJ3Q2VhTERMVCIsImV4cCI6MTQzODMyNTM1MCwiZW1haWwiOiJuby1yZXBseUB1bW1qYWNrc29uLmNvbSJ9.jz4jAeQmEPQ8-f-Atm9XKI9hXIuh8mMmdPlMRTZNnIw'}
# Request the orders listing using the authorization token above
r = requests.get(url, headers=headers)
# Pretty-print the JSON response into orders.json
with open('orders.json', 'w') as output:
    output.write(simplejson.dumps(simplejson.loads(r.content), indent=4, sort_keys=True))
print('Saved to orders.json!')
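
The server-side counterpart to the over-sharing described in this gist, as an added example that is not part of the original gist or Purse's code: the listing returns only allow-listed fields, bounds the `?limit=`/`?offset=` parameters, and a regression check reports any field outside the allow-list. Field names, the page-size cap and the sample orders are constructed assumptions.

```python
# Added example. Field names and sample data are hypothetical, not the real API schema.
PUBLIC_FIELDS = frozenset({"id", "country", "amount", "status"})
MAX_LIMIT = 50  # upper bound on page size, whatever ?limit= asks for


def clamp_paging(limit, offset, max_limit=MAX_LIMIT):
    """Parse client-supplied ?limit= / ?offset= and bound them server-side."""
    try:
        limit = int(limit)
    except (TypeError, ValueError):
        limit = max_limit
    try:
        offset = int(offset)
    except (TypeError, ValueError):
        offset = 0
    return max(1, min(limit, max_limit)), max(0, offset)


def public_view(order):
    """Copy only allow-listed fields, so new model fields stay private by default."""
    return {k: order[k] for k in PUBLIC_FIELDS if k in order}


def list_orders(orders, limit=None, offset=None):
    """Build the JSON-ready body for an orders listing request."""
    limit, offset = clamp_paging(limit, offset)
    return [public_view(o) for o in orders[offset:offset + limit]]


def leaked_fields(items, allowed=PUBLIC_FIELDS):
    """Regression check for API tests: response fields that are not allow-listed."""
    return sorted({k for item in items for k in item} - allowed)


# Constructed sample records standing in for raw database rows.
SAMPLE_ORDERS = [
    {"id": i, "country": "US", "amount": 10.0 + i, "status": "open",
     "vip": i % 2 == 0, "buyer_email": "user%d@example.test" % i,
     "shipping_address": "%d Example St" % i}
    for i in range(120)
]

if __name__ == "__main__":
    page = list_orders(SAMPLE_ORDERS, limit="1000", offset="0")
    print(len(page), "orders returned; extra fields:", leaked_fields(page))
    print("raw rows would expose:", leaked_fields(SAMPLE_ORDERS))
```

Running `leaked_fields` against captured API responses in an integration test catches a serializer that starts returning whole database rows again.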

mrkent commented Jul 31, 2015

If you are able to pull data that's not public, we'd be happy to reward a bounty :)
