Watch — Heavenly Sword and Dragon Slaying Sabre 19

CDN bypass demonstration The API returned playingUrl for Heavenly Sword and Dragon Slaying Sabre 19 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/43006/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access deny

paid_for YES (premium content)

substatus EXPIRED

serverhost 52

video_name HEAVENLY SWORD DRAGON SLAYING SABER 19 ICE P.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 43006,
    "video_title": "Heavenly Sword and Dragon Slaying Sabre 19",
    "description": " Heavenly Sword and Dragon Slaying Sabre took place nearly 100 years after the events of Return of the Condor Heroes in a China ruled by the Mongolian Yuan Dynasty. \r\nLegend said that whoever obtains the Heavenly Sword and Dragon Slaying Saber can rule the world. Zhang Wuji was orphaned at a young age by schemes to discover the secrets of these two weapons. Despite his preference to live a non-violent life, Wuji found himself embroiled in the struggles for power and must fight to save himself and others he loves.",
    "video_name": "HEAVENLY SWORD DRAGON SLAYING SABER 19 ICE P.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "52",
    "allow_openload": "0",
    "full_video_name": "",
    "duration": "46h 05m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/YBv214RDRe8088.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2023-11-01",
    "age_id": "PG",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "81689",
    "access": "1",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "371.63 MB",
    "create_date": "2023-11-01 15:11:53",
    "schedule_date": "01.11.2023 10:05:09 AM",
    "user_id": 1118356,
    "vj_id": 9,
    "video_status_id": 0,
    "network_id": "41.190.134.203",
    "user_access": "deny",
    "notification": "",
    "secduration": "165900.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Ice P",
    "trailer_playing_url": "",
    "episodes": 50,
    "episode_state": "NEXT",
    "nxt_eps": "EPS   20",
    "nxt_eps_id": 43007,
    "nxt_eps_title": "Heavenly Sword and Dragon Slaying Sabre 20",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "3 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}