From 88aa7c9789bc9d7c10e54a270563780b59272b75 Mon Sep 17 00:00:00 2001 From: PinkDev1 <5990@protonmail.com> Date: Mon, 25 Jan 2021 04:34:40 +0000 Subject: [PATCH] Added commands for testing Mapbox API Tokens --- API Key Leaks/README.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index 221eefd..0bf5e25 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -18,6 +18,7 @@ - [Gitlab Personal Access Token](#gitlab-personal-access-token) - [HockeyApp API Token](#hockeyapp-api-token) - [Auth Bypass using pre-published Machine Key](#auth-bypass-using-pre-published-machine-key) + - [Mapbox API Token](#Mapbox-API-Token) ## Tools 
@@ -121,9 +122,20 @@ $ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt ``` +### Mapbox API Token +A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time. +``` +#Check token validity +curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN" + +#Get list of all tokens associated with an account. (only works if the token is a Secret Token (sk), and has the appropiate scope) +curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN" +``` + ## References * [Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019](https://medium.com/@sumitcfe/finding-hidden-api-keys-how-to-use-them-11b1e5d0f01d) * [Private API key leakage due to lack of access control - yox - August 8, 2018](https://hackerone.com/reports/376060) * [Project Blacklist3r - November 23, 2018 - @notsosecure](https://www.notsosecure.com/project-blacklist3r/) -* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/) \ No newline at end of file +* [Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/) +* [Mapbox API Token Documentation](https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely/)
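Review bot: the new TOC entry in the first hunk, `- [Mapbox API Token](#Mapbox-API-Token)`, uses a mixed-case anchor while every neighbouring entry (`#gitlab-personal-access-token`, `#hockeyapp-api-token`, `#auth-bypass-using-pre-published-machine-key`) uses the lowercase slug that GitHub generates for headings. Change it to `- [Mapbox API Token](#mapbox-api-token)` so the link resolves and the list stays consistent.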
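Review bot: in the second hunk the sentence "If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time." is wrong on terminology: `sk.`, `pk.` and `tk.` are the prefix that precedes the JWT (e.g. `sk.eyJ1...`), not the JWT header, which is the first base64url segment after that prefix. Reword to something like "A Mapbox token is a JWT carrying a prefix that tells you its type: `sk.` is a secret token (jackpot), `pk.` is a public token and `tk.` a temporary token." Also fix the typo "appropiate" in the comment above the second `curl`, and say which scope the listing call needs (the Tokens API requires the `tokens:read` scope) so the reader can tell from the `scopes` field of the first `curl` response whether the second call is worth trying.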