streaak / keyhacks Goto Github PK

Based on a blog post and tool by @ozguralp:
https://medium.com/@ozguralp/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e
And:
https://github.com/ozguralp/gmapsapiscanner/

Hi,
I think it could be useful to add this for HockeyApp key: https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/

a lot of times, bugsnag api keys are embedded in page source.

Paypal's access token:

• https://developer.paypal.com/docs/api/get-an-access-token-curl/ :

curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
   -H "Accept: application/json" \
   -H "Accept-Language: en_US" \
   -u "client_id:secret" \
   -d "grant_type=client_credentials"

Access token can be further used to extract data from the PayPal API. More information:

• https://developer.paypal.com/docs/api/overview/#make-rest-api-calls

Hey, it's a great project!
It could be even better if it'd be possible to check creds from the shell.
Writing a tool is easy, but it requires mirroring current README (or only API URLs) into JSON or similar format.

This project includes only API urls and probably won't be used as a seed for any tools.

Example json:

{
   "service": "AWS",
   "description": "Checks AWS keys via IAM API",
   "url": "https://aws/url",
   "expected_status": "200",
   "expected_body?": "{\"key\":\"is_valid\"}"
}

Any idea on how to use DocuSign private key?

Mapbox secret token (super confidential) is something that looked like this: sk.eyJ.... You should add it into your content. Also, there is also a Mapbox public token, looked like this: pk.eyJ... which does not confidential at all, it supposed to be public.

Secret access token started with 'sk.' (secret key)
Public access token started with 'pk.' (public key)
Mapbox

curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer [ACCESS_TOKEN]' 'https://aum.iris.comcast.net/v1.1/user/current'

:)

Google maps API key should be restricted to certain projects. I quote

Restrict your API keys to be used by only the IP addresses, referrer URLs, and mobile apps that need them: By restricting the IP addresses, referrer URLs, and mobile apps that can use each key, you can reduce the impact of a compromised API key. You can specify the hosts and apps that can use each key from the GCP Console Credentials page and then create a new API key with the settings you want, or edit the settings of an existing API key.

Source: https://support.google.com/googleapi/answer/6310037?hl=en

You can test the API key is valid and not restricted using:

https://maps.googleapis.com/maps/api/directions/json?origin=Toronto&destination=Montreal&key=KEY_HERE

If properly restricted, it should return:

"This API project is not authorized to use this API."

Otherwise, it will return proper JSON data with directions and geo coordinates.

Hello, I discovered the leakage of nuxtKey and nuxtKeySecret in the wild. I read the official document and found no way to use it. Do you have a way to use it?

SAS token on Azure can be used to perform sensitive action such as reading storage or uploading file using Blob storage.

"https://myaccount.blob.core.windows.net/?restype=service&comp=properties&sv=2015-04-05&ss=bf&srt=s&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B"

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/common/storage-dotnet-shared-access-signature-part-1.md

we can validate the access using this endpoint
curl -u "USERNAME:ACCESS_KEY" https://api.browserstack.com/automate/plan.json

Format:

Application key: [0-9a-z]{40}
API key: [0-9a-z]{32}

Test:
https://api.datadoghq.com/api/v1/dashboard?api_key=<api_key>&application_key=<application_key>

WPENGINE_APIKEY usually found in:
https://site.com/_wpeprivate/config.json

Verify WPENGINE_APIKEY here:
curl https://api.wpengine.com/1.2/?method=site&account_name=ACCOUNT_NAME&wpe_apikey=WPENGINE_APIKEY

Exploit with:
https://gist.github.com/hateshape/2e671ea71d7c243fac7ebf51fb738f0a

Hi there,
can you please provide more details regarding Mapbox access token exploit.

curl -v -X GET "https://api.sandbox.paypal.com/v1/identity/oauth2/userinfo?schema=paypalv1.1" -H "Content-Type: application/json" -H "Authorization: Bearer [ACCESS_TOKEN]"

I just found an Google recaptcha Secret key in a Site, but I do not know what is the impact and how to exploit more with this key
Please help me!!

https://wakatime.com/api/v1/users/current/projects/?api_key=KEY

(get)

While it is true that this doesn't work currently, restricted keys can be restricted to certain endpoints. It would be really nice not to have to loop through their endpoints to tell if there is a valid key. I will investigate if this is possible.

Originally posted by @KevinHock in #47

Do you have any idea about interaction with boomerang api. please share resources for it.

SSH private keys can be tested against github.com to see if they are registered against an existing user account. If the key exists the username corresponding to the key will be provided:

$ ssh -i <path to SSH private key> -T [email protected]
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.

pls provide require info im trying this but giving invalidkeys

https://www.google.com/recaptcha/api/siteverify?secret=your_secret&response=response_string&remoteip=user_ip_address

Here is api doc:

https://openapi.appcenter.ms/

https://docs.microsoft.com/en-us/appcenter/api-docs/

Pusher API Keys are found on the javascript files and I am confused how to exploit them. Can you add them here? Also add how to exploit Amplitude API keys.

here is more info on it https://mandrillapp.com/api/docs/users.JSON.html

Hello,
I have suggestion add apigee client id and secret. With client id and secret, we can gain full access to apigee service of that company who leak id and secret. No regex for hunting client id and secret but there is

curl -I -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://company.apigee.net/oauth/accesstoken' -d 'grant_type=client_credentials&client_id=xxx&client_secret=yyy'

Client id always longer than client secret.

{
    "token": "xxx",
    "access_token": "xxx",
    "issued_at": "00000",
    "expires_in": "00000"
}

Access token will look like jwt token, so decode it and find this:

{
  "access_token": "agGEHDkB7WRDYNbVJ1VVbAjzGTi4",
  "audience": "",
  "api_product_list": [
  ],

Use this key as bearer authorization to explore more deep.

But do not always following /oauth/accesstoken endpoint because some company using custom endpoint.
Simple Regex to hunt apigee service of company: .*\.apigee\.net

reference:
https://docs.apigee.com/api-platform/security/oauth/oauth-20-client-credentials-grant-type

https://hackerone.com/reports/716292

Hi,

Easy way to check if found Freshdesk API keys are valid:

curl -v -u [email protected]:test -X GET 'https://domain.freshdesk.com/api/v2/groups/1'

This requires the API key in '[email protected]', pass in 'test' and 'domain.freshdesk.com' to be the instance url of the target. In case you get a 403, try the endpoint api/v2/tickets, which is accessible for all keys.

Hey Streaak :)
So maybe you are interested in adding the stripe live secret token?
More info can be found here: https://stripe.com/docs/keys
It basically allows you to do anything. So its pretty sensitive.
The format is always:
sk_live_34charshere
where the 34charshere part contains 34 characters from a-z A-Z 0-9. There is also a sk_test key but that is only for testing purposes and isnt worth anything.
003random,

It looks like GCM is deprecated, but they are still good for another few days 🤷‍♂️

URL:
https://developers.google.com/cloud-messaging/

Request:
curl -s -X POST --header "Authorization: key=AI..." --header "Content-Type:application/json" 'https://gcm-http.googleapis.com/gcm/send' -d '{"registration_ids":["1"]}'

Based on this report https://hackerone.com/reports/716292
there is an other endpoint to validate & increasing the severity of the found keys

curl -H "x-api-key: █" "https://console.jumpcloud.com/api/systemusers"
curl -H "x-api-key: █" "https://console.jumpcloud.com/api/applications"
curl -H "x-api-key: █" "https://console.jumpcloud.com/api/systems"

Format:

[0-9a-z]{32}-[0-9a-z]{2,5}

Test:

curl --request GET --url 'https://<dc>.api.mailchimp.com/3.0/' --user 'anystring:<API_KEY>' --include

Where <dc> is the second part of the key, after the '-'.

Docs are here:
https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html
https://docs.gitlab.com/ee/api/README.html#personal-access-tokens

curl https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>

Format:

CLIENT_ID: [0-9a-z\-]{36}
CLIENT_SECRET: [0-9A-Za-z\+\=]{40,50}
TENANT_ID: [0-9a-z\-]{36}

Test:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=<CLIENT_ID>&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials' 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token'

Geo location

curl https://api.ipstack.com/{ip_address}?access_key={keyhere}

Documentation: https://ipstack.com/documentation
Pricing: https://ipstack.com/product

Free tier only up to 10K requests per month.

Needs custom token, and API key.

1. obtain ID token and refresh token from custom token and API key: curl -s -XPOST -H 'content-type: application/json' -d '{"custom_token":":custom_token"}' 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'
2. exchange ID token for auth token: curl -s -XPOST -H 'content-type: application/json' -d '{"idToken":":id_token"}' https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'

Detection:

app id / client secret: sq0[a-z]{3}-[0-9A-Za-z-_]{22,43}
auth token: EAAA[a-zA-Z0-9]{60}

Test App id & client secret:

curl "https://squareup.com/oauth2/revoke" -d '{"access_token":"[RANDOM_STRING]","client_id":"[APP_ID]"}'  -H "Content-Type: application/json" -H "Authorization: Client [CLIENT_SECRET]"

Valid:

empty

Not valid:

{
  "message": "Not Authorized",
  "type": "service.not_authorized"
}

Test Auth token:

curl https://connect.squareup.com/v2/locations -H "Authorization: Bearer [AUHT_TOKEN]"

Valid:

{"locations":[{"id":"CBASELqoYPXr7RtT-9BRMlxGpfcgAQ","name":"Coffee \u0026 Toffee SF","address":{"address_line_1":"1455 Market Street","locality":"San Francisco","administrative_district_level_1":"CA","postal_code":"94103","country":"US"},"timezone":"America/Los_Angeles"........

Not valid:

{"errors":[{"category":"AUTHENTICATION_ERROR","code":"UNAUTHORIZED","detail":"This request could not be authorized."}]}

They've switched to Firebase.

GCM endpoint FCM endpoint

gcm-http.googleapis.com/gcm/ fcm.googleapis.com/fcm/
gcm-xmpp.googleapis.com fcm-xmpp.googleapis.com
android.clients.google.com/gcm/send fcm.googleapis.com/fcm/send
android.apis.google.com/*/send fcm.googleapis.com/fcm/send
android.googleapis.com/gcm/send fcm.googleapis.com/fcm/send

Deprecated endpoints on the left. New Firebase ones are on the right.

Hi,

Based on your work in this repo, I wrote a small bash script in order to make our life easier and save our precious time :)

Here it is:
https://github.com/gwen001/pentest-tools/blob/master/testkeys.sh

I don't have valid and invalid keys for all services (and it's alot of copy/paste xD) so feel free to ping me if something goes wrong.

Thank you :)

Hey
If you can provide a POC about
google_client_key: '{}',
google_client_id: '{}',
Would be appreciated <3

Hi,

Is it possible to add a way to verify the validity of Accengage leaked acc_partner_id, acc_private_key and acc_sender_id? I don't think there's another way to verify via a web service though, but only via their SDK.

https://docs.accengage.com/display/AND/Section+2+-+SDK+Integration

Please refer to Section 2.1.4.

Thanks!

how to exploit it as we dont have app_id

I found google client id and client secret hardcoded in android app in a BB program.How can confirm/show that the client secret and id are working?

//load some data to make sure it is work
curl "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token=ACCESS_TOKEN"

//note
Header. A literal value of either pk (public token), sk (secret token), or tk (temporary token).

If you ever found hubspot key, try sending request to following

Get all owner:

https://api.hubapi.com/owners/v2/owners?hapikey={keyhere}

Get all contact details:

https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={keyhere}

I've started this work cleaning up the ToC in #44 however after doing so I noticed there's further work to be done to remove duplicates (github personal access tokens, for example), and provide document references on further items. I'm happy to tackle this soon but raising this with help wanted in case somebody else would like to take it on.