diff --git a/API Key Leak.md b/API Key Leak.md index 8b13789..101e495 100644 --- a/API Key Leak.md +++ b/API Key Leak.md @@ -1 +1,126 @@ +# API Key Leak +The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. + +# Exploit + +**Facebook Access Token** +```bash +curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2 + +``` +**Github client id and client secret** +```bash +curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy' + +``` +**Twitter (X) API Secret** +```bash +curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token' + +``` +**Twitter (X) Bearer Token** +```bash +curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN' + +``` + +**Gitlab Personal Access Token** +```bash +curl "https://gitlab.example.com/api/v4/projects?private_token=" + +``` +**HockeyApp API Token** +```bash +curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4 + +``` +**IIS Machine Keys** + +That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification. + +Requirements: +* machineKey validationKey and decryptionKey +* __VIEWSTATEGENERATOR cookies +* __VIEWSTATE cookies + +Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication. +```bash + + +``` + +# Tools +* Is a tool that let you find keys while surfing the web: + +https://github.com/momenbasel/KeyFinder + +* Is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid: + +https://github.com/streaak/keyhacks + +* Find credentials all over the place: + +https://github.com/trufflesecurity/truffleHog +```bash +docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys +docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity +trufflehog git https://github.com/trufflesecurity/trufflehog.git +trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 + +``` +* General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets: + +https://github.com/aquasecurity/trivy + +* Use these templates to test an API token against many API service endpoints: + +https://github.com/projectdiscovery/nuclei-templates +```bash +nuclei -t token-spray/ -var token=token_list.txt + +``` + +* A library for detecting known or weak secrets on across many platforms: + +https://github.com/blacklanternsecurity/badsecrets +```bash +python examples/cli.py --url http://example.com/contains_bad_secret.html +python examples/cli.py eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo +python ./badsecrets/examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE +python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx +python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/ + +``` + +* Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more: + +https://github.com/mazen160/secrets-patterns-db + + + + + + + + + + + + + + + + + + + + + + + + + + + +