Update API Key Leak.md

This commit is contained in:
Mehdi 2023-08-23 14:53:35 +03:30 committed by GitHub
parent b30f8e60c4
commit d2cca01039
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -1 +1,126 @@
# API Key Leak
The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
# Exploit
**Facebook Access Token**
```bash
curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
```
**Github client id and client secret**
```bash
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
```
**Twitter (X) API Secret**
```bash
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
```
**Twitter (X) Bearer Token**
```bash
curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
```
**Gitlab Personal Access Token**
```bash
curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"
```
**HockeyApp API Token**
```bash
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4
```
**IIS Machine Keys**
That machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
Requirements:
* machineKey validationKey and decryptionKey
* __VIEWSTATEGENERATOR cookies
* __VIEWSTATE cookies
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
```bash
<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
```
# Tools
* Is a tool that let you find keys while surfing the web:
https://github.com/momenbasel/KeyFinder
* Is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid:
https://github.com/streaak/keyhacks
* Find credentials all over the place:
https://github.com/trufflesecurity/truffleHog
```bash
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git https://github.com/trufflesecurity/trufflehog.git
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
```
* General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets:
https://github.com/aquasecurity/trivy
* Use these templates to test an API token against many API service endpoints:
https://github.com/projectdiscovery/nuclei-templates
```bash
nuclei -t token-spray/ -var token=token_list.txt
```
* A library for detecting known or weak secrets on across many platforms:
https://github.com/blacklanternsecurity/badsecrets
```bash
python examples/cli.py --url http://example.com/contains_bad_secret.html
python examples/cli.py eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo
python ./badsecrets/examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
python ./badsecrets/examples/telerik_knownkey.py --url http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx
python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/
```
* Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more:
https://github.com/mazen160/secrets-patterns-db