Professional Documents
Culture Documents
Finding Hidden API Keys & How To Use Them - Sumit Jain - Medium
Finding Hidden API Keys & How To Use Them - Sumit Jain - Medium
Finding Hidden API Keys & How To Use Them - Sumit Jain - Medium
Hi Everyone,
My Name is Sumit Jain .This time i going to talk about how to find hidden API Keys &
how to use them.
APIs are the keys to an organization’s databases, so it’s essential to control who has
access to them. Industry-standard authentication and authorization mechanisms such as
OAuth/OpenID Connect, in conjunction with Transport Layer Security (TLS), are
crucial.
When APIs are open to the public, they face the challenge of determining if incoming
requests should be trusted. Is the request a customer? Or is it an attacker? In some cases,
even if the API detects and successfully denies an untrusted request, the API may
nevertheless allow the potentially malicious user to try again — and again and again and
again. This kind of security oversight may allow attackers to attempt to playback or
replay a legitimate user request until they are successful. Counter measures against these
brute force attacks include rate-limiting policies to throttle requests, two-factor
authentication, or a short-lived access token facilitated by OAuth
momenbasel/keyFinder
keyFinder is chrome exstenion that searches the DOM for any embedd
script link, as script tag may contain keys for…
github.com
Installation
1. Download or Clone it via https://github.com/momenbasel/KeyFinder.git
Now You can go to your target & visit pages. The extensions will automatically capture
hidden/public api keys.
In the Search field you can add your manual keywords to find api keys
After visiting links , Click on Result/s & you can see the outcomes
Now the Most interesting part, you found some keys and don’t know what to do further.
Read it till last line :)
So below the details shows ways in which particular API keys found on a Bug Bounty
Program can be used, to check if they are valid
curl “https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?
access_token=ACCESS_TOKEN"
streaak/keyhacks
KeyHacks shows ways in which particular API keys found on a Bug
Bounty Program can be used, to check if they are valid…
github.com
Thank you