Finding Exposed Sensitive API Keys in JS Files
Today we are going to learn: how to find exposed API tokens in .js files.
Exposed API tokens put companies at risk because they can grant unauthorized access to company databases or paid services.
It is also a common security vulnerability, and it usually comes from poor security practice on the development team, such as shipping keys inside client-side JavaScript bundles.
Why do exposed API keys pose a dangerous risk?
An exposed token is like an entry pass for malicious actors: they can use it to gain unauthorized access.
If the token grants access to a service such as AWS, GitHub or a payment gateway, attackers can abuse it, leading to financial loss for the company (and gain for the attacker).
If the token grants access to a database, it is a big problem for the company.
Now, let's start with some techniques to find exposed API tokens:
You can use Google dorks to find API tokens. For example:
site:example.com filetype:js apiKey
There are various other dorks you can find on the Internet.
You can also do a simple search of public repositories for API tokens by using the following keywords:
"apiKey"
"Bearer"
"token"
"Authorization"
For manual testing you need to visit each .js endpoint of the web application and inspect it for API keys.
Because it is manual, this is a time-consuming process, so below I am going to demonstrate how to automate it.
Tools Required For Automation :
1. Subfinder or any other subdomain enumeration tool
https://github.com/projectdiscovery/subfinder
2. Katana by Projectdiscovery
https://github.com/projectdiscovery/katana
3. httpx to filter out the live hosts
https://github.com/projectdiscovery/httpx
4. Mantra to find API keys and secrets in the collected .js files
https://github.com/brosck/mantra
Install the above tools on your workstation.
Now we will move to the next step. Follow these steps carefully :
1. Use subfinder to gather the subdomains of your target and save them to a file:
subfinder -d redacted.com -o redact.txt
2. Use httpx to filter the live hosts from redact.txt into a new file (the list-input flag is -l):
httpx -l redact.txt -o livered.txt
3. Use katana to crawl the live hosts, keep only the .js endpoints and save them to a file (the dot is escaped so that only URLs actually ending in .js match; katana's own -em js extension filter is an alternative to the grep):
katana -u livered.txt | grep '\.js$' | tee redactjs
4. Pipe the contents of redactjs into mantra:
cat redactjs | mantra
The following is a screenshot of my scan on the actual target. I didn't get any API tokens, but I got an easy way to find sensitive info in .js files.
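What the last step is actually looking for, as an added example that is not part of the original post and is not mantra's code: a small Python scanner that applies the two kinds of check a secret-finding tool runs over each downloaded .js file. Format-anchored patterns catch well-known token types (AWS access key IDs, GitHub tokens, Google API keys, Slack tokens, Bearer headers) with almost no false positives, and a noisier keyword search covers the apiKey/token/secret assignments the post greps for, filtered by an entropy threshold and a placeholder-word list so that "YOUR_API_KEY_HERE" and repeated filler are dropped. The sample JavaScript is constructed: the AWS key is the one used in the AWS documentation examples, and the other strings are shaped to match each format but are not real credentials.

```python
"""Pattern-plus-entropy scanner for exposed API keys in JavaScript source.

Added example (not code from the original post or from the mantra project).
"""
import math
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # which pattern matched
    value: str   # the candidate secret
    line: int    # 1-based line number in the scanned file


# Format-anchored patterns for well-known token types. A hit here needs no
# further filtering: the prefix and length are fixed by the issuer.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z\-]{10,}\b"),
    # group 1 is the token itself, without the "Bearer " prefix
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9._~+/=\-]{20,})"),
}

# Generic  name = "value"  /  name: "value"  assignments for the keywords the
# post greps for. These are noisy, so every hit goes through the filters below.
GENERIC_ASSIGN = re.compile(
    r"""(?i)(\w*(?:api[_-]?key|secret|token|authorization|password)\w*)"""
    r"""["']?\s*[:=]\s*["']([^"']{16,})["']"""
)

# Substrings that mark a value as a template rather than a credential.
PLACEHOLDER_WORDS = ("your", "placeholder", "changeme", "xxxx", "insert")
# Bits per character; random keys sit above this, repeated characters and
# short English-like filler sit below it.
MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: the usual 'does this look random' check."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_js(source: str) -> List[Finding]:
    """Return every candidate secret found in a JavaScript file, with line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hit_on_line = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(kind, value, lineno))
                hit_on_line = True
        if hit_on_line:
            continue  # do not report the same secret again through the generic pattern
        for m in GENERIC_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            if any(word in value.lower() for word in PLACEHOLDER_WORDS):
                continue  # template value, not a credential
            if shannon_entropy(value) < MIN_ENTROPY:
                continue  # too regular to be a generated key
            findings.append(Finding(f"generic:{name}", value, lineno))
    return findings


# Constructed sample of a bundled front-end file. The AWS key is the AWS
# documentation example; the rest are shaped to match each format only.
SAMPLE_JS = """\
const endpoint = "https://api.example.com/v1/users";
const config = {
  apiKey: "AIzaSyD1234567890abcdefghijklmnopqrstuv",
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "c3f9a1e7b24d8f60a9e1c5b7d2f4a6e8",
  apiKeyDev: "YOUR_API_KEY_HERE",
  password: "aaaaaaaaaaaaaaaaaaaa",
};
fetch(endpoint, { headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456" } });
const gh = { token: "ghp_0123456789abcdefghijklmnopqrstuvwxyz" };
const devToken = process.env.DEV_TOKEN;
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line:>3}  {f.kind:<24} {f.value}")
```

On the sample this reports five findings (the Google key, the AWS key ID, the 32-hex secretAccessKey, the Bearer token and the GitHub token) and correctly stays quiet on the placeholder, the repeated-character password and the value read from process.env. To use it on the files katana collected, download each URL and call scan_js on the body. A hit is only the start of the work: the impact depends on what the key can reach, so the next step is to verify its scope with the provider's API in a read-only way and report it, not to use it.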
You can use the above tools to automate your bug bounty work to some extent rather than burning out on purely manual methods.
So I hope you will add this method to your arsenal.
Happy Hunting !!