Source Code Analysis and API Keys Exploitations

4 years ago 278
BOOK THIS SPACE FOR AD
ARTICLE AD

Tushar Verma

Image for post

Image for post

I was getting lots of requests and msg on Whatsapp, LinkedIn, Twitter about the source code analysis, and exploitation of API Keys. So I will share my approach and also some blogs and writeups which you can refer to get a clear understanding.

Image for post

Image for post

Google Images

So whenever we think of source code analysis, one thing which comes to my mind is how can I check thousands line of code manually. It’s not impossible but it’s time-consuming. So when I started learning about this Source Code Analysis, I asked Aditya Shende (Follow him on Twitter for tips on Bug Hunting) regarding this and he explained to me that try to use some keywords and focus on searching .js file (Don't look min.js).

But now the problem is there are many .js file and I am very lazy to search all so what to do???

Image for post

Image for post

Then I came across Manas Harsh’s Blog and got to know about one tool

Secret Finder-It is a python script based on LinkFinder, written to discover sensitive data like API keys, access token, authorizations, jwt,..etc in JavaScript files. This tool scrapes the js data from a particular domain and gives you output on the terminal on the basis of keywords defined in its regex.

$ git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
$ cd secretfinder
$ python -m pip install -r requirements.txt or pip install -r requirements.txt
$ python SecretFinder.py

python3 SecretFinder.py -i https://example.com/ -e

python3 SecretFinder.py -i https://example.com/1.js -o results.html

python3 SecretFinder.py -i https://example.com/1.js -o cli

So after doing Github recon and Source Code Analysis we sometimes get API Keys. Now we need to check if it is vulnerable or not. So for this, we can use Gmapsapiscanner

Gmapsapiscanner- is used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.

Some Blogs you can refer:

1-https://medium.com/bugbountywriteup/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e

2-https://medium.com/bugbountywriteup/google-maps-api-not-the-key-bugs-that-i-found-over-the-years-781840fc82aa

One Negative point about this tool is it is not checking JavaScript API.So, in that case, use this

Source-Developer.Google Documentations

<!DOCTYPE html>
<html>
<head>
<title>Simple Map</title>
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script
src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap&libraries=&v=weekly"
defer
></script>
<link rel="stylesheet" type="text/css" href="./style.css" />
<script src="./app.js"></script>
</head>
<body>
<div id="map"></div>
</body>
</html>

For some more Key Hacks you can check here -https://github.com/streaak/keyhacks

Thanks for Reading

You can also enroll for my Bug Hunting Training(Syllabus: Bugcrowd’s VRT Book)

For any quick query or getting in touch with me, You can follow me on

LinkedIn- www.linkedin.com/in/tushars25

Instagram- https://www.instagram.com/th3g3nt3lm4n/

Twitter-https://twitter.com/e11i0t_4lders0n

Read Entire Article