.png)
4 years ago
254 BOOK THIS SPACE FOR AD
ARTICLE AD
I was getting lots of requests and msg on Whatsapp, LinkedIn, Twitter about the source code analysis, and exploitation of API Keys. So I will share my approach and also some blogs and writeups which you can refer to get a clear understanding.
So whenever we think of source code analysis, one thing which comes to my mind is how can I check thousands line of code manually. It’s not impossible but it’s time-consuming. So when I started learning about this Source Code Analysis, I asked Aditya Shende (Follow him on Twitter for tips on Bug Hunting) regarding this and he explained to me that try to use some keywords and focus on searching .js file (Don't look min.js).
But now the problem is there are many .js file and I am very lazy to search all so what to do???
Then I came across Manas Harsh’s Blog and got to know about one tool
Secret Finder-It is a python script based on LinkFinder, written to discover sensitive data like API keys, access token, authorizations, jwt,..etc in JavaScript files. This tool scrapes the js data from a particular domain and gives you output on the terminal on the basis of keywords defined in its regex.
$ git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
$ cd secretfinder
$ python -m pip install -r requirements.txt or pip install -r requirements.txt
$ python SecretFinder.py
python3 SecretFinder.py -i https://example.com/ -e
python3 SecretFinder.py -i https://example.com/1.js -o results.html
python3 SecretFinder.py -i https://example.com/1.js -o cli
So after doing Github recon and Source Code Analysis we sometimes get API Keys. Now we need to check if it is vulnerable or not. So for this, we can use Gmapsapiscanner
Gmapsapiscanner- is used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.
Some Blogs you can refer:
One Negative point about this tool is it is not checking JavaScript API.So, in that case, use this
Source-Developer.Google Documentations
<!DOCTYPE html><html>
<head>
<title>Simple Map</title>
<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>
<script
src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap&libraries=&v=weekly"
defer
></script>
<link rel="stylesheet" type="text/css" href="./style.css" />
<script src="./app.js"></script>
</head>
<body>
<div id="map"></div>
</body>
</html>
For some more Key Hacks you can check here -https://github.com/streaak/keyhacks
Thanks for Reading
You can also enroll for my Bug Hunting Training(Syllabus: Bugcrowd’s VRT Book)
For any quick query or getting in touch with me, You can follow me on
LinkedIn- www.linkedin.com/in/tushars25
Instagram- https://www.instagram.com/th3g3nt3lm4n/
Bengali (Bangladesh) · 
English (United States) ·