Simple Tips for Bug Bounty Beginners: Finding API Key Leakage Vulnerabilities
During a time when businesses heavily rely on APIs (Application Programming Interfaces) to enhance user experience and functionality, the security of these APIs becomes paramount. However, even the most reputable companies are not immune to vulnerabilities that can cost a lot of money.
In this article, we delve into the methodology to discover an API key leakage vulnerability.
API key leakage refers to the exposure of API keys, which are secret tokens used to authenticate and authorize access to APIs. When exposed, these keys can be exploited by malicious actors to gain unauthorized access to sensitive data or resources, leading to a range of security threats such as data breaches, financial losses, and service disruptions.
All the above consequences are highly likely if the API key can be exploited for DDoS attacks.
For example, many API services are not free of cost. Staticmap API costs $2 per 1000 requests from an API key. So if an attacker decides to exploit a public Google Maps API key to send requests continuously for, let’s say 5000 requests per minute, it will cost the company around $15,000 per day. Obviously, a vulnerability like this has to be patched soon.
We will come to the vulnerability-fixing part at this write-up's end.
Discovery:
API keys are usually found in JavaScript files and can be discovered using various tools. Trufflehog is one of the popular tools for this purpose and can be added as a browser extension.
Once we find a public API key in the JS file, we can test what are the APIs that can be accessed using the key.
There are a lot of APIs to test such as Custom Search API, Staticmap API, Streetview API, Directions API, Geocode API, Distance Matrix API, Find Place From Text API, Autocomplete API, Elevation API, Timezone API, Nearest Roads API, Geolocation API, Traveled API, Speed Limit-Roads API, Place Details API, Nearby Search-Places API, Text Search-Places API, Places Photo API, Playable Locations API etc.
But for the sake of simplicity, let’s take an example of how to test the Google Maps Staticmap API:
1. The URL for Google Maps staticmap endpoint is https://maps.googleapis.com/maps/api/staticmap
2. We need to add certain parameters to this URL by appending a question mark (?), referencing each and assigning value to each parameter, and separating each parameter with an ampersand (&) symbol. For eg:
center=45%2C10
zoom=14
size=400x400
key=**********
(follow the same practice as above and do not reveal publicly available API keys in bug bounty writeups!)
The API call looks something like what is shown below:
https://maps.googleapis.com/maps/api/staticmap¢er=45%2C10&zoom=14&size=400x400&key=**********
If the API is accessible using the above link, then it means that the API Key is vulnerable to attacks.
Impact and Remediation:
Public exposure of API keys poses significant risks to the infrastructure and finances of websites. With access to APIs, malicious hackers can generate a high volume of requests, leading to excessive usage charges and potential service disruptions. Even further, this can also lead to compromise of user privacy and loss of reputation for the organization.
However, this can be avoided by taking the below steps:
1. Restrict API key usage to specific applications, APIs, websites, IP addresses, or HTTP referrers to prevent misuse.
2. Enable API key restrictions in the settings by utilizing Google Cloud Console to set application restrictions based on HTTP referrers or IP addresses, ensuring that the API key is only accessible from trusted sources.
3. Regularly monitor API key usage to detect any unusual activity and set up alerts for potential security incidents.
4. Periodically rotate API keys to mitigate the risk of exposure or compromise, thereby enhancing security.
5. Treat API keys as sensitive information and avoid sharing them in publicly accessible code repositories. Use secure methods for storing and transmitting keys.
6. Consider implementing a server-side proxy to make API requests, ensuring that the API key remains confidential on the server side.
7. Stay updated on best practices and security recommendations provided by Google and other API providers to enhance API key security.
Bonus: Implement rate limiting to stop malicious users from bombarding the server with requests and to prevent them from carrying out attacks on the server.
At the end of the day, organizations need to prioritize API security and implement stringent measures to protect sensitive information from exploitation.
_____________
Also, check out this whey protein powder from Avvatar, have personally tried it and highly recommended one:
Avvatar Malai Kulfi Whey Protein
Also, check out this exciting t-shirt for hackers from Zazzle: https://www.zazzle.com/t_shirt_for_hackers-256942901301145422
