Find Secret API-Keys

Aditya Soni
Dec 22, 2019 · 3 min read

Hello everyone, it may be just another blog on how to find API keys, but here I’ll try to give every Information about finding the secret API keys and how to use them to authenticate.

An Application Programming Interface key (API key) is a unique indentifier that is used to authenticate the incoming request and that program or user has known permissions for accessing the non-private user data.

API keys can be found in multiple ways, but the simplest method would be visiting the GitHub page of the desired program or checking the source code.

But it can be a bit of time-consuming, so to save a lot of time. Here is a great tool I would recommend to use:

KeyFinder

It’s easy to install and use

  1. Clone the repo or download it via https://github.com/momenbasel/keyFinder.git
  2. Open Chrome and go to chrome://extensions
  3. Enable “Developer Mode”
  4. Drag and drop the KeyFinder folder

After installing KeyFinder successfully go-to the target website and Click on the keyFinder icon added on the top right corner of chrome and manually add some common keywords used to find API keys so that KeyFinder can crawl in the website and Find the keys. After visiting links, click on the result/s and there you can see the outcomes.

Now what? that’s the main question. API keys can be used to authenticate without the username and password of an individual.

Below are some ways in which particular API keys found on a Bug Bounty Program can be used to check if they are valid and can also be used to Account takeover or extract personal information from the API.

curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
curl -s -u "user:apikey" https://api.github.com/user
curl -s -H "Authorization: token TOKEN_HERE" "https://api.github.com/users/USERNAME_HERE/orgs"
# Check scope of your api token
curl "https://api.github.com/rate_limit" -i -u "user:apikey" | grep "X-OAuth-Scopes:"
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
curl -X "GET" "https://api.sendgrid.com/v3/scopes" -H "Authorization: Bearer SENDGRID_TOKEN-HERE" -H "Content-Type: application/json"

Install awscli, set the access key and secret to environment variables, and execute the following command:

AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy aws sts get-caller-identity

AWS credentials’ permissions can be determined using Enumerate-IAM. This gives a broader view of the discovered AWS credentials privileges instead of just checking S3 buckets.

git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
curl -X POST https://api.heroku.com/apps -H "Accept: application/vnd.heroku+json; version=3" -H "Authorization: Bearer API_KEY_HERE"
https://api.instagram.com/v1/users/self/?access_token=ACCESS-TOKEN
curl -H "Authorization: Bearer <ACCESS_TOKEN>" https://api.spotify.com/v1/me
curl https://{subdomain}.zendesk.com/api/v2/tickets.json \
-H "Authorization: Bearer ACCESS_TOKEN"

Reference:
You can find more useful keys here: https://github.com/streaak/keyhacks
https://community.turgensec.com/finding-hidden-api-keys-how-to-use-them/


Secretx is a tool to extract the API keys from each requested URLs.

Usage
python3 secretx.py --list urlList.txt --threads 15

Best of luck everyone. Keep-Hacking!

Feedbacks and edits are welcome

Twitter, Linkedin

If you enjoyed this blog, please click the 👏 button and share it to help others find it.

Cyber Verse

You are under survillence.

Aditya Soni

Written by

Cyber Security Researcher

Cyber Verse

You are under survillence.

More From Medium

More on Bug Bounty from Cyber Verse

More on Bug Bounty from Cyber Verse

More on Hacking from Cyber Verse

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade