└── README.md
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 | KeyHacks shows ways in which particular API keys found on a Bug Bounty Program can be used, to check if they are valid.
7 |
8 | @Gwen001 has scripted the entire process; the script is available [here](https://github.com/gwen001/pentest-tools/blob/master/keyhacks.sh).
9 |
10 | # Table of Contents
11 |
12 | - [ABTasty API Key](#ABTasty-API-Key)
13 | - [Algolia API key](#Algolia-API-key)
14 | - [Amplitude API Keys](#Amplitude-API-Keys)
15 | - [Asana Access token](#Asana-Access-Token)
16 | - [AWS Access Key ID and Secret](#AWS-Access-Key-ID-and-Secret)
17 | - [Azure Application Insights APP ID and API Key](#Azure-Application-Insights-APP-ID-and-API-Key)
18 | - [Bing Maps API Key](#Bing-Maps-API-Key)
19 | - [Bit.ly Access token](#Bitly-Access-token)
20 | - [Branch.io Key and Secret](#BranchIO-Key-and-Secret)
21 | - [BrowserStack Access Key](#BrowserStack-Access-Key)
22 | - [Buildkite Access token](#Buildkite-Access-token)
23 | - [ButterCMS API Key](#ButterCMS-API-Key)
24 | - [Calendly API Key](#Calendly-API-Key)
25 | - [CircleCI Access Token](#CircleCI-Access-Token)
26 | - [Cypress record key](#Cypress-record-key)
27 | - [DataDog API key](#DataDog-API-key)
28 | - [Delighted API key](#Delighted-api-key)
29 | - [Deviant Art Access Token](#Deviant-Art-Access-Token)
30 | - [Deviant Art Secret](#Deviant-Art-Secret)
31 | - [Dropbox API](#Dropbox-API)
32 | - [Facebook Access Token](#Facebook-Access-Token)
33 | - [Facebook AppSecret](#Facebook-AppSecret)
34 | - [Firebase](#Firebase)
35 | - [Firebase Cloud Messaging (FCM)](#Firebase-Cloud-Messaging)
36 | - [FreshDesk API Key](#FreshDesk-API-key)
37 | - [Github client id and client secret](#Github-client-id-and-client-secret)
38 | - [GitHub private SSH key](#GitHub-private-SSH-key)
39 | - [Github Token](#Github-Token)
40 | - [Gitlab personal access token](#Gitlab-personal-access-token)
41 | - [Google Cloud Service Account credentials](#Google-Cloud-Service-Account-credentials)
42 | - [Google Maps API key](#Google-Maps-API-key)
43 | - [Google Recaptcha key](#Google-Recaptcha-key)
44 | - [Heroku API key](#Heroku-API-key)
45 | - [HubSpot API key](#Hubspot-API-key)
46 | - [Instagram Access Token](#Instagram-Access-Token)
47 | - [Instagram Basic Display API](#Instagram-Basic-Display-API-Access-Token)
48 | - [Instagram Graph API](#Instagram-Graph-Api-Access-Token)
49 | - [Ipstack API Key](#Ipstack-API-Key)
50 | - [Iterable API Key](#Iterable-API-Key)
51 | - [JumpCloud API Key](#JumpCloud-API-Key)
52 | - [Keen.io API Key](#Keenio-API-Key)
53 | - [LinkedIn OAUTH](#LinkedIn-OAUTH)
54 | - [Lokalise API Key](#Lokalise-API-Key)
55 | - [Loqate API Key](#Loqate-API-key)
56 | - [MailChimp API Key](#MailChimp-API-Key)
57 | - [MailGun Private Key](#MailGun-Private-Key)
58 | - [Mapbox API key](#Mapbox-API-Key)
59 | - [Microsoft Azure Tenant](#Microsoft-Azure-Tenant)
60 | - [Microsoft Shared Access Signatures (SAS)](#Microsoft-Shared-Access-Signatures-(SAS))
61 | - [New Relic Personal API Key (NerdGraph)](#New-Relic-Personal-API-Key-(NerdGraph))
62 | - [New Relic REST API](#New-Relic-REST-API)
63 | - [NPM token](#NPM-token)
64 | - [Pagerduty API token](#Pagerduty-API-token)
65 | - [Paypal client id and secret key](#Paypal-client-id-and-secret-key)
66 | - [Pendo Integration Key](#Pendo-Integration-Key)
67 | - [PivotalTracker API Token](#PivotalTracker-API-Token)
68 | - [Razorpay API key and secret key](#Razorpay-keys)
69 | - [Salesforce API key](#Salesforce-API-key)
70 | - [SauceLabs Username and access Key](#SauceLabs-Username-and-access-Key)
71 | - [SendGrid API Token](#SendGrid-API-Token)
72 | - [Slack API token](#Slack-API-token)
73 | - [Slack Webhook](#Slack-Webhook)
74 | - [Sonarcloud](#Sonarcloud-Token)
75 | - [Spotify Access Token](#Spotify-Access-Token)
76 | - [Square](#Square)
77 | - [Stripe Live Token](#Stripe-Live-Token)
78 | - [Travis CI API token](#Travis-CI-API-token)
79 | - [Twilio Account_sid and Auth token](#Twilio-Account_sid-and-Auth-token)
80 | - [Twitter API Secret](#Twitter-API-Secret)
81 | - [Twitter Bearer token](#Twitter-Bearer-token)
82 | - [Visual Studio App Center API Token](#Visual-Studio-App-Center-API-Token)
83 | - [WakaTime API Key](#WakaTime-API-Key)
84 | - [WeGlot Api Key](#weglot-api-key)
85 | - [WPEngine API Key](#WPEngine-API-Key)
86 | - [YouTube API Key](#YouTube-API-Key)
87 | - [Zapier Webhook Token](#Zapier-Webhook-Token)
88 | - [Zendesk Access token](#Zendesk-Access-Token)
89 | - [Zendesk API key](#Zendesk-api-key)
90 |
91 |
92 | # Detailed Information
93 |
94 | ## [Slack Webhook](https://api.slack.com/incoming-webhooks)
95 |
96 | If the command below returns `missing_text_or_fallback_or_attachments`, the URL is valid; any other response means the URL is invalid.
97 | ```
98 | curl -s -X POST -H "Content-type: application/json" -d '{"text":""}' "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
99 | ```
100 |
101 | ## [Slack API token](https://api.slack.com/web)
102 | ```
103 | curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
104 | ```
105 |
106 | ## [SauceLabs Username and access Key](https://wiki.saucelabs.com/display/DOCS/Account+Methods)
107 | ```
108 | curl -u USERNAME:ACCESS_KEY https://saucelabs.com/rest/v1/users/USERNAME
109 | ```
110 |
111 | ## Facebook AppSecret
112 |
113 | You can generate access tokens by visiting the URL below.
114 |
115 | ```
116 | https://graph.facebook.com/oauth/access_token?client_id=ID_HERE&client_secret=SECRET_HERE&redirect_uri=&grant_type=client_credentials
117 | ```
118 |
119 | ## Facebook Access Token
120 | ```
121 | https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2
122 | ```
123 |
124 | ## [Firebase](https://firebase.google.com/)
125 | Requires a **custom token**, and an **API key**.
126 |
127 | 1. Obtain ID token and refresh token from custom token and API key: `curl -s -XPOST -H 'content-type: application/json' -d '{"token":":custom_token","returnSecureToken":true}' 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=:api_key'`
128 | 2. Exchange ID token for auth token: `curl -s -XPOST -H 'content-type: application/json' -d '{"idToken":":id_token"}' 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'`
129 |
130 | ## [Github Token](https://developer.github.com/v3/)
131 | ```
132 | curl -s -u "user:apikey" https://api.github.com/user
133 | curl -s -H "Authorization: token TOKEN_HERE" "https://api.github.com/users/USERNAME_HERE/orgs"
134 | # Check the scope of your API token (header names are lowercase over HTTP/2, hence grep -i)
135 | curl -s "https://api.github.com/rate_limit" -i -u "user:apikey" | grep -i "X-OAuth-Scopes:"
136 | ```
137 |
138 | ## [Github client id and client secret](https://developer.github.com/v3/#oauth2-keysecret)
139 | ```
140 | curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
141 | ```
142 |
143 | ## [Firebase Cloud Messaging](https://firebase.google.com/docs/cloud-messaging)
144 |
145 | Reference: https://abss.me/posts/fcm-takeover
146 |
147 | ```
148 | curl -s -X POST --header "Authorization: key=AI..." --header "Content-Type:application/json" 'https://fcm.googleapis.com/fcm/send' -d '{"registration_ids":["1"]}'
149 | ```
150 |
151 | ## GitHub private SSH key
152 |
153 | SSH private keys can be tested against github.com to see if they are registered against an existing user account. If the key exists the username corresponding to the key will be provided. ([source](https://github.com/streaak/keyhacks/issues/2))
154 |
155 | ```
156 | $ ssh -i PATH_TO_PRIVATE_KEY -T git@github.com
157 | Hi USERNAME! You've successfully authenticated, but GitHub does not provide shell access.
158 | ```
159 |
160 | ## [Twilio Account_sid and Auth token](https://www.twilio.com/docs/iam/api/account)
161 | ```
162 | curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN
163 | ```
164 |
165 | ## [Twitter API Secret](https://developer.twitter.com/en/docs/basics/authentication/guides/bearer-tokens.html)
166 | ```
167 | curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
168 | ```
169 |
170 | ## [Twitter Bearer token](https://developer.twitter.com/en/docs/accounts-and-users/subscribe-account-activity/api-reference/aaa-premium)
171 | ```
172 | curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
173 | ```
174 |
175 | ## [HubSpot API key](https://developers.hubspot.com/docs/methods/owners/get_owners)
176 |
177 | Get all owners:
178 | ```
179 | https://api.hubapi.com/owners/v2/owners?hapikey={keyhere}
180 | ```
181 | Get all contact details:
182 | ```
183 | https://api.hubapi.com/contacts/v1/lists/all/contacts/all?hapikey={keyhere}
184 |
185 | ```
186 |
187 | ## [Deviant Art Secret](https://www.deviantart.com/developers/authentication)
188 | ```
189 | curl https://www.deviantart.com/oauth2/token -d grant_type=client_credentials -d client_id=ID_HERE -d client_secret=mysecret
190 | ```
191 |
192 | ## [Deviant Art Access Token](https://www.deviantart.com/developers/authentication)
193 | ```
194 | curl https://www.deviantart.com/api/v1/oauth2/placebo -d access_token=Alph4num3r1ct0k3nv4lu3
195 | ```
196 |
197 | ## [Pendo Integration Key](https://help.pendo.io/resources/support-library/api/index.html?bash#authentication)
198 | ```
199 | curl -X GET https://app.pendo.io/api/v1/feature -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE'
200 | curl -X GET https://app.pendo.io/api/v1/metadata/schema/account -H 'content-type: application/json' -H 'x-pendo-integration-key:KEY_HERE'
201 | ```
202 |
203 | ## [SendGrid API Token](https://docs.sendgrid.com/api-reference)
204 | ```
205 | curl -X "GET" "https://api.sendgrid.com/v3/scopes" -H "Authorization: Bearer SENDGRID_TOKEN-HERE" -H "Content-Type: application/json"
206 | ```
207 |
208 | ## [Square](https://squareup.com/)
209 | **Detection:**
210 |
211 | App id/client secret: `sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}`
212 | Auth token: `EAAA[a-zA-Z0-9]{60}`
213 |
214 | **Test App id & client secret:**
215 | ```
216 | curl "https://squareup.com/oauth2/revoke" -d '{"access_token":"[RANDOM_STRING]","client_id":"[APP_ID]"}' -H "Content-Type: application/json" -H "Authorization: Client [CLIENT_SECRET]"
217 | ```
218 |
219 | Response indicating valid credentials:
220 | ```
221 | empty
222 | ```
223 |
224 | Response indicating invalid credentials:
225 | ```
226 | {
227 | "message": "Not Authorized",
228 | "type": "service.not_authorized"
229 | }
230 | ```
231 |
232 | **Test Auth token:**
233 | ```
234 | curl https://connect.squareup.com/v2/locations -H "Authorization: Bearer [AUTH_TOKEN]"
235 | ```
236 |
237 | Response indicating valid credentials:
238 | ```
239 | {"locations":[{"id":"CBASELqoYPXr7RtT-9BRMlxGpfcgAQ","name":"Coffee \u0026 Toffee SF","address":{"address_line_1":"1455 Market Street","locality":"San Francisco","administrative_district_level_1":"CA","postal_code":"94103","country":"US"},"timezone":"America/Los_Angeles"........
240 | ```
241 |
242 | Response indicating invalid credentials:
243 | ```
244 | {"errors":[{"category":"AUTHENTICATION_ERROR","code":"UNAUTHORIZED","detail":"This request could not be authorized."}]}
245 | ```
246 |
247 | ## [Dropbox API](https://www.dropbox.com/developers/documentation/http/documentation)
248 | ```
249 | curl -X POST https://api.dropboxapi.com/2/users/get_current_account --header "Authorization: Bearer TOKEN_HERE"
250 | ```
251 |
252 | ## [AWS Access Key ID and Secret](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html)
253 |
254 | Install [awscli](https://aws.amazon.com/cli/), set the [access key and secret to environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html), and execute the following command:
255 | ```
256 | AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=yyyy aws sts get-caller-identity
257 | ```
258 |
259 | The permissions of AWS credentials can be determined using [Enumerate-IAM](https://github.com/andresriancho/enumerate-iam).
260 | This gives a broader view of the discovered AWS credentials' privileges than just checking S3 buckets.
261 |
262 | ```
263 | git clone https://github.com/andresriancho/enumerate-iam
264 | cd enumerate-iam
265 | ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
266 | ```
267 |
268 | ## [Lokalise API Key](https://app.lokalise.com/api2docs/curl/#resource-authentication)
269 | ```
270 | curl --request GET --url https://api.lokalise.com/api2/projects/ \
271 |   --header 'x-api-token: [API-KEY-HERE]'
272 | ```
273 |
274 | ## [MailGun Private Key](https://documentation.mailgun.com/en/latest/api_reference.html)
275 | ```
276 | curl --user 'api:YOUR_API_KEY' "https://api.mailgun.net/v3/domains"
277 | ```
278 |
279 | ## [FreshDesk API Key](https://developers.freshdesk.com/api/#getting-started)
280 | ```
281 | curl -v -u user@yourcompany.com:test -X GET 'https://domain.freshdesk.com/api/v2/groups/1'
282 | ```
283 |
284 | Put the API key in place of `user@yourcompany.com` and the password in place of `test`, and set `domain.freshdesk.com` to the instance URL of the target. If you get a 403, try the endpoint `api/v2/tickets`, which is accessible for all keys.
285 | ## [JumpCloud API Key](https://docs.jumpcloud.com/1.0/authentication-and-authorization/authentication-and-authorization-overview)
286 |
287 | #### [v1](https://docs.jumpcloud.com/1.0/systemusers)
288 | ```
289 | # List systems:
290 | curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/systems"
291 | curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/systemusers"
292 | curl -H "x-api-key: APIKEYHERE" "https://console.jumpcloud.com/api/applications"
293 | ```
294 |
295 | #### [v2](https://docs.jumpcloud.com/2.0/systems/list-the-associations-of-a-system)
296 |
297 | ```
298 | # List systems:
299 | curl -X GET https://console.jumpcloud.com/api/v2/systems/{System_ID}/memberof \
300 | -H 'Accept: application/json' \
301 | -H 'Content-Type: application/json' \
302 | -H 'x-api-key: {API_KEY}'
303 | ```
304 |
305 | ## Microsoft Azure Tenant
306 | Format:
307 | ```
308 | CLIENT_ID: [0-9a-z\-]{36}
309 | CLIENT_SECRET: [0-9A-Za-z\+\=]{40,50}
310 | TENANT_ID: [0-9a-z\-]{36}
311 | ```
312 | Verification:
313 | ```
314 | curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=CLIENT_ID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=CLIENT_SECRET&grant_type=client_credentials' 'https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token'
315 | ```
316 |
317 | ## [Microsoft Shared Access Signatures (SAS)](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/storage/common/storage-dotnet-shared-access-signature-part-1.md)
318 |
319 | The following C# code can be used to test a Shared Access Signature token:
320 | ```csharp
321 | static void UseAccountSAS(string sasToken)
322 | {
323 | // Create new storage credentials using the SAS token.
324 | StorageCredentials accountSAS = new StorageCredentials(sasToken);
325 | // Use these credentials and the account name to create a Blob service client.
326 | CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "account-name", endpointSuffix: null, useHttps: true);
327 | CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();
328 |
329 | // Now set the service properties for the Blob client created with the SAS.
330 | blobClientWithSAS.SetServiceProperties(new ServiceProperties()
331 | {
332 | HourMetrics = new MetricsProperties()
333 | {
334 | MetricsLevel = MetricsLevel.ServiceAndApi,
335 | RetentionDays = 7,
336 | Version = "1.0"
337 | },
338 | MinuteMetrics = new MetricsProperties()
339 | {
340 | MetricsLevel = MetricsLevel.ServiceAndApi,
341 | RetentionDays = 7,
342 | Version = "1.0"
343 | },
344 | Logging = new LoggingProperties()
345 | {
346 | LoggingOperations = LoggingOperations.All,
347 | RetentionDays = 14,
348 | Version = "1.0"
349 | }
350 | });
351 |
352 | // The permissions granted by the account SAS also permit you to retrieve service properties.
353 | ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();
354 | Console.WriteLine(serviceProperties.HourMetrics.MetricsLevel);
355 | Console.WriteLine(serviceProperties.HourMetrics.RetentionDays);
356 | Console.WriteLine(serviceProperties.HourMetrics.Version);
357 | }
358 | ```
359 |
360 | ## [New Relic Personal API Key (NerdGraph)](https://docs.newrelic.com/docs/apis/nerdgraph/get-started/introduction-new-relic-nerdgraph#endpoint)
361 |
362 | ```
363 | curl -X POST https://api.newrelic.com/graphql \
364 | -H 'Content-Type: application/json' \
365 | -H 'API-Key: YOUR_API_KEY' \
366 | -d '{ "query": "{ requestContext { userId apiKey } }" } '
367 | ```
368 |
369 | ## [New Relic REST API](https://docs.newrelic.com/docs/apis/rest-api-v2/application-examples-v2/list-your-app-id-metric-timeslice-data-v2)
370 |
371 | ```
372 | curl -X GET 'https://api.newrelic.com/v2/applications.json' \
373 | -H "X-Api-Key:${APIKEY}" -i
374 | ```
375 |
376 | If valid, test further to see if it's an [admin key](https://docs.newrelic.com/docs/apis/get-started/intro-apis/types-new-relic-api-keys#admin)
377 |
378 | ## [Heroku API key](https://devcenter.heroku.com/articles/platform-api-quickstart)
379 | ```
380 | curl -X POST https://api.heroku.com/apps -H "Accept: application/vnd.heroku+json; version=3" -H "Authorization: Bearer API_KEY_HERE"
381 | ```
382 | ## [Mapbox API key](https://docs.mapbox.com/api/)
383 |
384 | Mapbox tokens start with `pk` (public token), `sk` (secret token), or `tk` (temporary token).
385 |
386 | ```
387 | curl "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token=ACCESS_TOKEN"
388 |
389 | # Check token validity
390 | curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
391 |
392 | # Get the list of all tokens associated with an account (only works if the token is a secret token (sk) and has the appropriate scope)
393 | curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
394 | ```
395 |
396 | ## [Salesforce API key](https://developer.salesforce.com/docs/atlas.en-us.api_rest.meta/api_rest/quickstart_oauth.htm)
397 | ```
398 | curl https://instance_name.salesforce.com/services/data/v20.0/ -H 'Authorization: Bearer access_token_here'
399 | ```
400 |
401 | ## [Algolia API key](https://www.algolia.com/doc/rest-api/search/#overview)
402 |
403 | Be cautious when running this command, since the payload might execute within an administrative environment, depending on what index you are editing the `highlightPreTag` of. It's recommended to use a more silent payload (such as XSS Hunter) to prove the possible cross-site scripting attack.
404 |
405 | ```
406 | curl --request PUT \
407 |   --url https://APPLICATION_ID-1.algolianet.com/1/indexes/INDEX_NAME/settings \
408 |   --header 'content-type: application/json' \
409 |   --header 'x-algolia-api-key: API_KEY_HERE' \
410 |   --header 'x-algolia-application-id: APPLICATION_ID' \
411 | --data '{"highlightPreTag": ""}'
412 | ```
413 |
414 | ## [Zapier Webhook Token](https://zapier.com/help/how-get-started-webhooks-zapier/)
415 | ```
416 | curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"name":"streaak"}' "webhook_url_here"
417 | ```
418 |
419 | ## [Pagerduty API token](https://support.pagerduty.com/docs/using-the-api)
420 | ```
421 | curl -H "Accept: application/vnd.pagerduty+json;version=2" -H "Authorization: Token token=TOKEN_HERE" -X GET "https://api.pagerduty.com/schedules"
422 | ```
423 |
424 | ## [BrowserStack Access Key](https://www.browserstack.com/automate/rest-api)
425 | ```
426 | curl -u "USERNAME:ACCESS_KEY" https://api.browserstack.com/automate/plan.json
427 | ```
428 |
429 | ## [Google Maps API key](https://developers.google.com/maps/documentation/javascript/get-api-key)
430 |
431 | **Key restrictions are set per service. When testing the key, if the key is restricted/inactive on one service try it with another.**
432 |
433 | | Name| Endpoint| Pricing|
434 | | ------------- |:-------------:| -----:|
435 | | Static Maps | https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY_HERE| $2 |
436 | | Streetview | https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY_HERE| $7 |
437 | | Embed | https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY_HERE| Varies |
438 | | Directions | https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY_HERE| $5 |
439 | | Geocoding | https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY_HERE| $5 |
440 | | Distance Matrix| https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY_HERE | $5 |
441 | |Find Place from Text | https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY_HERE | Varies |
442 | | Autocomplete | https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY_HERE| Varies |
443 | | Elevation | https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY_HERE | $5 |
444 | | Timezone | https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510&timestamp=1331161200&key=KEY_HERE | $5 |
445 | | Roads | https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795\|60.170879,24.942796\|60.170877,24.942796&key=KEY_HERE | $10|
446 | | Geolocate | https://www.googleapis.com/geolocation/v1/geolocate?key=KEY_HERE| $5 |
447 |
448 | *\*Pricing is in USD per 1000 requests (for the first 100k requests)*
449 |
450 | More information is available here:
451 |
452 | https://medium.com/@ozguralp/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e
453 |
454 | https://github.com/ozguralp/gmapsapiscanner/
455 |
456 | https://developers.google.com/maps/api-key-best-practices
457 |
458 | ## [Google Recaptcha key](https://developers.google.com/recaptcha/docs/verify)
459 |
460 | Send a POST to the following URL:
461 |
462 | ```
463 | https://www.google.com/recaptcha/api/siteverify
464 | ```
465 |
466 | `secret` and `response` are two required POST parameters, where `secret` is the key and `response` is the response to test for.
467 |
468 | Regular expression: `^6[0-9a-zA-Z_-]{39}$`. The API key always starts with a 6 and is 40 chars long. Read more here: https://developers.google.com/recaptcha/docs/verify.
469 |
470 | ## [Google Cloud Service Account credentials](https://cloud.google.com/docs/authentication/production)
471 |
472 | Service Account credentials may be found in a JSON file like this:
473 |
474 | ```
475 | $ cat service_account.json
476 | {
477 | "type": "service_account",
478 | "project_id": "...",
479 | "private_key_id": "...",
480 | "private_key": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n",
481 | "client_email": "...",
482 | "client_id": "...",
483 | "auth_uri": "https://accounts.google.com/o/oauth2/auth",
484 | "token_uri": "https://oauth2.googleapis.com/token",
485 | "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
486 | "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."
487 | }
488 | ```
489 |
490 | If you find such a file, you can check the credentials using the `gcloud` tool ([how to install `gcloud`](https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu)):
491 |
492 | ```
493 | $ gcloud auth activate-service-account --key-file=service_account.json
494 | Activated service account credentials for: [...]
495 | $ gcloud auth print-access-token
496 | ya29.c...
497 | ```
498 |
499 | On success, the access token is printed in the terminal. After verifying that the credentials are valid, you may want to enumerate their permissions, which is another story.
500 |
501 | ## [Branch.IO Key and Secret](https://docs.branch.io/pages/apps/deep-linking-api/#app-read)
502 |
503 | Visit the following URL to check for validity:
504 |
505 | ```
506 | https://api2.branch.io/v1/app/KEY_HERE?branch_secret=SECRET_HERE
507 | ```
508 |
509 | ## [Bing Maps API Key](https://docs.microsoft.com/en-us/bingmaps/rest-services/locations/find-a-location-by-address)
510 |
511 | Visit this link to check for the key's validity. A valid key's response should start with `authenticationResultCode: "ValidCredentials"`
512 |
513 | ```
514 | https://dev.virtualearth.net/REST/v1/Locations?CountryRegion=US&adminDistrict=WA&locality=Somewhere&postalCode=98001&addressLine=100%20Main%20St.&key=API_KEY
515 | ```
516 |
517 | ## [Bit.ly Access token](https://dev.bitly.com/authentication.html)
518 |
519 | Visit the following URL to check for validity:
520 |
521 | ```
522 | https://api-ssl.bitly.com/v3/shorten?access_token=ACCESS_TOKEN&longUrl=https://www.google.com
523 | ```
524 |
525 | ## [Buildkite Access token](https://buildkite.com/docs/apis/rest-api)
526 | ```
527 | curl -H "Authorization: Bearer ACCESS_TOKEN" \
528 | https://api.buildkite.com/v2/user
529 | ```
530 |
531 | ## [ButterCMS-API-Key](https://buttercms.com/docs/api/#authentication)
532 | ```
533 | curl -X GET 'https://api.buttercms.com/v2/posts/?auth_token=your_api_token'
534 | ```
535 |
536 | ## [Asana Access token](https://asana.com/developers/documentation/getting-started/auth#personal-access-token)
537 | ```
538 | curl -H "Authorization: Bearer ACCESS_TOKEN" https://app.asana.com/api/1.0/users/me
539 | ```
540 |
541 | ## [Zendesk Access token](https://support.zendesk.com/hc/en-us/articles/203663836-Using-OAuth-authentication-with-your-application)
542 | ```
543 | curl https://{subdomain}.zendesk.com/api/v2/tickets.json \
544 | -H "Authorization: Bearer ACCESS_TOKEN"
545 | ```
546 |
547 | ## [Zendesk Api Key](https://developer.zendesk.com/api-reference/ticketing/introduction/)
548 | API tokens are different from OAuth tokens: API tokens are auto-generated passwords in the Support admin interface.
549 | ```
550 | curl https://{target}.zendesk.com/api/v2/users.json -u support@{target}.com/token:{here your token}
551 | ```
552 |
553 | ## [MailChimp API Key](https://developer.mailchimp.com/documentation/mailchimp/reference/overview/)
554 | ```
555 | curl --request GET --url 'https://DC.api.mailchimp.com/3.0/' --user 'anystring:API_KEY_HERE' --include
556 | ```
557 |
558 | ## [WPEngine API Key](https://wpengineapi.com/)
559 |
560 | This issue can be further exploited by checking out [@hateshape](https://github.com/hateshape/)'s gist https://gist.github.com/hateshape/2e671ea71d7c243fac7ebf51fb738f0a.
561 |
562 | ```
563 | curl "https://api.wpengine.com/1.2/?method=site&account_name=ACCOUNT_NAME&wpe_apikey=WPENGINE_APIKEY"
564 | ```
565 |
566 | ## [DataDog API key](https://docs.datadoghq.com/api/)
567 | ```
568 | curl "https://api.datadoghq.com/api/v1/dashboard?api_key=API_KEY_HERE&application_key=APPLICATION_KEY_HERE"
569 | ```
570 |
571 | ## [Delighted API key](https://app.delighted.com/docs/api)
572 | Do not delete the `:` at the end.
573 | ```
574 | curl https://api.delighted.com/v1/metrics.json \
575 | -H "Content-Type: application/json" \
576 | -u YOUR_DELIGHTED_API_KEY:
577 | ```
578 |
579 | ## [Travis CI API token](https://developer.travis-ci.com/gettingstarted)
580 |
581 | ```
582 | curl -H "Travis-API-Version: 3" -H "Authorization: token TOKEN_HERE" https://api.travis-ci.org/repos
583 | ```
584 |
585 | ## [WakaTime API Key](https://wakatime.com/developers)
586 | ```
587 | curl "https://wakatime.com/api/v1/users/current/projects/?api_key=KEY_HERE"
588 | ```
589 |
590 | ## [Sonarcloud Token](https://sonarcloud.io/web_api)
591 | ```
592 | curl -u TOKEN_HERE: "https://sonarcloud.io/api/authentication/validate"
593 | ```
594 |
595 | ## [Spotify Access Token](https://developer.spotify.com/documentation/general/guides/authorization-guide/)
596 | ```
597 | curl -H "Authorization: Bearer ACCESS_TOKEN" https://api.spotify.com/v1/me
598 | ```
599 |
600 | ## [Instagram Basic Display API Access Token](https://developers.facebook.com/docs/instagram-basic-display-api/getting-started)
601 | E.g.: IGQVJ...
602 | ```
603 | curl -X GET 'https://graph.instagram.com/{user-id}?fields=id,username&access_token={access-token}'
604 | ```
605 |
606 | ## [Instagram Graph API Access Token](https://developers.facebook.com/docs/instagram-api/getting-started)
607 | E.g.: EAAJjmJ...
608 | ```
609 | curl -i -X GET 'https://graph.facebook.com/v8.0/me/accounts?access_token={access-token}'
610 | ```
611 |
612 | ## [Gitlab personal access token](https://docs.gitlab.com/ee/api/README.html#personal-access-tokens)
613 | ```
614 | curl "https://gitlab.example.com/api/v4/projects?private_token=PRIVATE_TOKEN_HERE"
615 | ```
616 |
617 | ## [Paypal client id and secret key](https://developer.paypal.com/docs/api/get-an-access-token-curl/)
618 | ```
619 | curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
620 | -H "Accept: application/json" \
621 | -H "Accept-Language: en_US" \
622 | -u "client_id:secret" \
623 | -d "grant_type=client_credentials"
624 | ```
625 |
626 | The access token can be further used to extract data from the PayPal API. More information: https://developer.paypal.com/docs/api/overview/#make-rest-api-calls.
627 |
628 | This can be verified using:
629 |
630 | ```
631 | curl -v -X GET "https://api.sandbox.paypal.com/v1/identity/oauth2/userinfo?schema=paypalv1.1" -H "Content-Type: application/json" -H "Authorization: Bearer [ACCESS_TOKEN]"
632 | ```
633 |
634 | ## [Stripe Live Token](https://stripe.com/docs/api/authentication)
635 |
636 | ```
637 | curl https://api.stripe.com/v1/charges -u token_here:
638 | ```
639 |
640 | Keep the colon at the end of the token to prevent `cURL` from requesting a password.
641 |
642 | The token is always in the following format: `sk_live_24charshere`, where the `24charshere` part contains 24 characters from `a-z A-Z 0-9`. There is also a test key, which starts with `sk_test`, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive information. The live key, on the other hand, can be used to extract/retrieve a lot of info — ranging from charges to the complete product list.
643 |
644 | Keep in mind that you will never be able to get the full credit card information since Stripe only gives you the last 4 digits.
645 |
646 | More info/complete documentation: https://stripe.com/docs/api/authentication.
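
The token formats given on this page (Square, Stripe, reCAPTCHA) can also drive a scan of your own repositories, configs and logs so that exposed keys are found and rotated. The scanner below is an added example, not part of KeyHacks: the rule names, severities, redaction format and sample text are constructed for illustration, and accepting Stripe keys longer than 24 characters (and applying the same length to `sk_test` keys) is an assumption.

```python
import re
from dataclasses import dataclass

# Token-boundary guards: the page's reCAPTCHA regex is anchored with ^...$
# for a whole-string check; when scanning free text we instead require that
# the match is not embedded in a longer run of token characters.
_B = r"(?<![0-9A-Za-z_-])"
_E = r"(?![0-9A-Za-z_-])"

# (rule name, severity, pattern). Character classes come from this page;
# names and severities are choices made for this example.
RULES = [
    ("square_app_id_or_secret", "high",
     re.compile(_B + r"sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}" + _E)),
    ("square_auth_token", "high",
     re.compile(_B + r"EAAA[a-zA-Z0-9]{60}" + _E)),
    # Page states 24 characters; longer keys are accepted here (assumption).
    ("stripe_live_key", "high",
     re.compile(_B + r"sk_live_[a-zA-Z0-9]{24,}")),
    # Test keys hold no production data according to the page, so: low.
    ("stripe_test_key", "low",
     re.compile(_B + r"sk_test_[a-zA-Z0-9]{24,}")),
    ("recaptcha_key", "medium",
     re.compile(_B + r"6[0-9a-zA-Z_-]{39}" + _E)),
]


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned text
    rule: str
    severity: str
    redacted: str    # safe to write to a ticket or log


def redact(value: str) -> str:
    """Keep a short prefix and the length, never the full secret."""
    return f"{value[:6]}...[{len(value)} chars]"


def scan(text: str) -> list:
    """Return findings ordered by line, then by position in the line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []
        for rule, severity, pattern in RULES:
            for m in pattern.finditer(line):
                hits.append((m.start(),
                             Finding(line_no, rule, severity, redact(m.group(0)))))
        findings.extend(f for _, f in sorted(hits, key=lambda h: h[0]))
    return findings


# Constructed sample input: built from repeated filler so that no real
# credential appears anywhere in this file.
SAMPLE = "\n".join([
    "# constructed config dump, no real credentials",
    'STRIPE_KEY = "' + "sk_live_" + "a1B2" * 6 + '"',
    'STRIPE_TEST = "' + "sk_test_" + "c3D4" * 6 + '"',
    "square_token: " + "EAAA" + "z9" * 30,
    "square_secret=" + "sq0csp-" + "Qw_8-x" * 5,
    "recaptcha_secret: " + "6L" + "e" * 38,
    "sha256: " + "6" + "a" * 63,   # near miss: 64 chars, must not match
])

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.rule} [{f.severity}] {f.redacted}")
```

A hit only says the string has the right shape; whether it is a live credential is what the per-service checks on this page establish.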
647 |
648 | ## [Razorpay API key and Secret key](https://razorpay.com/docs/api/)
649 |
650 | This can be verified using:
651 |
652 | ```
653 | curl -u KEY_ID:KEY_SECRET \
654 | https://api.razorpay.com/v1/payments
655 | ```
656 |
657 | ## [CircleCI Access Token](https://circleci.com/docs/api/#api-overview)
658 |
659 | ```
660 | curl "https://circleci.com/api/v1.1/me?circle-token=TOKEN_HERE"
661 | ```
662 |
663 | ## [Loqate API key](https://www.loqate.com/resources/support/apis)
664 |
665 | ```
666 | curl 'http://api.addressy.com/Capture/Interactive/Find/v1.00/json3.ws?Key=KEY_HERE&Countries=US,CA&Language=en&Limit=5&Text=BHAR'
667 | ```
668 |
669 | ## [Ipstack API Key](https://ipstack.com/documentation)
670 |
671 | ```
672 | curl 'https://api.ipstack.com/{ip_address}?access_key={keyhere}'
673 | ```
674 |
675 | ## [NPM token](https://docs.npmjs.com/about-authentication-tokens)
676 |
677 | You can verify an NPM token [using `npm`](https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3) (replace `00000000-0000-0000-0000-000000000000` with the NPM token):
678 |
679 | ```
680 | export NPM_TOKEN="00000000-0000-0000-0000-000000000000"
681 | echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
682 | npm whoami
683 | ```
684 |
685 | Another way to verify the token is to query the API directly:
686 |
687 | ```
688 | curl -H 'authorization: Bearer 00000000-0000-0000-0000-000000000000' 'https://registry.npmjs.org/-/whoami'
689 | ```
690 |
691 | You'll get the username in the response on success, `401 Unauthorized` if the token doesn't exist, and `403 Forbidden` if your IP address is not whitelisted.
692 |
693 | An NPM token can be [CIDR-whitelisted](https://docs.npmjs.com/creating-and-viewing-authentication-tokens#creating-tokens-with-the-cli). If you use the token from a *non-whitelisted* CIDR range, you'll get `403 Forbidden` in response, so try verifying the NPM token from different IP ranges.
694 |
695 | P.S. Some companies [use registries other than `registry.npmjs.org`](https://medium.com/bugbountywriteup/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3). If that's the case, replace all `registry.npmjs.org` occurrences with the domain name of the company's NPM registry.
696 |
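The `.npmrc` line written above ends up holding the token itself, and it is tied to one registry host. As an added example (not code from the KeyHacks project), the function below audits `.npmrc` content and reports, per registry, whether the token is stored as a literal or as a `${VAR}` reference that npm expands from the environment; the function name, the host `npm.example.internal` and the sample file are constructed for illustration.

```shell
# Constructed sample .npmrc content, not a real configuration.
SAMPLE_NPMRC='# ci config
//registry.npmjs.org/:_authToken=00000000-0000-0000-0000-000000000000
//npm.example.internal:8443/:_authToken=${NPM_TOKEN}
registry=https://registry.npmjs.org/'

# audit_npmrc: reads .npmrc text on stdin and prints "REGISTRY STORAGE"
# for every auth token line. STORAGE is one of:
#   literal - the token value is written in the file (rotate and remove)
#   env     - a ${VAR} reference; the secret lives in the environment
#   empty   - the key is present without a value
# The token value itself is never printed.
audit_npmrc() {
    while IFS= read -r line; do
        case "$line" in
            \#*|\;*) continue ;;          # comment lines
            //*:_authToken=*) ;;          # token line, handled below
            *) continue ;;                # any other setting
        esac
        registry=${line%%:_authToken=*}   # e.g. //registry.npmjs.org/
        registry=${registry#//}
        value=${line#*:_authToken=}
        case "$value" in
            '${'*'}') storage=env ;;
            '')       storage=empty ;;
            *)        storage=literal ;;
        esac
        printf '%s %s\n' "${registry%/}" "$storage"
    done
}

printf '%s\n' "$SAMPLE_NPMRC" | audit_npmrc
```
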
697 | ## [Keen.io API Key](https://keen.io/docs/api/)
698 |
699 | Get all collections for a specific project:
700 |
701 | ```
702 | curl "https://api.keen.io/3.0/projects/PROJECT_ID/events?api_key=READ_KEY"
703 | ```
704 |
712 |
713 | ## [Calendly API Key](https://developer.calendly.com/docs/)
714 |
715 | Get user information:
716 |
717 | ````
718 | curl --header "X-TOKEN: {TOKEN}" https://calendly.com/api/v1/users/me
719 | ````
720 |
721 | List Webhook Subscriptions:
722 |
723 | ````
724 | curl --header "X-TOKEN: {TOKEN}" https://calendly.com/api/v1/hooks
725 | ````
726 |
727 | ## [Azure Application Insights APP ID and API Key](https://dev.applicationinsights.io/reference)
728 |
729 | Get the total number of requests made in last 24 hours:
730 |
731 | ```
732 | curl -H "x-api-key: {API_Key}" "https://api.applicationinsights.io/v1/apps/{APP_ID}/metrics/requests/count"
733 | ```
734 |
735 | ## [Cypress record key](https://docs.cypress.io/guides/dashboard/projects.html#Record-key)
736 |
737 | To check `recordKey` validity you'll need the `projectId`, a public value that can usually be found in the `cypress.json` file. Replace `{recordKey}` and `{projectId}` in the JSON body with your values.
738 |
739 | ```
740 | curl -i -s -k -X $'POST' \
741 | -H $'x-route-version: 4' -H $'x-os-name: darwin' -H $'x-cypress-version: 5.5.0' -H $'host: api.cypress.io' -H $'accept: application/json' -H $'content-type: application/json' -H $'Connection: close' \
742 | --data-binary $'{\"ci\":{\"params\":null,\"provider\":null},\"specs\":[\"cypress/integration/examples/actions.spec.js\",\"cypress/integration/examples/aliasing.spec.js\",\"cypress/integration/examples/assertions.spec.js\",\"cypress/integration/examples/connectors.spec.js\",\"cypress/integration/examples/cookies.spec.js\",\"cypress/integration/examples/cypress_api.spec.js\",\"cypress/integration/examples/files.spec.js\",\"cypress/integration/examples/local_storage.spec.js\",\"cypress/integration/examples/location.spec.js\",\"cypress/integration/examples/misc.spec.js\",\"cypress/integration/examples/navigation.spec.js\",\"cypress/integration/examples/network_requests.spec.js\",\"cypress/integration/examples/querying.spec.js\",\"cypress/integration/examples/spies_stubs_clocks.spec.js\",\"cypress/integration/examples/traversal.spec.js\",\"cypress/integration/examples/utilities.spec.js\",\"cypress/integration/examples/viewport.spec.js\",\"cypress/integration/examples/waiting.spec.js\",\"cypress/integration/examples/window.spec.js\"],\"commit\":{\"sha\":null,\"branch\":null,\"authorName\":null,\"authorEmail\":null,\"message\":null,\"remoteOrigin\":null,\"defaultBranch\":null},\"group\":null,\"platform\":{\"osCpus\":[],\"osName\":\"darwin\",\"osMemory\":{\"free\":1153744896,\"total\":17179869184},\"osVersion\":\"19.6.0\",\"browserName\":\"Electron\",\"browserVersion\":\"85.0.4183.121\"},\"parallel\":null,\"ciBuildId\":null,\"projectId\":\"{projectId}\",\"recordKey\":\"{recordKey}\",\"specPattern\":null,\"tags\":[\"\"]}' \
743 | $'https://api.cypress.io/runs'
744 | ```
745 |
746 | Yes, this request needs to be that big. It returns `200 OK` with some information about the run if both `projectId` and `recordKey` are valid, `404 Not Found` with `{"message":"Project not found. Invalid projectId."}` if `projectId` is invalid, or `401 Unauthorized` with `{"message":"Invalid Record Key."}` if `recordKey` is invalid.
747 |
748 | Example of `projectId` is `1yxykz` and example of `recordKey` is `a216e7b4-4819-4713-b9c2-c5da60a1c48c`.
749 |
750 | ## [YouTube API Key](https://developers.google.com/youtube/v3/docs/)
751 | Fetch content details for a YouTube channel (The channelId in this case points to PewDiePie's channel).
752 |
753 | ```
754 | curl -iLk 'https://www.googleapis.com/youtube/v3/activities?part=contentDetails&maxResults=25&channelId=UC-lHJZR3Gqxm24_Vd_AJ5Yw&key={KEY_HERE}'
755 | ```
756 |
757 |
758 | ## [ABTasty API Key](https://developers.abtasty.com/server-side.html#authentication)
759 |
760 | ```
761 | curl "api_endpoint_here" -H "x-api-key: your_api_key"
762 | ```
763 |
764 | ## [Iterable API Key](https://api.iterable.com/api/docs)
765 | Export campaign analytics data in JSON format, one entry per line. Use of either 'range' or 'startDateTime' and 'endDateTime' is required.
766 |
767 | ```
768 | curl -H "Api_Key: {API_KEY}" 'https://api.iterable.com/api/export/data.json?dataTypeName=emailSend&range=Today&onlyFields=List.empty'
769 | ```
770 | ## [Amplitude API Keys](https://help.amplitude.com/hc/en-us/articles/205406637-Export-API-Export-Your-Project-s-Event-Data)
771 | The response is a zipped archive of JSON files, with potentially multiple files per hour. Note that events prior to 2014-11-12 will be grouped by day instead of by the hour. If you request data for a time range during which no data has been collected for the project, then you will receive a 404 response from the server.
772 |
773 | ```
774 | curl -u API_Key:Secret_Key 'https://amplitude.com/api/2/export?start=20200201T5&end=20210203T20' -o yourfilename.zip
775 | ```
776 |
777 | ## [Visual Studio App Center API Token](https://docs.microsoft.com/en-us/appcenter/api-docs/)
778 |
779 | 1. List all the app projects for the API Token:
780 | ```
781 | curl -sX GET "https://api.appcenter.ms/v0.1/apps" \
782 | -H "Content-Type: application/json" \
783 | -H "X-Api-Token: {your_api_token}"
784 | ```
785 | 2. Fetch the latest app build information for a particular project:
786 | > Use the `name` and `owner.name` values obtained in the response in step 1.
787 | ```
788 | curl -sX GET "https://api.appcenter.ms/v0.1/apps/{owner.name}/{name}/releases/latest" \
789 | -H "Content-Type: application/json" \
790 | -H "X-Api-Token: {your_api_token}"
791 | ```
792 |
793 | ## [WeGlot Api Key](https://weglot.com/)
794 |
795 |
796 | ```
797 | curl -X POST \
798 | 'https://api.weglot.com/translate?api_key=my_api_key' \
799 | -H 'Content-Type: application/json' \
800 | -d '{
801 | "l_from":"en",
802 | "l_to":"fr",
803 | "request_url":"https://www.website.com/",
804 | "words":[
805 | {"w":"This is a blue car", "t": 1},
806 | {"w":"This is a black car", "t": 1}
807 | ]
808 | }'
809 | ```
810 |
811 | ## [PivotalTracker API Token](https://www.pivotaltracker.com/help/api/#top)
812 |
813 | 1. List User Information with API Token:
814 | ```
815 | curl -X GET -H "X-TrackerToken: $TOKEN" "https://www.pivotaltracker.com/services/v5/me?fields=%3Adefault"
816 | ```
817 |
818 | 2. Obtain API Token with Valid User Credentials:
819 | ```
820 | curl -s -X GET --user 'USER:PASSWORD' "https://www.pivotaltracker.com/services/v5/me" -o pivotaltracker.json
821 | jq --raw-output .api_token pivotaltracker.json
822 | ```
823 | ## [LinkedIn OAUTH](https://docs.microsoft.com/en-us/linkedin/shared/authentication/client-credentials-flow?context=linkedin/context)
824 | A successful access token request returns a JSON object containing `access_token` and `expires_in`.
825 | ```
826 | curl -XPOST -H "Content-type: application/x-www-form-urlencoded" -d 'grant_type=client_credentials&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}' 'https://www.linkedin.com/oauth/v2/accessToken'
828 | ```
829 | # Contributing
830 |
831 | I welcome contributions from the public.
832 |
833 | ### Using the issue tracker 💡
834 |
835 | The issue tracker is the preferred channel for bug reports and feature requests.
836 |
837 | ### Issues and labels 🏷
838 |
839 | The bug tracker utilizes several labels to help organize and identify issues.
840 |
841 | ### Guidelines for bug reports 🐛
842 |
843 | Use the GitHub issue search — check if the issue has already been reported.
844 |
845 | # ⚠ Legal Disclaimer
846 |
847 | This project is made for educational and ethical testing purposes only. Usage of this tool for attacking targets without prior mutual consent is illegal. Developers assume no liability and are not responsible for any misuse or damage caused by this tool.
848 |
--------------------------------------------------------------------------------