API key

Whats is API?

An application programming interface key is a unique identifier used to authenticate a user, developer, or calling program to an API. However, they are typically used to authenticate a project with the API rather than a human user.

Where to find?

  1. Source code : Right click on web_application –> inspect element –> search for (API,TOKEN etc)
  2. JS files : find JS files using Source-code or waybackurl –> Online JavaScript Beautifier –> search for (API, TOKEN, etc)
  3. Hard corded in mobile application : decomplie application –> resources –> values –> strings.xml
  4. GitHub Recon : “site.com” api_key (use dork)

Case study

As this was a private program all illustrations of vulnerabilities will be represented with the host as example.com


This site is built for a shopping website that asks for an address for delivery. To find the location it uses google maps API key (thanks to wappalyzer plugin ) simple next thing is to find the key.

  1. Right click on web_application
  2. found .js files ( ctrl + F –> .js)
  3. found one with all keys (Salesforce, Google Maps, content_access_token)
  4. time to show exploit since some developers restricted keys to access.
  5. CURL command to check whether the map is restricted using referrer header
curl --location --request GET 'https://maps.googleapis.com/maps/api/staticmap?center=40.714728,-73.998672&zoom=12&size=2500x2000&maptype=roadmap&key=keyhere' --header 'Referer: www.bla.com'


  • https://github.com/streaak/keyhacks –> Key-hacks shows ways in which particular API keys found on a Bug Bounty Program can be used, check if they are valid.
  • If you are able to download map then report if not then it is restricted using referrer header.
  1. Reported
  2. Accepted
  3. P3
  4. Duplicate

TIP: USE wappalyzer plugin it shows technology used to the built site if you see maps start searching for Google-maps key.

H1 reports links