What is an API key?
An application programming interface (API) key is a unique identifier used to authenticate a user, developer, or calling program to an API. In practice a key usually identifies the calling project or application rather than a human user, which is why keys so often end up shipped in client-side code.
Where to find API keys
- Source code: right-click the web application –> Inspect Element –> search the loaded scripts for strings such as API, TOKEN, key
- Hard-coded in mobile applications: decompile the APK –> resources –> values –> strings.xml
- GitHub recon: use a dork such as “site.com” api_key
As this was a private program, all illustrations of the vulnerability use example.com as the host.
The target is a shopping website that asks for a delivery address. To place that address on a map it uses the Google Maps API (identified with the Wappalyzer plugin), so the next step is simply to find the key.
- Right-click the web application –> Inspect Element
- Found the loaded .js files (Ctrl + F –> .js)
- Found one containing all the keys (Salesforce, Google Maps, content_access_token)
- Time to demonstrate impact, since some developers restrict which sites may use their keys and only an unrestricted key is worth reporting.
- CURL command to check whether the key is restricted by HTTP referrer: send the request with an arbitrary Referer header. Note that the Maps Static API only accepts sizes up to 640x640; a larger size fails with HTTP 400 regardless of the key and would give a false “restricted” result.
curl --location --request GET 'https://maps.googleapis.com/maps/api/staticmap?center=40.714728,-73.998672&zoom=12&size=640x640&maptype=roadmap&key=KEY_HERE' --header 'Referer: https://www.bla.com/'
- https://github.com/streaak/keyhacks –> KeyHacks shows ways in which particular API keys found on a bug bounty program can be used to check whether they are valid.
- If the map image downloads, the key accepts requests from any referrer: report it. If the request is rejected, the key is restricted by HTTP referrer (or is otherwise invalid) and this check alone gives nothing to report.
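The two manual steps above (pull the key out of the JavaScript, then probe the Maps Static API with a spoofed Referer) as one added shell example. This is not code from the original write-up; it assumes the target's scripts have been saved locally (e.g. with curl) and uses a constructed key and hypothetical file names. The same extractor works on a decompiled strings.xml, since it only looks at the key's fixed shape.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up.
# Extracts Google API keys from saved JavaScript (or strings.xml) and tests
# whether a key is accepted for a request carrying an arbitrary Referer.

# Google API keys have a fixed shape: "AIza" followed by 35 URL-safe characters.
GOOGLE_KEY_RE='AIza[0-9A-Za-z_-]{35}'

# extract_google_keys FILE... -> prints each distinct key found, one per line.
extract_google_keys() {
    grep -Eoh "$GOOGLE_KEY_RE" "$@" 2>/dev/null | sort -u
}

# classify_response HTTP_CODE CONTENT_TYPE -> verdict string.
# The Static Maps endpoint returns an image when it accepts the key and a 403
# when it rejects it (non-matching referrer, or a revoked/invalid key), so a
# 403 alone does not prove the key is referrer-restricted.
classify_response() {
    code="$1"; ctype="$2"
    case "$code" in
        200) case "$ctype" in
                 image/*) echo "unrestricted: map returned for arbitrary Referer";;
                 *)       echo "unexpected: 200 but non-image body ($ctype)";;
             esac;;
        403) echo "rejected: key is referrer-restricted or invalid for this Referer";;
        400) echo "bad request: fix the query (e.g. size above 640x640) before judging the key";;
        *)   echo "inconclusive: HTTP $code ($ctype)";;
    esac
}

# check_static_maps_key KEY [REFERER] -> verdict for a live request.
# size stays within the 640x640 limit so a 400 can only mean a genuinely bad query.
check_static_maps_key() {
    key="$1"; referer="${2:-https://attacker.example/}"   # hypothetical spoofed referrer
    result=$(curl -sS -o /dev/null -w '%{http_code} %{content_type}' \
        --header "Referer: $referer" \
        "https://maps.googleapis.com/maps/api/staticmap?center=40.714728,-73.998672&zoom=12&size=640x640&maptype=roadmap&key=$key")
    # content_type may carry a charset suffix; keep only the media type.
    code=${result%% *}; ctype=${result#* }; ctype=${ctype%%;*}
    classify_response "$code" "$ctype"
}

# Usage against a live target (hypothetical file name):
#   check_static_maps_key "$(extract_google_keys app.bundle.js | head -n1)"
```

The classifier is separated from the network call so the verdict logic can be checked offline; in practice run check_static_maps_key once with a random Referer and, if the key is rejected, once more with the target's own origin to confirm the key itself is still live.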
TIP: use the Wappalyzer plugin; it shows the technologies the site is built with. If you see Google Maps, start searching for a Google Maps key.
HackerOne report links