InfoSec Write-ups – Medium–
Source Code Analysis and Exploiting API Keys
I was getting lots of requests and msg on Whatsapp, LinkedIn, Twitter about the source code analysis, and exploitation of API Keys. So I will share my approach and also some blogs and writeups which you can refer to get a clear understanding.
So whenever we think of source code analysis, one thing which comes to my mind is how can I check thousands line of code manually. It’s not impossible but it’s time-consuming. So when I started learning about this Source Code Analysis, I asked Aditya Shende (Follow him on Twitter for tips on Bug Hunting) regarding this and he explained to me that try to use some keywords and focus on searching .js file (Don't look min.js).
But now the problem is there are many .js file and I am very lazy to search all so what to do???
Then I came across Manas Harsh’s Blog and got to know about one tool
$ git clone https://github.com/m4ll0k/SecretFinder.git secretfinder
$ cd secretfinder
$ python -m pip install -r requirements.txt or pip install -r requirements.txt
$ python SecretFinder.py
python3 SecretFinder.py -i https://example.com/ -e
python3 SecretFinder.py -i https://example.com/1.js -o results.html
python3 SecretFinder.py -i https://example.com/1.js -o cli
API Keys Exploitations……..
So after doing Github recon and Source Code Analysis we sometimes get API Keys. Now we need to check if it is vulnerable or not. So for this, we can use Gmapsapiscanner
Gmapsapiscanner- is used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.
Some Blogs you can refer:
<link rel="stylesheet" type="text/css" href="./style.css" />
For some more Key Hacks you can check here –https://github.com/streaak/keyhacks
Thanks for Reading
You can also enroll for my Bug Hunting Training(Syllabus: Bugcrowd’s VRT Book)
For any quick query or getting in touch with me, You can follow me on