Source Code Analysis and API Keys Exploitations

InfoSec Write-ups – Medium–

Source Code Analysis and Exploiting API Keys

I was getting lots of requests and messages on WhatsApp, LinkedIn, and Twitter about source code analysis and the exploitation of API keys. So I will share my approach, along with some blogs and write-ups you can refer to for a clear understanding.


Whenever we think of source code analysis, one thing that comes to my mind is how I can check thousands of lines of code manually. It's not impossible, but it's time-consuming. So when I started learning about source code analysis, I asked Aditya Shende (follow him on Twitter for tips on bug hunting) about this, and he explained to me to use some keywords and focus on searching .js files (don't look at min.js).

But now the problem is that there are many .js files, and I am very lazy to search them all, so what to do?

Then I came across Manas Harsh's blog and got to know about one tool:

SecretFinder: a Python script based on LinkFinder, written to discover sensitive data such as API keys, access tokens, authorizations, JWTs, etc. in JavaScript files. The tool scrapes the JS data from a particular domain and prints output to the terminal based on the keywords defined in its regexes.


$ git clone secretfinder
$ cd secretfinder
$ python -m pip install -r requirements.txt   # or: pip install -r requirements.txt
$ python


python3 -i -e

python3 -i -o results.html

python3 -i -o cli
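The regex-based search described above can also be run over your own JavaScript before it ships. The following is an added example, not code from the original post or from SecretFinder; the rule set, function names, and sample input are assumptions made for illustration, and matches are redacted so the report does not leak the secret a second time.

```python
import re

# Patterns chosen for this example (assumption: not SecretFinder's own rule set).
PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|access[_-]?token)\b["']?\s*[:=]\s*["']([^"']{16,})["']"""
    ),
}


def redact(value, keep=4):
    """Keep only the first few characters of a matched secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_js(source, filename="<inline>"):
    """Return one finding per distinct secret: (filename, line, rule, redacted value)."""
    findings, seen = [], set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Use the capture group when the rule has one, else the whole match.
                value = m.group(m.lastindex or 0)
                if value in seen:  # generic rule often re-matches a specific one
                    continue
                seen.add(value)
                findings.append((filename, lineno, rule, redact(value)))
    return findings


# Constructed sample input: the key and token are fake, only shaped like real ones.
FAKE_KEY = "AIza" + "SyA-CONSTRUCTED-EXAMPLE-".ljust(35, "0")
SAMPLE_JS = (
    'const cfg = { mapsKey: "%s" };\n'
    'fetch("/api", {headers: {Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8"}});\n'
    'var api_key = "%s";  // same key again\n'
    'let theme = "dark";\n'
) % (FAKE_KEY, FAKE_KEY)

if __name__ == "__main__":
    for finding in scan_js(SAMPLE_JS, "app.js"):
        print("%s:%d [%s] %s" % finding)
```

Any key this flags in client-side code should be treated as public: restrict it by HTTP referrer and by API, or rotate it.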

API Keys Exploitation

After doing GitHub recon and source code analysis, we sometimes get API keys. Now we need to check whether they are vulnerable or not. For this, we can use Gmapsapiscanner.

Gmapsapiscanner is used for determining whether a leaked/found Google Maps API key is vulnerable to unauthorized access by other applications or not.

Some blogs you can refer to:



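One negative point about this tool is that it does not check the JavaScript API. So, in that case, use this:

Source: Developer.Google documentation

<!DOCTYPE html>
<!-- Simple Map sample; YOUR_API_KEY is a placeholder for the key being checked -->
<title>Simple Map</title>
<link rel="stylesheet" type="text/css" href="./style.css" />
<div id="map" style="height: 400px"></div>
<script>function initMap() { new google.maps.Map(document.getElementById("map"), { center: { lat: -34.397, lng: 150.644 }, zoom: 8 }); }</script>
<script async src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"></script>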

For some more Key Hacks you can check here –

Thanks for Reading

You can also enroll for my Bug Hunting Training(Syllabus: Bugcrowd’s VRT Book)

For any quick query or getting in touch with me, You can follow me on




Source Code Analysis and API Keys Exploitations was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
