Day 23/100 Hack and Improvement
After looking new resources of learning and methods, seemed to be easier to learn from real world examples such as write ups and also by practicing in different kind of programs. Day 23 comes with Google API Keys exploit and API testing findings.
Exploit the Google Map API keys
From Rajesh Ranjan. For the ones who do not have any information about this service and its API Key’s, Google Maps API is a paid service which allows applications to embed & search from the Google Maps Database and use it on their own applications.
If you found any Google Map API key, either in web application or Android App, then you can check that, is it vulnerable or not. There are two ways by which you can verify this.
- By curl command
curl -H "referer: http://example.com" "https://maps.googleapis.com/maps/api/directions/json?origin=Stockholm&destination=Kalmar&key=KEY_HERE
If response is 200 OK , then its vulnerable
- By Web Browser
https://maps.googleapis.com/maps/api/directions/json?origin=Stockholm&destination=Kalmar&key=KEY_HERE
Replace your found API keys and if you got response except “Access denied”, then this key is vulnerable.
Source
https://medium.com/bugbountywriteup/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e
Hackerone Report
https://hackerone.com/reports/753868
API testing findings
From Sam (CoffeeJunkie). There are several ways to test APIs, in my “forever noob” days I found pretty useful and fun to read different reports and writeups, and realize the thought process that testers put on their work. That’s why here I brought three reports and writeups related to API testing.
Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone
- Look closer to different kind of parameters that might involve personal data at the time to send and receive as well. In this case the attacker used different kind of API keys and IDs in order to spoof the emails.
Takeaway: Be aware of all the parameters available during the HTTP requests.
- In this case the attacker saw the capabilities which were involved to create, delete, and change users passwords as long the attacker has a valid bearer token in the header of the response.
Takeaway: Look for endpoints and functionalities in order to bypass them.
Disclose any user’s private email through API
- In this case the attacker was able to disclose any user’s email at the time to add them as a participant in the reports. All of this was possible by fetching the report through the API.
Takeaway: Look what you’re able to do with the target website.
Leave a comment