Sam Paredes (CoffeeJunkie)

Sam Paredes (CoffeeJunkie)

Cybersecurity student and pentester in continuous development.

Day 23/100 Hack and Improvement

1 minute read

After looking new resources of learning and methods, seemed to be easier to learn from real world examples such as write ups and also by practicing in different kind of programs. Day 23 comes with Google API Keys exploit and API testing findings.

Exploit the Google Map API keys

From Rajesh Ranjan. For the ones who do not have any information about this service and its API Key’s, Google Maps API is a paid service which allows applications to embed & search from the Google Maps Database and use it on their own applications.

If you found any Google Map API key, either in web application or Android App, then you can check that, is it vulnerable or not. There are two ways by which you can verify this.

  • By curl command 
    curl -H "referer: http://example.com" "https://maps.googleapis.com/maps/api/directions/json?origin=Stockholm&destination=Kalmar&key=KEY_HERE

    If response is 200 OK , then its vulnerable

nmap scan

  • By Web Browser
https://maps.googleapis.com/maps/api/directions/json?origin=Stockholm&destination=Kalmar&key=KEY_HERE

Replace your found API keys and if you got response except “Access denied”, then this key is vulnerable.

Source

https://medium.com/bugbountywriteup/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e

Hackerone Report

https://hackerone.com/reports/753868

API testing findings

From Sam (CoffeeJunkie). There are several ways to test APIs, in my “forever noob” days I found pretty useful and fun to read different reports and writeups, and realize the thought process that testers put on their work. That’s why here I brought three reports and writeups related to API testing.

Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone

  • Look closer to different kind of parameters that might involve personal data at the time to send and receive as well. In this case the attacker used different kind of API keys and IDs in order to spoof the emails.

Takeaway: Be aware of all the parameters available during the HTTP requests.

Broken API Authorization

  • In this case the attacker saw the capabilities which were involved to create, delete, and change users passwords as long the attacker has a valid bearer token in the header of the response.

Takeaway: Look for endpoints and functionalities in order to bypass them.

Disclose any user’s private email through API

  • In this case the attacker was able to disclose any user’s email at the time to add them as a participant in the reports. All of this was possible by fetching the report through the API.

Takeaway: Look what you’re able to do with the target website.

Leave a comment

You may also enjoy

Day 97/100 Hack and Improvement

less than 1 minute read

Due to travel reasons #100daystohackandimprove moved to twitter. The following days will be posted on Twitter till day 97.