Ecosyste.ms: Awesome

https://github.com/TargetPackage/api-key-impact

A list of different types of API keys and how to prove impact for bug bounty programs.
README
# API Key Impact
When auditing website security, one common weakness is exposed API keys, often in the form of environment variables in a file with public read access. Whether conducting a sanctioned penetration test or participating in a bug bounty program, it is often necessary to either expand access or prove impact to the business in question. The purpose of this list is to detail examples of types of API credentials and how they can be leveraged to exploit a site.

The list is most useful when viewed fullscreen [here](https://github.com/TargetPackage/api-key-impact/blob/main/README.md).

| Variable | Private | Example | Purpose |
| :--------------------: | :-----: | :----------------------------------: | ---------------------------------------------------------------------------------------------------------------------------- |
| AMPLITUDE_API_KEY | N | a205ed9b06a7baf5a594bdd30293aa80 | The [Amplitude API key](https://www.docs.developers.amplitude.com/guides/amplitude-keys-guide/) is intended to be public; it is used to identify an Amplitude application for analytical purposes. |
| AWS_ACCESS_KEY_ID | **Y** | AKIAIOSFODNN7EXAMPLE | The [AWS Access Key ID](https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys) is used for programmatic access to Amazon Web Services (AWS) resources. |
| DROPBOX_API_TOKEN | **Y** | abc123def456ghi789jkl01mno234pqr | The [Dropbox API token](https://www.dropbox.com/developers/reference/oauth-guide) grants access to files and data stored in Dropbox accounts. Protecting it is crucial to maintain data integrity. |
| FACEBOOK_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz987654 | The [Facebook API key](https://developers.facebook.com/docs/apis-and-sdks) is used to integrate Facebook services into apps and websites, allowing for features like social login and sharing. |
| GITHUB_API_TOKEN | **Y** | 0123456789abcdef0123456789abcdef | The [GitHub API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#authenticating-with-the-api) is used for programmatic access to GitHub's repositories, issues, and user data. |
| GOODREADS_API_KEY | **Y** | AABBCCDDEEFF00112233445566778899 | The [Goodreads API](https://www.goodreads.com/api) allows developers access to Goodreads data in order to help websites or applications that deal with books be more personalized, social, and engaging. With OAuth authorization, an API token can be used to interact with accounts on behalf of a user. The site is no longer issuing new API tokens, meaning the existing tokens are more valuable. |
| GOOGLE_MAPS_API_KEY | **Y** | AIzaSyD3vS5UEOJmNpR5Q5bXnqYf4qPiWg | The [Google Maps API key](https://developers.google.com/maps/gmp-get-started) allows access to mapping services and geolocation data. Protecting this key is essential to prevent unauthorized usage. |
| INSTAGRAM_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Instagram API key](https://www.instagram.com/developer/) is used to interact with Instagram's API for tasks like retrieving user photos and media content. |
| LINKEDIN_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [LinkedIn API key](https://developer.linkedin.com/docs/guide) allows access to LinkedIn's data and integration into apps for professional networking. |
| MAILCHIMP_API_KEY | **Y** | d12a34567890123456789dcbef123456-us5 | The [Mailchimp API key](https://mailchimp.com/developer/marketing/guides/quick-start/) is used for integration with email marketing services, including sending newsletters and managing subscribers. |
| MICROSOFT_GRAPH_API | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Microsoft Graph API key](https://docs.microsoft.com/en-us/graph/overview) is used for accessing data from Microsoft 365 services such as email, calendar, and contacts. |
| PAYPAL_CLIENT_ID | **Y** | AbCdEfGhIjKlMnOpQrStUvWxYz12345678 | The [PayPal client ID](https://developer.paypal.com/docs/checkout/integrate/) is used to initiate and process PayPal payments on websites and apps. Safeguarding it is critical for secure transactions. |
| SPOTIFY_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Spotify API key](https://developer.spotify.com/documentation/general/guides/app-settings/) is used for integrating music streaming and playlists into apps and websites. |
| STRIPE_API_KEY | **Y** | sk_test_abcdefgh1234567890 | The [Stripe API key](https://stripe.com/docs/keys) is a private key used for secure communication with Stripe payment services. It should never be exposed publicly to prevent unauthorized transactions. |
| TRELLO_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Trello API key](https://developer.atlassian.com/cloud/trello/guides/rest-api/api-introduction/) is used for managing Trello boards, lists, and cards programmatically. |
| TWILIO_API_SID | **Y** | SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | The [Twilio API SID](https://www.twilio.com/docs/iam/keys/api-key) is a secret identifier for accessing Twilio's communication services, such as sending SMS or making phone calls programmatically. |
| TWITCH_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Twitch API key](https://dev.twitch.tv/docs/authentication/getting-tokens-oauth) is used to access and interact with Twitch streaming and chat services. |
| TWITTER_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Twitter API key](https://developer.twitter.com/en/docs/authentication/oauth-1-0a) is used to authenticate and access Twitter's API for tasks such as posting tweets or reading user timelines. |
| YOUTUBE_API_KEY | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [YouTube API key](https://developers.google.com/youtube/registering_an_application) is used for integrating YouTube video content and data into apps and websites. |
| ZM_CLIENT_ID | N | abcdefghijklmnopqrstuvwxyz123456 | The [Zoom client ID](https://developers.zoom.us/docs/api/rest/using-zoom-apis/) is used to identify a specific application when communicating with the Zoom video conferencing backend. |
| ZM_CLIENT_SECRET | **Y** | abcdefghijklmnopqrstuvwxyz123456 | The [Zoom client secret](https://developers.zoom.us/docs/api/rest/using-zoom-apis/) is used to securely authenticate a client ID with the backend in conjunction with an (optionally) specified OAuth redirect URL. With this and the client ID, requests can be made to the Zoom application on behalf of the key's owning organization. |
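As an added example (not part of the original list), here is a small scanner a defender can run over a dotenv-style file to flag the kind of exposure the introduction describes, using the table's Private column to separate public identifiers from real secrets. The value patterns for the AWS, Stripe and Mailchimp formats and the severity scale are assumptions derived from the example strings in the table, and the sample file is constructed from those same example values.

```python
import re

# Constructed format patterns for three key types whose example values appear in the
# table above (assumption: typical shapes of these credentials, not exhaustive).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:test|live)_[0-9A-Za-z]{10,}\b"),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us[0-9]{1,2}\b"),
}
# Variable names the table marks as intentionally public (Private = N).
PUBLIC_VARIABLES = {"AMPLITUDE_API_KEY", "ZM_CLIENT_ID"}
# KEY=value with optional `export` and quotes; the value stops at a trailing comment.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*['\"]?([^'\"\n#]*)")

def classify(name, value):
    """Rate one variable: known secret format > secret-looking name > public/other."""
    formats = [k for k, p in SECRET_PATTERNS.items() if p.search(value)]
    if name in PUBLIC_VARIABLES:
        return "info", formats     # public by design, not a finding
    if formats:
        return "high", formats     # value matches a known private-key shape
    if re.search(r"(KEY|SECRET|TOKEN|PASSWORD)$", name):
        return "medium", formats   # name suggests a secret; format unknown
    return "low", formats

def scan_env_text(text):
    """Return one finding per assignment in dotenv-style text, with values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ENV_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        name, value = m.group(1), m.group(2).strip()
        if not value:
            continue
        severity, formats = classify(name, value)
        findings.append({"line": lineno, "name": name, "severity": severity,
                         "formats": formats, "preview": value[:4] + "..."})
    return findings

# Constructed sample .env; values are the table's own example strings, not real keys.
SAMPLE_ENV = """\
# constructed sample, not real credentials
AMPLITUDE_API_KEY=a205ed9b06a7baf5a594bdd30293aa80
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_API_KEY="sk_test_abcdefgh1234567890"
export MAILCHIMP_API_KEY=d12a34567890123456789dcbef123456-us5
ZM_CLIENT_ID=abcdefghijklmnopqrstuvwxyz123456
APP_NAME=demo
"""
```

Findings carry only a four-character preview of each value, so the report itself does not become a second copy of the leaked secret.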