Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ozguralp/gmapsapiscanner
https://github.com/ozguralp/gmapsapiscanner
Last synced: 21 days ago
JSON representation
- Host: GitHub
- URL: https://github.com/ozguralp/gmapsapiscanner
- Owner: ozguralp
- License: mit
- Created: 2020-01-13T15:10:45.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-01-31T08:35:58.000Z (11 months ago)
- Last Synced: 2024-08-05T17:36:19.265Z (4 months ago)
- Language: Python
- Size: 62.5 KB
- Stars: 888
- Watchers: 24
- Forks: 173
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - ozguralp/gmapsapiscanner - (Python)
- awesome-rainmana - ozguralp/gmapsapiscanner - (Python)
README
# Google Maps API Scanner
Used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.***[Blog Post #1 - Unauthorized Google Maps API Key Usage Cases, and Why You Need to Care](https://medium.com/bugbountywriteup/unauthorized-google-maps-api-key-usage-cases-and-why-you-need-to-care-1ccb28bf21e)***
***[Blog Post #2 - Google Maps API (Not the Key) Bugs That I Found Over the Years](https://medium.com/bugbountywriteup/google-maps-api-not-the-key-bugs-that-i-found-over-the-years-781840fc82aa)***
***Please note that most of the bug bounty platforms marking this vulnerability type as informational/low impact. So please make sure that the platform or program is accepting this kind of issues before reporting.***
***Usage:***
- Download `maps_api_scanner.py` file and run as: `python3 maps_api_scanner.py` & paste API key wanted to test when asked. (Python2 is no longer supported.)
- Script will return `API key is vulnerable for XXX API!` message and the PoC link/code if determines any unauthorized access within this API key within any API's.
- Now it supports also api key as argument such as `python3 maps_api_scanner.py --api-key API_KEY`.***Checked APIs:***
- Staticmap API
- Streetview API
- Embed (Basic-Free) API (No longer checked since it is completely free.)
- Embed (Advanced-Paid) API (No longer checked since it is completely free.)
- Directions API
- Geocode API
- Distance Matrix API
- Find Place From Text API
- Autocomplete API
- Elevation API
- Timezone API
- Roads API
- Geolocation API
- Route to Traveled API
- Speed Limit-Roads API
- Place Details API
- Nearby Search-Places API
- Text Search-Places API
- Places Photo API
- Playable Locations API (API is deprecated.)
- FCM API
- Custom Search API***Semi-Auto Checked APIs:***
- JavaScript API***Notes:***
- Because JavaScript API needs manual confirmation from a web browser directly, only file is created via the script for manual checks/confirmation.
- For Staticmap, Streetview and Embed API's, if used from another domain instead of just testing from browser; whether referer checks are enabled or not on the server-side for the key, script still could return it as vulnerable due to a server-side vulnerability. If you cannot reproduce the vulnerability via browser while the script says so, please read the ***Blog Post #2*** for more information & a better understanding about what is going on.
- If you find any Google Maps API's which are not mentioned in this document/script, create an issue with details so I can also add them.
- Special thanks to [Yatin](https://twitter.com/ysirpaul) for his contributions on both discovery of additional API's & cost information!# Docker
To run this script in a Dockerized Alpine Linux environment, use the following commands:
```
docker build -t google_maps_api_scanner .
docker run --rm -v $(pwd):/opt/html -i docker.io/library/google_maps_api_scanner
```