Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sdushantha/dora

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found
https://github.com/sdushantha/dora

apikeys bugbounty bugcrowd ethical-hacking exploits hackerone infosec python regex

Last synced: 1 day ago
JSON representation

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

Host: GitHub
URL: https://github.com/sdushantha/dora
Owner: sdushantha
License: mit
Created: 2021-09-07T11:16:24.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2023-11-06T13:46:31.000Z (about 1 year ago)
Last Synced: 2025-01-07T00:33:02.769Z (8 days ago)
Topics: apikeys, bugbounty, bugcrowd, ethical-hacking, exploits, hackerone, infosec, python, regex
Language: Python
Homepage:
Size: 2.16 MB
Stars: 328
Watchers: 7
Forks: 49
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-hacking-lists - sdushantha/dora - Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found (Python)

README

        
dora



  



## Features

- Blazing fast as we are using `ripgrep` in backend

- Exploit/PoC steps for many of the API key, allowing to write a good report for bug bounty hunting

- Unlike many other API key finders, `dora` also shows the path to the file and the line with context for easier analysis

- Can easily be implemented into scripts. See [Example Use Cases](https://github.com/sdushantha/dora#example-use-cases)

## Installation

**Make sure to install [ripgrep](https://github.com/BurntSushi/ripgrep)**

```console

# clone the repo

$ git clone https://github.com/sdushantha/dora.git

# change the working directory to dora

$ cd dora 

# install dora

$ python3 setup.py install --user

```

## Usage

```console

$ dora --help

usage: dora [options]

positional arguments:

  PATH                  Path to directory or file to scan

optional arguments:

  -h, --help            show this help message and exit

  --rg-path RG_PATH     Specify path to ripgrep

  --rg-arguments RG_ARGUMENTS

                        Arguments you want to provide to ripgrep

  --json JSON           Load regex data from a valid JSON file (default: db/data.json)

  --verbose, -v, --debug, -d

                        Display extra debugging information

  --no-color            Don't show color in terminal output

```

## Example Use Cases 

1. Decompile an APK using `apktool` and run `dora` to find exposed API keys

2. Scan GitHub repos by cloning it and allowing `dora` to scan it

3. While scraping sites, run `dora` to scan for API keys

## Contributing

You are more than welcome to contribute in one of the following ways:

- Add or improve existing regular expressions for matching API keys

- Add or improve the `info` in the JSON data for an API key to better help the user getting a valid bug bounty report when reporting an API key they have found

- Fix bugs (kindly refrain from creating bugs)

## Credits

Original creator - [Siddharth Dushantha](https://github.com/sdushantha)

Many of the regular expressions where taken from the following GitHub repositories:

- [truffleHogRegexes](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json) by [dxa4481](https:/github.com/dxa4481)

- [secretx](https://github.com/harry1080/secretx/blob/master/patterns.json) by [harry1080](https:/github.com/harry1080)

- [gitGraber](https://github.com/hisxo/gitGraber/blob/master/tokens.py) by [hisxo](https://github.com/hisxo)

- [shhgit](https://github.com/eth0izzle/shhgit/blob/3ce441853d999dacf6e20e59b116c135dcdd0c68/config.yaml) by [eth0izzle](https://github.com/eth0izzle)

- [w13scan](https://github.com/w-digital-scanner/w13scan/blob/master/W13SCAN/scanners/PerFile/js_sensitive_content.py) by [w-digital-scanner](https://github.com/w-digital-scanner)

- [SecretFinder](https://github.com/m4ll0k/SecretFinder/blob/master/BurpSuite-SecretFinder/SecretFinder.py) by [m4ll0k](https://github.com/m4ll0k)

- [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates/blob/master/exposed-tokens/generic/credentials-disclosure.yaml) by [projectdiscovery](https://github.com/projectdiscovery)

- [AdvancedKeyHacks](https://github.com/udit-thakkur/AdvancedKeyHacks/blob/master/hackcura_apikey_hacks.sh) by [udit-thakkur](https://github.com/udit-thakkur)

- [pentest-tools](https://github.com/gwen001/pentest-tools/blob/master/keyhacks.sh) by [gwen001](https://github.com/gwen001)

- [gitleaks](https://github.com/zricethezav/gitleaks) by [zricethezav](https://github.com/zricethezav)

- [dalfox](https://github.com/hahwul/dalfox/blob/1f32f3494e1aa3312f84b3e2a836eb61a9ae9aac/pkg/scanning/grep.go) by [hahwul](https://github.com/hahwul)

Majority of the exploitation/POC methods were taken from [keyhacks](https://github.com/streaak/keyhacks) repository by [streaak](https://github.com/streaak)