Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/trufflesecurity/Trufflehog-Chrome-Extension

Last synced: about 2 months ago
JSON representation

Host: GitHub
URL: https://github.com/trufflesecurity/Trufflehog-Chrome-Extension
Owner: trufflesecurity
License: gpl-2.0
Created: 2021-03-07T00:22:59.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2021-10-16T18:14:24.000Z (almost 3 years ago)
Last Synced: 2024-06-15T01:46:44.181Z (3 months ago)
Language: JavaScript
Size: 71.3 KB
Stars: 360
Watchers: 31
Forks: 38
Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-bugbounty-tools - Trufflehog-Chrome-Extension - Trufflehog-Chrome-Extension (Miscellaneous / Secrets)

README

## Talk explaining this extension

https://www.youtube.com/watch?v=i9b5Yij_HV4

## Questions? Feedback? Join our slack

https://join.slack.com/t/trufflehog-community/shared_invite/zt-nzznzf8w-y1Lg4PnnLupzlYuwq_AUHA

## Install instructions

The extension is available for install here https://chrome.google.com/webstore/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc

Here's what to do if you find these keys:

## AWS keys
AWS has a rich API and sadely you may have to test a bunch of commands. List buckets might be a good start https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html

## Slack webhook keys
These are a problem almost always, see https://cybersecurity.att.com/blogs/labs-research/slack-phishing-attacks-using-webhooks

## Algelia
These keys have access controls, a typical public key should not have access to the usage API, otherwise it could be an issue:
```
curl -X GET \
-H "X-Algolia-API-Key: ${API_KEY}" \
-H "X-Algolia-Application-Id: ${APPLICATION_ID}" \
--compressed \
"https://usage.algolia.com/1/usage/records?startDate=2020-07-15T00:00:00Z&endDate=2020-07-16T00:00:00Z&granularity=daily"
{"status":401,"message":"The provided API key is missing the \"usage\" ACL"}%
```

## Amplitude
You should not be able to export all data out of amplitude with a typical public key
```
curl -u API_Key:${KEY} 'https://amplitude.com/api/2/export?start=20150201T5&end=20150203T20'
403: Forbidden403: Forbidden%
```

## Bugsnag API
You should not be able to pull the orginization name
```
curl --get 'https://api.bugsnag.com/user/organizations' \
--header 'Authorization: token ${TOKEN}' \
--header 'X-Version: 2'
{"errors":["Bad Credentials"]}%
```

## Google maps
This is untested, I found this repo for google map keys https://github.com/ozguralp/gmapsapiscanner

These keys also follow the same format for many other API's such as gmail/drive/cloud/etc... so this tool likely doesn't give full coverage

## Json web tokens
JWT's are interesting not just because they go to API's, but also because you can crack their secret in hashcat if they're alg `hs`
you can decode them here to figure out their algorithm https://jwt.io/
and you can crack them here https://hashcat.net/wiki/doku.php?id=example_hashes with flag `-m 16500`