Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/trufflesecurity/Trufflehog-Chrome-Extension
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/trufflesecurity/Trufflehog-Chrome-Extension
- Owner: trufflesecurity
- License: gpl-2.0
- Created: 2021-03-07T00:22:59.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-10-16T18:14:24.000Z (about 3 years ago)
- Last Synced: 2024-08-01T10:17:18.553Z (3 months ago)
- Language: JavaScript
- Size: 71.3 KB
- Stars: 359
- Watchers: 31
- Forks: 39
- Open Issues: 8
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-bugbounty-tools - Trufflehog-Chrome-Extension - Trufflehog-Chrome-Extension (Miscellaneous / Secrets)
README
## Talk explaining this extension
https://www.youtube.com/watch?v=i9b5Yij_HV4
## Questions? Feedback? Join our slack
https://join.slack.com/t/trufflehog-community/shared_invite/zt-nzznzf8w-y1Lg4PnnLupzlYuwq_AUHA
## Install instructions
The extension is available for install here https://chrome.google.com/webstore/detail/trufflehog/bafhdnhjnlcdbjcdcnafhdcphhnfnhjc
Here's what to do if you find these keys:
## AWS keys
AWS has a rich API and sadly you may have to test a bunch of commands. List buckets might be a good start: https://docs.aws.amazon.com/cli/latest/reference/s3api/list-buckets.html
## Slack webhook keys
These are a problem almost always, see https://cybersecurity.att.com/blogs/labs-research/slack-phishing-attacks-using-webhooks
## Algolia
These keys have access controls. A typical public key should not have access to the usage API; if it does, it could be an issue:
```
curl -X GET \
-H "X-Algolia-API-Key: ${API_KEY}" \
-H "X-Algolia-Application-Id: ${APPLICATION_ID}" \
--compressed \
"https://usage.algolia.com/1/usage/records?startDate=2020-07-15T00:00:00Z&endDate=2020-07-16T00:00:00Z&granularity=daily"
{"status":401,"message":"The provided API key is missing the \"usage\" ACL"}%
```
## Amplitude
You should not be able to export all data out of Amplitude with a typical public key:
```
curl -u API_Key:${KEY} 'https://amplitude.com/api/2/export?start=20150201T5&end=20150203T20'
403: Forbidden403: Forbidden%
```
## Bugsnag API
You should not be able to pull the organization name:
```
curl --get 'https://api.bugsnag.com/user/organizations' \
--header "Authorization: token ${TOKEN}" \
--header 'X-Version: 2'
{"errors":["Bad Credentials"]}%
```
## Google maps
This is untested, I found this repo for Google Maps keys: https://github.com/ozguralp/gmapsapiscanner

These keys also follow the same format for many other APIs such as gmail/drive/cloud/etc... so this tool likely doesn't give full coverage
## JSON web tokens
JWTs are interesting not just because they go to APIs, but also because their secret can be cracked in hashcat if their `alg` is an `HS` (HMAC) variant.
You can decode them at https://jwt.io/ to figure out their algorithm, and crack them with hashcat using the flag `-m 16500` (see https://hashcat.net/wiki/doku.php?id=example_hashes).
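To check a found token's algorithm without pasting it into a website, the header can be decoded locally. The following is an added example, not code from this extension; it assumes Node.js, and the function names and sample tokens are constructed for illustration.

```javascript
// Added example: decode a JWT header locally and report whether it is HMAC-signed.
// Assumes Node.js (global Buffer). All names below are hypothetical.

function b64urlDecode(segment) {
  // base64url -> base64: swap the URL-safe characters and restore padding
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function b64urlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function inspectJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    return { ok: false, reason: "not a three-segment compact token" };
  }
  let header;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
  } catch (e) {
    return { ok: false, reason: "header is not base64url-encoded JSON" };
  }
  if (header === null || typeof header !== "object" || typeof header.alg !== "string") {
    return { ok: false, reason: "header has no string alg field" };
  }
  // HS256/HS384/HS512 are signed with a shared secret, so the strength of
  // that secret is the only thing protecting the token's integrity.
  const hmac = /^HS(256|384|512)$/.test(header.alg);
  return { ok: true, alg: header.alg, hmac };
}

// Constructed sample token (the signature segment is a dummy value).
function makeSample(alg) {
  const header = b64urlEncode(JSON.stringify({ alg: alg, typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ sub: "constructed-example" }));
  return header + "." + payload + ".c2lnbmF0dXJl";
}

console.log(inspectJwt(makeSample("HS256"))); // HMAC-signed
console.log(inspectJwt(makeSample("RS256"))); // asymmetric signature
console.log(inspectJwt("not-a-jwt"));         // rejected as malformed
```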