A list of different types of API keys and how to prove impact for bug bounty programs.

TargetPackage/api-key-impact

API Key Impact

When auditing website security, one common weakness is exposed API keys, often in the form of environment variables in a file with public read access. Whether conducting a sanctioned penetration test or participating in a bug bounty program, it is often necessary to either expand access or prove impact to the business in question. The purpose of this list is to detail examples of types of API credentials and how they can be leveraged to exploit a site.

The list is most useful when viewed fullscreen here.

| Variable | Private | Example | Purpose |
|---|---|---|---|
| AMPLITUDE_API_KEY | N | a205ed9b06a7baf5a594bdd30293aa80 | The Amplitude API key is intended to be public; it is used to identify an Amplitude application for analytical purposes. |
| AWS_ACCESS_KEY_ID | Y | AKIAIOSFODNN7EXAMPLE | The AWS Access Key ID is used for programmatic access to Amazon Web Services (AWS) resources. |
| DROPBOX_API_TOKEN | Y | abc123def456ghi789jkl01mno234pqr | The Dropbox API token grants access to files and data stored in Dropbox accounts. Protecting it is crucial to maintain data integrity. |
| FACEBOOK_API_KEY | Y | abcdefghijklmnopqrstuvwxyz987654 | The Facebook API key is used to integrate Facebook services into apps and websites, allowing for features like social login and sharing. |
| GITHUB_API_TOKEN | Y | 0123456789abcdef0123456789abcdef | The GitHub API token is used for programmatic access to GitHub's repositories, issues, and user data. |
| GOODREADS_API_KEY | Y | AABBCCDDEEFF00112233445566778899 | The Goodreads API allows developers access to Goodreads data in order to help websites or applications that deal with books be more personalized, social, and engaging. With OAuth authorization, an API token can be used to interact with accounts on behalf of a user. The site is no longer issuing new API tokens, meaning the existing tokens are more valuable. |
| GOOGLE_MAPS_API_KEY | Y | AIzaSyD3vS5UEOJmNpR5Q5bXnqYf4qPiWg | The Google Maps API key allows access to mapping services and geolocation data. Protecting this key is essential to prevent unauthorized usage. |
| INSTAGRAM_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Instagram API key is used to interact with Instagram's API for tasks like retrieving user photos and media content. |
| LINKEDIN_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The LinkedIn API key allows access to LinkedIn's data and integration into apps for professional networking. |
| MAILCHIMP_API_KEY | Y | d12a34567890123456789dcbef123456-us5 | The Mailchimp API key is used for integration with email marketing services, including sending newsletters and managing subscribers. |
| MICROSOFT_GRAPH_API | Y | abcdefghijklmnopqrstuvwxyz123456 | The Microsoft Graph API key is used for accessing data from Microsoft 365 services such as email, calendar, and contacts. |
| PAYPAL_CLIENT_ID | Y | AbCdEfGhIjKlMnOpQrStUvWxYz12345678 | The PayPal client ID is used to initiate and process PayPal payments on websites and apps. Safeguarding it is critical for secure transactions. |
| SPOTIFY_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Spotify API key is used for integrating music streaming and playlists into apps and websites. |
| STRIPE_API_KEY | Y | sk_test_abcdefgh1234567890 | The Stripe API key is a private key used for secure communication with Stripe payment services. It should never be exposed publicly to prevent unauthorized transactions. |
| TRELLO_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Trello API key is used for managing Trello boards, lists, and cards programmatically. |
| TWILIO_API_SID | Y | SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | The Twilio API SID is a secret identifier for accessing Twilio's communication services, such as sending SMS or making phone calls programmatically. |
| TWITCH_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Twitch API key is used to access and interact with Twitch streaming and chat services. |
| TWITTER_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Twitter API key is used to authenticate and access Twitter's API for tasks such as posting tweets or reading user timelines. |
| YOUTUBE_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The YouTube API key is used for integrating YouTube video content and data into apps and websites. |
| ZM_CLIENT_ID | N | abcdefghijklmnopqrstuvwxyz123456 | The Zoom client ID is used to identify a specific application when communicating with the Zoom video conferencing backend. |
| ZM_CLIENT_SECRET | Y | abcdefghijklmnopqrstuvwxyz123456 | The Zoom client secret is used to securely authenticate a client ID with the backend in conjunction with an (optionally) specified OAuth redirect URL. With this and the client ID, requests can be made to the Zoom application on behalf of the key's owning organization. |
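As an added example (not part of this repository), the following Python triage helper turns the table above into a check you can run over a publicly readable `.env`-style file: it maps each known variable to its Private flag, rates a finding accordingly, and checks the value against format hints derived from the table's example values (the `AKIA` prefix, `sk_test_`/`sk_live_`, the Mailchimp `-usN` suffix, the `SK` SID prefix). The sample file content is constructed from the table's own placeholder values; the variable list covers only part of the table and the format regexes are assumptions, not vendor-published specifications.

```python
import re

# Private flag taken from the table above: True = secret, must not be public.
PRIVATE = {
    "AMPLITUDE_API_KEY": False, "AWS_ACCESS_KEY_ID": True, "DROPBOX_API_TOKEN": True,
    "GITHUB_API_TOKEN": True, "GOOGLE_MAPS_API_KEY": True, "MAILCHIMP_API_KEY": True,
    "STRIPE_API_KEY": True, "TWILIO_API_SID": True, "ZM_CLIENT_ID": False,
    "ZM_CLIENT_SECRET": True,
}

# Format hints inferred from the table's example values (assumptions, not vendor specs).
# A mismatch does not suppress the finding; it is recorded so the report can note it.
FORMAT_HINTS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "STRIPE_API_KEY": re.compile(r"^sk_(test|live)_[A-Za-z0-9]+$"),
    "MAILCHIMP_API_KEY": re.compile(r"^[0-9a-f]{32}-us\d+$"),
    "TWILIO_API_SID": re.compile(r"^SK[0-9A-Za-z]{32}$"),
}

# Matches dotenv-style assignments, with optional `export` and optional quotes.
ASSIGN = re.compile(r'^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=\s*["\']?([^"\'#\s]+)')


def redact(value):
    """Keep only the ends of a value so a report never reproduces the full secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def triage_env(text):
    """Return one finding per known variable found in a dotenv-style text."""
    findings = []
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m or m.group(1) not in PRIVATE:
            continue
        name, value = m.groups()
        hint = FORMAT_HINTS.get(name)
        findings.append({
            "name": name,
            "private": PRIVATE[name],
            "severity": "high" if PRIVATE[name] else "info",
            "format_ok": bool(hint.match(value)) if hint else None,
            "value": redact(value),
        })
    return findings


# Constructed sample .env content using the table's placeholder values.
SAMPLE_ENV = """# constructed sample, values are placeholders from the table
AMPLITUDE_API_KEY=a205ed9b06a7baf5a594bdd30293aa80
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
STRIPE_API_KEY=sk_test_abcdefgh1234567890
MAILCHIMP_API_KEY=d12a34567890123456789dcbef123456-us5
TWILIO_API_SID=notasid
SOME_OTHER_VAR=ignored
"""
```

Running `triage_env(SAMPLE_ENV)` yields four high-severity findings and one informational one (Amplitude, public by design), with the malformed Twilio value flagged as `format_ok: False` rather than dropped.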
