Hey guys,
Today I will talk a little about how to find and test Google Maps API keys.
I could mention tools that help with the search, such as the well-known nuclei and dalfox, but that is not the focus here.
You could also write your own tool to automate the search.
In this article I want to show, by hand, how to locate these keys and how to test them to confirm that they are really unrestricted and can generate costs for the company.
We have all come across a map embedded on a website showing the exact location of a company, store, etc.
Well… here's a simple example:
Let's call our target teste.com. When we access the path “/contact” on the site, we find a Google Map:
https://teste.com/contact.html
When we look at the page source, we find the Google Maps API key, as shown in the screenshot below:
Note: finding the key in the source code does not by itself mean it is vulnerable. A key for the Maps JavaScript API has to be shipped to the browser, so its exposure is expected; what matters is whether the key carries application restrictions (allowed HTTP referrers) and API restrictions (which Google APIs it may call). That is what we test next.
First we need to test the key and confirm that it is not restricted, meaning that anyone could use it outside the original site, for example by embedding it in their own page.
Google's own documentation provides a ready-made HTML example that we can use for the test:
URL: https://developers.google.com/maps/documentation/javascript/examples/map-simple#maps_map_simple-html
On that page, click the JSFiddle link to open the HTML in an online editor, replace the example key with the target's key and load the map. JSFiddle is not the target's domain, so a key with an HTTP referrer restriction would fail here: the map shows “This page can't load Google Maps correctly” and the browser console reports RefererNotAllowedMapError.
The example below shows that the key is vulnerable: it has no restrictions, so the map loads outside the domain where we found it.
Now, for comparison, here is a key I found in another bug bounty program that is not vulnerable; with the referrer restriction in place the map refuses to load:
The second step is to find out what costs this key can generate. For that I use the gmapsapiscanner tool, available on GitHub:
Google Maps API Scanner
It is written in Python 3 and very simple to use:
After entering the API key and running the tool, we get this result:
Oops… it tells us that the key is accepted by the Static Maps API and the Street View Static API, and below each finding it prints a vulnerable URL as a PoC.
At the end of the scan it lists, for each API the key can call without restriction, the price per thousand requests:
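To make both checks above reproducible from the command line (the "does the key work outside the site?" test and the "which billable APIs accept it?" scan), here is an added example. It is my own code, not the post's and not the gmapsapiscanner tool. The endpoint list, the coordinates, the User-Agent string and the sample responses are assumptions chosen for illustration; the sample responses are constructed, not captured from any real key.

```python
"""Probe a Google Maps API key against several billable endpoints.

Added example for this post; not gmapsapiscanner and not the author's code.
Endpoints, coordinates, User-Agent and SAMPLE_RESPONSES are assumptions.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

BASE = "https://maps.googleapis.com/maps/api/"

# Minimal valid request per API. Coordinates/addresses are arbitrary
# (constructed for this example); the key is appended by probe_key().
ENDPOINTS = {
    "staticmap": "staticmap?center=48.8584,2.2945&zoom=14&size=400x400",
    "streetview": "streetview?size=400x400&location=48.8584,2.2945",
    "geocode": "geocode/json?address=Paris",
    "directions": "directions/json?origin=Paris&destination=Lyon",
}


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Return 'accepted' (served, so billable), 'rejected' or 'unknown'.

    Image endpoints (Static Maps, Street View Static) answer a usable key
    with an image and a restricted one with a text error. JSON endpoints
    always answer with a document whose 'status' is OK/ZERO_RESULTS when
    the key is accepted and REQUEST_DENIED when a restriction blocks it.
    """
    ctype = content_type.split(";")[0].strip().lower()
    if ctype.startswith("image/"):
        return "accepted" if status == 200 else "rejected"
    if ctype == "application/json":
        try:
            api_status = json.loads(body.decode("utf-8", "replace")).get("status")
        except (ValueError, AttributeError):
            return "unknown"
        if api_status in ("OK", "ZERO_RESULTS"):
            return "accepted"
        return "rejected" if api_status == "REQUEST_DENIED" else "unknown"
    # Plain-text/HTML error body from an image endpoint, or something odd.
    return "rejected" if status in (400, 403) else "unknown"


def fetch(url: str, referer: Optional[str] = None,
          timeout: int = 10) -> Tuple[int, str, bytes]:
    """GET one URL; return (status, content-type, body) for any HTTP status."""
    req = urllib.request.Request(url, headers={"User-Agent": "key-probe/1.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def probe_key(key: str, referer: Optional[str] = None) -> dict:
    """Live probe: one request per endpoint, classified by classify_response."""
    results = {}
    for name, path in ENDPOINTS.items():
        url = BASE + path + "&key=" + urllib.parse.quote(key, safe="")
        results[name] = classify_response(*fetch(url, referer))
    return results


# Constructed responses (not captured from a real key) so the classifier
# can be exercised offline; the error strings are illustrative only.
SAMPLE_RESPONSES = {
    "staticmap": (200, "image/png", b"\x89PNG\r\n\x1a\n..."),
    "streetview": (403, "text/html; charset=UTF-8",
                   b"The server rejected your request (illustrative text)."),
    "geocode": (200, "application/json; charset=UTF-8",
                b'{"results": [], "status": "REQUEST_DENIED"}'),
    "directions": (200, "application/json; charset=UTF-8",
                   b'{"routes": [{}], "status": "OK"}'),
}


def classify_samples() -> dict:
    """Offline counterpart of probe_key() over SAMPLE_RESPONSES."""
    return {n: classify_response(*r) for n, r in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # usage: python probe.py API_KEY [https://teste.com/]
    api_key = sys.argv[1]
    site = sys.argv[2] if len(sys.argv) > 2 else None
    print("without Referer:", probe_key(api_key))
    if site:
        # Rejected without Referer but accepted with the site's own Referer
        # means an HTTP-referrer restriction is configured. The header is
        # client controlled, so this proves the restriction exists, not that
        # it cannot be forged; it should be paired with API restrictions.
        print("with Referer", site, "->", probe_key(api_key, site))
```

Run it once without and once with the target's URL as second argument: an "accepted" result without any Referer means the key is usable by anyone for that API, which is exactly what the scanner reports as vulnerable. The Maps JavaScript API itself is not in the list on purpose: its `maps/api/js` endpoint serves the script regardless of the key, and the referrer check only surfaces in the browser, which is why the JSFiddle test above is still needed for that API.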
Impact:
An attacker can consume the company's monthly quota or, if no budget limits are configured on the Google Cloud project, run up unauthorized usage that is billed to the company and causes financial loss.
For those interested, here are the API security best practices:
I had already made numerous reports of this type on HackerOne and always got duplicates, until one day a report went through triage and received a bounty. =)
In fact, it is not a critical vulnerability, nor a difficult one to exploit, but it generates costs for companies, and I thought it was interesting to share this experience with you.
Thanks for reading and until next time. ;)