GCP - API Keys Unauthenticated Enum
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
For more information about API Keys check:
GCP - API Keys Enum
Google API keys are widely used by all kinds of applications that use them from the client side. It's common to find them in website source code or network requests, in mobile applications, or simply by searching for the regex on platforms like GitHub.
The regex is: AIza[0-9A-Za-z_-]{35}
For example, search for it on GitHub with: https://github.com/search?q=%2FAIza%5B0-9A-Za-z_-%5D%7B35%7D%2F&type=code&ref=advsearch
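The same pattern can be run over your own source, bundles and app resources before they are published. The following is an added example, not part of the original page: the function names, the sample file names and the boundary lookarounds around the page's regex are assumptions, and the keys are constructed placeholders.

```python
import re

# Pattern from the page, wrapped in lookarounds (an addition here) so that a
# 39-character window inside a longer token is not reported as a key.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_-])AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])")


def redact(key):
    """Keep enough of the key to identify it without re-leaking it in reports."""
    return key[:8] + "..." + key[-4:]


def scan_text(name, text):
    """Return one finding per key occurrence: (source name, line no, redacted key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_sources(sources):
    """Scan a {name: text} mapping, e.g. files staged for commit or a built JS bundle."""
    findings = []
    for name, text in sorted(sources.items()):
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample inputs; the keys below are fake placeholders.
FAKE_KEY = "AIza" + "X" * 35
SAMPLE = {
    "web/config.js": 'const cfg = {\n  apiKey: "' + FAKE_KEY + '",\n};\n',
    "app/strings.xml": '<string name="maps_key">' + FAKE_KEY + "</string>\n",
    "docs/notes.txt": "token=" + "AIza" + "X" * 40 + "\nprefix AIza only\n",
}

if __name__ == "__main__":
    for name, lineno, key in scan_sources(SAMPLE):
        print(f"{name}:{lineno}: possible Google API key {key}")
```

Any key this reports in client-side code should be treated as public and given API and application restrictions in the project that owns it.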
apikeys.keys.lookup
This is extremely useful for checking which GCP project an API key that you have found belongs to:
As you might not know which APIs are enabled in the project, it would be interesting to run the tool https://github.com/ozguralp/gmapsapiscanner and check what you can access with the API key.