Secret Key Exposure in API Config Directory

Hello,

My name is Ahmad Halabi, Founder & CTO at Cybit Sec, and I am currently a part-time bug bounty hunter, mostly on HackerOne.

At the beginning of this month, I got an invitation to a private program specialized in Big Data and Integration services. The scope was limited to a website with a dashboard.

Going after the dashboard, I was able to find one valid bug. Then, while checking the traffic in Burp Suite, I found that this dashboard has an API at the following location: https://redacted.com/api.

Time For Some Recon:

The first interesting thing to do is discovering API content and directories. So I used a wordlist that I usually customize and the FFUF tool to brute-force the API content.

I found an interesting directory called config: https://redacted.com/api/config. After checking its content, I found that there is a token called `LoginUrlSecretKey`, and its value is something like: S#@x%^&$!1 … This value caught my attention.

Doing Additional Recon About Key Value:

So I found a secret key that is probably used for API login purposes. My main goal after that was to find out where the token is used.

I tried several methods and techniques to detect where the key is used, or any other useful information connected to that key. Below are some of the steps that I took:

This means that there are two possibilities:
1. Either the secret key is a dummy key used for testing purposes.
2. Or the key is truly secret, as its name suggests, since I didn't find any information related to it in my recon.

So I decided to report the issue based on the second assumption.

Reporting The Bug:

Lesson Learned:

There are times when you find a secret key, token or password and you don't know how it can be used, or whether it is an exposed secret or not.
Some programs don't accept the report because you are unable to prove that the exposed key is sensitive, since you don't know where or how to use it. So try flipping the scenario around and prove to them that the key is secret because nothing related to it can be found publicly on the internet, by demonstrating the recon approach you used to establish that.
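The same question the post wrestles with (is this key a dummy value or a live secret?) is one the owning team can answer for itself before the config endpoint ever goes live. The following is an added example, not code from the original post or from the program involved: a small scanner that walks a config response, picks out secret-named fields, and separates obvious placeholders from values that look like real credentials. The field names, the sample response body and the entropy threshold are assumptions made for the example; the `LoginUrlSecretKey` name is the only thing taken from the post, and its sample value here is constructed.

```python
"""Flag secret-looking values in an API config response.

Added example (not from the original post): a defender-side check you can
run against your own /api/config output before it ships, so that a key such
as `LoginUrlSecretKey` never reaches an unauthenticated endpoint. The field
names, sample values and thresholds below are constructed assumptions.
"""
import json
import math
import re

# Field names that suggest a credential (assumption: conventional naming).
SECRET_NAME_RE = re.compile(
    r"(secret|token|passw(or)?d|api[_-]?key|private[_-]?key)", re.I
)

# Values that are obviously placeholders rather than live credentials.
PLACEHOLDER_RE = re.compile(
    r"^(|changeme|dummy|test|example|xxx+|todo|<[^>]*>|\$\{[^}]*\})$", re.I
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; live secrets usually score above ~3."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf in a nested JSON object."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def classify(name: str, value) -> str:
    """Return 'exposed', 'placeholder' or 'ok' for one config field."""
    if not SECRET_NAME_RE.search(name) or not isinstance(value, str):
        return "ok"  # not secret-named, or a number/bool such as a TTL
    if PLACEHOLDER_RE.match(value):
        return "placeholder"
    # Short or low-entropy strings are most likely test data; anything
    # else is treated as a live secret that must not be served publicly.
    if len(value) >= 8 and shannon_entropy(value) >= 3.0:
        return "exposed"
    return "placeholder"


def scan_config(raw_json: str):
    """Return [(path, verdict)] for every secret-named string field."""
    findings = []
    for path, value in flatten(json.loads(raw_json)):
        leaf_name = path.rsplit(".", 1)[-1]
        verdict = classify(leaf_name, value)
        if verdict != "ok":
            findings.append((path, verdict))
    return findings


# Constructed sample response, modelled on the kind of body the post describes.
SAMPLE_CONFIG = json.dumps({
    "appName": "dashboard",
    "LoginUrlSecretKey": "S#@x%^&$!1kQ9zLm",  # constructed value
    "auth": {"tokenTtlSeconds": 3600, "apiKey": "changeme"},
    "features": ["export", "import"],
})

if __name__ == "__main__":
    for path, verdict in scan_config(SAMPLE_CONFIG):
        print(f"{verdict:12} {path}")
```

Run it as a pre-deploy check or a CI step that fetches the unauthenticated config endpoint and fails the build on any `exposed` verdict; a `placeholder` verdict is still worth a look, because it shows a credential-shaped field is being served to anonymous clients at all.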

I hope you will give my startup company `Cybit Sec` a follow on its social media profiles: Twitter, LinkedIn, Facebook, Instagram.

For those who haven't yet read my article about how I started bug bounty hunting, how I ranked 1st at the U.S. Dept. of Defense (2019) and how I reached the top 100 hackers on HackerOne, you can find it below.

The article also contains all needed resources to start learning and a lot of valuable tips.

Good Luck :)

Thanks For Reading!

Cyber Security Specialist | Hacker | Founder & CTO at Cybit Sec
