For crawling the endpoints of a web application you can use tools such as Burp Crawler, gau, or waybackurls. I will be using Hakrawler. Hakrawler is a web crawler written in Go, designed for easy, quick discovery of endpoints and assets within a web application.
The first step is to find and sort the JavaScript files belonging to the selected target host, “example.com”.
Alternatively, we can use Burp Suite to crawl the website by simply navigating through it, and then filter the proxied traffic for .js files once the crawl is done.
waybackurls example.com | grep "\.js" | sort | uniq > js.txt
This saves the sorted, de-duplicated list of JavaScript URLs in a file, “js.txt” (note that uniq only removes adjacent duplicates, so the input has to be sorted first).
Validate the API Keys
Feed this sorted list to mantra with the following command:
cat js.txt | mantra
For each endpoint, the output shows the key or secret that was found together with a validation of whether that key is a true positive or not.
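As an added example, not mantra's own code, the scanner below shows the kind of pattern matching behind the "validate the API keys" step: it reads a crawled JavaScript file, flags Google API keys and AWS access key IDs by their public formats, and catches generic apiKey assignments with no recognisable prefix. The sample script and all keys in it are constructed; whether a flagged key is actually over-privileged is a provider-side check (see the restrictions discussed below).

```python
from __future__ import annotations
import re
from typing import NamedTuple

class Finding(NamedTuple):
    source: str  # file or URL the JavaScript came from
    line: int    # 1-based line number in that file
    kind: str    # which pattern matched
    value: str   # the candidate key

# Provider patterns follow public key formats; the generic rule catches
# assignments such as apiKey: "..." that carry no recognisable prefix.
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
GENERIC = re.compile(r"(?i)\bapi[_-]?key\b\s*[:=]\s*['\"]([A-Za-z0-9_-]{16,})['\"]")


def scan_js(source: str, text: str) -> list[Finding]:
    """Return one Finding per distinct (kind, value) in the script, in file order."""
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if (kind, m.group()) not in seen:
                    seen.add((kind, m.group()))
                    findings.append(Finding(source, lineno, kind, m.group()))
        # Report a generic hit only when no provider pattern already claimed the value.
        for m in GENERIC.finditer(line):
            if not any(v == m.group(1) for _, v in seen):
                seen.add(("generic_api_key", m.group(1)))
                findings.append(Finding(source, lineno, "generic_api_key", m.group(1)))
    return findings


# Constructed JavaScript standing in for a crawled bundle; the keys are fake.
SAMPLE_GOOGLE_KEY = "AIza" + "SyEXAMPLE" + "0" * 26  # AIza + 35 characters
SAMPLE_AWS_KEY_ID = "AKIA" + "EXAMPLE" + "0" * 9     # AKIA + 16 characters
SAMPLE_JS = f"""
const firebaseConfig = {{ apiKey: "{SAMPLE_GOOGLE_KEY}", projectId: "demo" }};
var s3 = new AWS.S3({{ accessKeyId: "{SAMPLE_AWS_KEY_ID}" }});
const cfg = {{ api_key: 'internal_service_key_0123456789' }};
"""

if __name__ == "__main__":
    for f in scan_js("app.bundle.js", SAMPLE_JS):
        print(f"{f.source}:{f.line} {f.kind} {f.value}")
```

Point scan_js at the files behind each URL in js.txt; a Firebase key found by the google_api_key rule is expected in client code, while an AWS access key ID or a generic internal key is a finding to triage.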
Some API keys are meant to be exposed in a client-side script; Firebase project API keys, for example, are designed to be public. Other API keys are not meant to be exposed and have a much broader scope. For example, if you are pen testing a web application and find a client-side secret key, that key can be used to test the application's OAuth functionality for misconfigurations. Another example is an exposed Google API key that has the Geocoding API enabled, which should not be exposed to the public unnecessarily.
There are some good ways to prevent this unintended exposure. One major step is to set API key restrictions, even on keys that are meant to be exposed, and configure the API keys to be URL-specific, so that the key is only usable from the specified URLs. This means that even if an attacker obtains your key, it is rendered useless outside of the designated URLs. Additionally, implementing a secret manager helps you securely store, manage, retrieve, and rotate your application secrets.
There are several secret manager service providers available, such as Azure Key Vault, Google Cloud Secret Manager, AWS Secrets Manager, etc.
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.