ozguralp/gmapsapiscanner ozguralp/gmapsapiscanner

  • Stars
    star
    860
  • Rank 53,022 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created almost 5 years ago
  • Updated 10 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
ozguralp/gmapsapiscanner
github

ozguralp

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Google Maps API Scanner

Used for determining whether a leaked/found Google Maps API Key is vulnerable to unauthorized access by other applications or not.

Blog Post #1 - Unauthorized Google Maps API Key Usage Cases, and Why You Need to Care

Blog Post #2 - Google Maps API (Not the Key) Bugs That I Found Over the Years

Please note that most of the bug bounty platforms marking this vulnerability type as informational/low impact. So please make sure that the platform or program is accepting this kind of issues before reporting.

Usage:

  • Download maps_api_scanner.py file and run as: python maps_api_scanner.py & paste API key wanted to test when asked.
  • Script will return API key is vulnerable for XXX API! message and the PoC link/code if determines any unauthorized access within this API key within any API's.
  • Now it supports also api key as argument such as python maps_api_scanner.py --api-key API_KEY.
  • If you want to use python3, download maps_api_scanner_python3.py file and run as: python3 maps_api_scanner_python3.py.

Checked APIs:

  • Staticmap API
  • Streetview API
  • Embed (Basic-Free) API (No longer checked since it is completely free.)
  • Embed (Advanced-Paid) API (No longer checked since it is completely free.)
  • Directions API
  • Geocode API
  • Distance Matrix API
  • Find Place From Text API
  • Autocomplete API
  • Elevation API
  • Timezone API
  • Roads API
  • Geolocation API
  • Route to Traveled API
  • Speed Limit-Roads API
  • Place Details API
  • Nearby Search-Places API
  • Text Search-Places API
  • Places Photo API
  • Playable Locations API
  • FCM API
  • Custom Search API

Semi-Auto Checked APIs:

  • JavaScript API

Notes:

  • Because JavaScript API needs manual confirmation from a web browser directly, only file is created via the script for manual checks/confirmation.
  • For Staticmap, Streetview and Embed API's, if used from another domain instead of just testing from browser; whether referer checks are enabled or not on the server-side for the key, script still could return it as vulnerable due to a server-side vulnerability. If you cannot reproduce the vulnerability via browser while the script says so, please read the Blog Post #2 for more information & a better understanding about what is going on.
  • If you find any Google Maps API's which are not mentioned in this document/script, create an issue with details so I can also add them.
  • Special thanks to Yatin for his contributions on both discovery of additional API's & cost information!

Docker

To run this script in a Dockerized Alpine Linux environment, use the following commands:

docker build -t google_maps_api_scanner .
docker run --rm -v $(pwd):/opt/html -i docker.io/library/google_maps_api_scanner <api key>

More Repositories

1

synackapi

Python
61
star