streaak / keyhacks

Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.

Update to Shodan API #160

Open loveapis opened 1 month ago

loveapis commented 1 month ago

The /notifier Shodan API endpoint discloses the email address attached to the API key thereby allowing the tester to verify if the Shodan API key belongs to a program or company under pentest.

For instance, if the response to the request is:

```json
{
    "matches": [
        {
            "description": null,
            "args": {
                "to": "example@example.com"
            },
            "provider": "email",
            "id": "default"
        },
        ...
    ],
    "total": 2
}
```

The tester can then make a report to the example site with proof that the API key belongs to one of their employees/staff.