Alchemy API Key Exposed

Open Caglankaan opened 3 months ago
Request

```http
POST /v1/graphql HTTP/2
Host: graphql.union.build
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: application/graphql-response+json, application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.union.build/
Content-Type: application/json
Content-Length: 856
Origin: https://app.union.build
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

{"query":"query ChainsQuery @cached(ttl: 30) {\n v0_chains(where: {enabled: {_eq: true}}, order_by: {display_name: asc}) {\n display_name\n testnet\n chain_id\n enabled\n id\n rpc_type\n addr_prefix\n rpcs(where: {enabled: {_eq: true}}) {\n url\n type\n }\n ucs1_configurations {\n channel_id\n contract_address\n destination_chain {\n chain_id\n }\n forward {\n channel_id\n destination_chain {\n chain_id\n }\n port\n }\n }\n explorers {\n tx_url\n block_url\n address_url\n }\n assets {\n denom\n display_symbol\n display_name\n decimals\n faucets(where: {enabled: {_eq: true}}) {\n url\n display_name\n }\n }\n }\n}","variables":{},"operationName":"ChainsQuery"}
```
Response

```http
HTTP/2 200 OK
Date: Tue, 02 Jul 2024 08:24:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 8821
Access-Control-Allow-Origin: https://app.union.build
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,POST,PUT,PATCH,DELETE,OPTIONS
Access-Control-Expose-Headers: X-Hasura-Query-Cache-Key,X-Hasura-Query-Family-Cache-Key,Warning
X-Hasura-Query-Family-Cache-Key: 30084d897ed1163cc7896ec0d445cb2c072330d0
X-Hasura-Query-Cache-Key: 1027a2ae2b3a2ed30160f58bd971bb7a783186e1
X-Request-Id: 5e59272fd8b8a1f1f392fe4b9853c3ec
Cache-Control: max-age=24
Cf-Cache-Status: DYNAMIC
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rJ%2FGONRnKXa6LeuwS1btNIJt%2BTT%2FQG%2BMsaRXrkn%2FbZrqPaygNGg0yPGjdRGzEsEG6GF1yMm7sIV6AV%2FypOVZc5saIrGAaUQqh1ttnpz2Vp3kzeg9wM92bNOq1vK0GU%2BKROyDXWU%3D"}],"group":"cf-nel","max_age":604800}
Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
Cf-Ray: 89cd3d7f9802b63b-IST

{"data":{"v0_chains":[{"display_name":"Sepolia","testnet":true,"chain_id":"11155111","enabled":true,"id":1,"rpc_type":"evm","addr_prefix":"0x","rpcs":[{"url":"eth-sepolia.g.alchemy.com/v2/SQAcneXzJzITjplR7cwQhFUqF-SU-ds4","type":"alchemy" ... ... ...
```
In this response, the Alchemy API key is exposed and can be used by anyone. None of the HTTP response values should expose any kind of API keys.
POC

```python
>>> from web3 import Web3
>>> infura_url = "https://eth-sepolia.g.alchemy.com/v2/SQAcneXzJzITjplR7cwQhFUqF-SU-ds4"
>>> web3 = Web3(Web3.HTTPProvider(infura_url))
>>> web3.eth.get_balance("0x5CF094a64E99A85AA7866DB5B2A51827C7D224aF")
1515001042037750000
```
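As an added example (not part of the report above and not Union's code), the following scanner walks a JSON API response shaped like the `v0_chains` payload, flags any RPC URL whose path segment carries a provider credential, and redacts it before the body leaves the server. The Alchemy `/v2/<key>` pattern is taken from the response above; the Infura `/v3/<project-id>` pattern and the sample payload (with a placeholder key) are assumptions.

```python
import json
import re

# Path segments that carry the credential for common Ethereum RPC providers.
# The Alchemy "/v2/<key>" form is the one seen in the response above; the
# Infura "/v3/<project-id>" form is an assumption that it is equally sensitive.
PROVIDER_KEY_PATTERNS = [
    re.compile(r"(alchemy\.com/v2/)([A-Za-z0-9_-]{20,})"),
    re.compile(r"(infura\.io/v3/)([0-9a-f]{32})"),
]


def _walk_strings(node, path=""):
    """Yield (json_path, value) for every string leaf in a decoded JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_exposed_keys(body: str) -> list:
    """Return one finding per provider credential embedded in a JSON response body."""
    findings = []
    for json_path, value in _walk_strings(json.loads(body)):
        for pattern in PROVIDER_KEY_PATTERNS:
            for match in pattern.finditer(value):
                findings.append({"path": json_path, "provider": match.group(1), "key": match.group(2)})
    return findings


def redact_body(body: str) -> str:
    """Replace each embedded credential with a fixed marker (a response-filter step)."""
    for pattern in PROVIDER_KEY_PATTERNS:
        body = pattern.sub(r"\1[REDACTED]", body)
    return body


# Constructed sample shaped like the v0_chains response; the key is a placeholder, not a real one.
SAMPLE_RESPONSE = json.dumps({"data": {"v0_chains": [{"display_name": "Sepolia", "chain_id": "11155111",
    "rpcs": [{"url": "eth-sepolia.g.alchemy.com/v2/EXAMPLEKEY0000000000000000000000", "type": "alchemy"},
             {"url": "https://rpc.sepolia.org", "type": "rpc"}]}]}})

if __name__ == "__main__":
    for finding in find_exposed_keys(SAMPLE_RESPONSE):
        print(f"{finding['path']}: credential for {finding['provider']} exposed")
    print(redact_body(SAMPLE_RESPONSE))
```

Run against a real response body the same check would flag the `rpcs[0].url` entry from the response above; the durable fix is to keep keyed RPC URLs server-side behind a proxy rather than returning them to the browser.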
This issue is also present in our other keys, like the Alchemy key used for sentinel, FYI.