When auditing website security, one common weakness is exposed API keys, often in the form of environment variables in a file with public read access. Whether conducting a sanctioned penetration test or participating in a bug bounty program, it is often necessary either to expand access or to prove impact to the business in question. The purpose of this list is to detail examples of types of API credentials and how they can be leveraged to exploit a site.
Variable | Private | Example | Purpose |
---|---|---|---|
AMPLITUDE_API_KEY | N | a205ed9b06a7baf5a594bdd30293aa80 | The Amplitude API key is intended to be public; it is used to identify an Amplitude application for analytical purposes. |
AWS_ACCESS_KEY_ID | Y | AKIAIOSFODNN7EXAMPLE | The AWS Access Key ID is used for programmatic access to Amazon Web Services (AWS) resources. |
DROPBOX_API_TOKEN | Y | abc123def456ghi789jkl01mno234pqr | The Dropbox API token grants access to files and data stored in Dropbox accounts. Protecting it is crucial to maintain data integrity. |
FACEBOOK_API_KEY | Y | abcdefghijklmnopqrstuvwxyz987654 | The Facebook API key is used to integrate Facebook services into apps and websites, allowing for features like social login and sharing. |
GITHUB_API_TOKEN | Y | 0123456789abcdef0123456789abcdef | The GitHub API token is used for programmatic access to GitHub's repositories, issues, and user data. |
GOODREADS_API_KEY | Y | AABBCCDDEEFF00112233445566778899 | The Goodreads API allows developers access to Goodreads data in order to help websites or applications that deal with books be more personalized, social, and engaging. With OAuth authorization, an API token can be used to interact with accounts on behalf of a user. The site is no longer issuing new API tokens, meaning the existing tokens are more valuable. |
GOOGLE_MAPS_API_KEY | Y | AIzaSyD3vS5UEOJmNpR5Q5bXnqYf4qPiWg | The Google Maps API key allows access to mapping services and geolocation data. Protecting this key is essential to prevent unauthorized usage. |
INSTAGRAM_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Instagram API key is used to interact with Instagram's API for tasks like retrieving user photos and media content. |
LINKEDIN_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The LinkedIn API key allows access to LinkedIn's data and integration into apps for professional networking. |
MAILCHIMP_API_KEY | Y | d12a34567890123456789dcbef123456-us5 | The Mailchimp API key is used for integration with email marketing services, including sending newsletters and managing subscribers. |
MICROSOFT_GRAPH_API | Y | abcdefghijklmnopqrstuvwxyz123456 | The Microsoft Graph API key is used for accessing data from Microsoft 365 services such as email, calendar, and contacts. |
PAYPAL_CLIENT_ID | Y | AbCdEfGhIjKlMnOpQrStUvWxYz12345678 | The PayPal client ID is used to initiate and process PayPal payments on websites and apps. Safeguarding it is critical for secure transactions. |
SPOTIFY_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Spotify API key is used for integrating music streaming and playlists into apps and websites. |
STRIPE_API_KEY | Y | sk_test_abcdefgh1234567890 | The Stripe API key is a private key used for secure communication with Stripe payment services. It should never be exposed publicly to prevent unauthorized transactions. |
TRELLO_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Trello API key is used for managing Trello boards, lists, and cards programmatically. |
TWILIO_API_SID | Y | SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX | The Twilio API SID is a secret identifier for accessing Twilio's communication services, such as sending SMS or making phone calls programmatically. |
TWITCH_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Twitch API key is used to access and interact with Twitch streaming and chat services. |
TWITTER_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The Twitter API key is used to authenticate and access Twitter's API for tasks such as posting tweets or reading user timelines. |
YOUTUBE_API_KEY | Y | abcdefghijklmnopqrstuvwxyz123456 | The YouTube API key is used for integrating YouTube video content and data into apps and websites. |
ZM_CLIENT_ID | N | abcdefghijklmnopqrstuvwxyz123456 | The Zoom client ID is used to identify a specific application when communicating with the Zoom video conferencing backend. |
ZM_CLIENT_SECRET | Y | abcdefghijklmnopqrstuvwxyz123456 | The Zoom client secret is used to securely authenticate a client ID with the backend in conjunction with an (optionally) specified OAuth redirect URL. With this and the client ID, requests can be made to the Zoom application on behalf of the key's owning organization. |
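As an added example (not part of the original list), the following Python script triages a publicly readable `.env`-style file using the Private column and the example value formats from the table above: names marked public are reported as informational, names marked private are reported as high severity when the value matches the expected format, and as medium when it looks like a placeholder. The variable subset, the regexes and the sample file are assumptions constructed from the table.

```python
import re

# Private flag taken from the table above (True = secret, must never be exposed).
PRIVATE = {
    "AMPLITUDE_API_KEY": False, "AWS_ACCESS_KEY_ID": True, "DROPBOX_API_TOKEN": True,
    "GITHUB_API_TOKEN": True, "MAILCHIMP_API_KEY": True, "STRIPE_API_KEY": True,
    "TWILIO_API_SID": True, "ZM_CLIENT_ID": False, "ZM_CLIENT_SECRET": True,
}

# Format hints derived from the table's example values (assumed, not exhaustive).
FORMATS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"^AKIA[0-9A-Z]{16}$"),
    "STRIPE_API_KEY": re.compile(r"^sk_(live|test)_[0-9A-Za-z]+$"),
    "MAILCHIMP_API_KEY": re.compile(r"^[0-9a-f]{32}-us\d+$"),
    "TWILIO_API_SID": re.compile(r"^SK[0-9a-fA-F]{32}$"),
}

# Constructed sample .env using the table's example values plus one unrelated variable.
SAMPLE_ENV = """# app settings
APP_NAME=demo
AMPLITUDE_API_KEY=a205ed9b06a7baf5a594bdd30293aa80
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
STRIPE_API_KEY='sk_test_abcdefgh1234567890'
MAILCHIMP_API_KEY=d12a34567890123456789dcbef123456-us5
TWILIO_API_SID=SKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

def parse_dotenv(text):
    """Parse KEY=value lines; skip blanks/comments, drop 'export ' and surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        env[key] = value.strip().strip("'\"")
    return env

def triage(text):
    """Return (variable, severity, note) for every known variable found in the file."""
    findings = []
    for key, value in parse_dotenv(text).items():
        if not value or key not in PRIVATE:
            continue  # unknown variables are out of scope for this table
        if not PRIVATE[key]:
            findings.append((key, "info", "public identifier by design"))
            continue
        fmt = FORMATS.get(key)
        if fmt is not None and not fmt.match(value):
            findings.append((key, "medium", "private name, value does not match expected format"))
        else:
            findings.append((key, "high", "private credential exposed; rotate and restrict file"))
    return findings
```

Unknown variable names are skipped rather than guessed at, so extend `PRIVATE` and `FORMATS` from the table before running this against a real finding.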