I conducted some tests using different types of API keys with the API currently used in the detector. I generated an API key with the least access privileges, specifically a billing key. The API worked fine with this key.
I didn’t observe any expiry time on their API keys, and even after deleting the key, the API continued returning 200 OK for a short period (consistent with what you reported). However, after a few minutes, the API began returning 401 Unauthorized, as expected. It seems their system takes a few minutes to recognize that an API key has been deleted or removed, after which it correctly returns 401.
I guess the reason for using this API endpoint /scopes was that it works for all types of tokens regardless of their access.
Are those keys deleted? If yes, can you try to make a call to the scopes API using those API keys in Postman or any other tool you like? If it works and returns 200, then that is something to worry about.
TruffleHog Version
3.84.1
Expected Behavior
Sendgrid seems not to remove keys when they get invalidated; rather, all rights are removed from them so one can't send e-mail with them. I think the test needs to be redone to try to send mail, as the documentation on Sendgrid suggests.
Actual Behavior
It says the key is valid, so it's kind of a false positive.
Steps to Reproduce
References
https://www.twilio.com/docs/sendgrid/ui/account-and-settings/api-keys#testing-an-api-key
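As an added example, not TruffleHog's own detector code, the check below calls the same /v3/scopes endpoint discussed in this thread but also inspects the returned scope list, so a live key that has had its sending rights stripped is reported separately from a key that can still send mail. The `mail.send` scope name and the `{"scopes": [...]}` response shape are assumptions; the keys, scope lists and HTTP responses are constructed for the offline demo.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Tuple

SCOPES_URL = "https://api.sendgrid.com/v3/scopes"  # endpoint discussed in the thread


def http_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport: returns (HTTP status, body). Not used by the offline demo below."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify_key(key: str, get: Callable = http_get) -> Dict[str, Any]:
    """Classify a SendGrid key: revoked, live-but-cannot-send, or live-and-can-send."""
    status, body = get(SCOPES_URL, {"Authorization": f"Bearer {key}"})
    if status == 401:
        return {"verified": False, "reason": "unauthorized (revoked or never valid)"}
    if status != 200:
        return {"verified": None, "reason": f"indeterminate HTTP {status}"}
    # A 200 is what the detector currently treats as "valid". Per the thread, a key
    # deleted minutes ago may still answer 200 briefly, so a result worth acting on
    # should be re-checked after a short delay.
    scopes = json.loads(body).get("scopes", [])
    can_send = "mail.send" in scopes  # assumed scope name for sending mail
    return {
        "verified": True,
        "can_send_mail": can_send,
        "scopes": scopes,
        "reason": "live key with mail.send" if can_send
        else "live key but cannot send mail (e.g. billing-only)",
    }


# Constructed canned responses standing in for the SendGrid API (offline demo).
CANNED: Dict[str, Tuple[int, bytes]] = {
    "SG.billing-only.constructed": (200, b'{"scopes":["billing.read","billing.update"]}'),
    "SG.full-access.constructed": (200, b'{"scopes":["mail.send","templates.read"]}'),
    "SG.deleted.constructed": (401, b'{"errors":[{"message":"authorization required"}]}'),
}


def fake_get(url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Offline transport: looks the bearer token up in CANNED instead of calling out."""
    key = headers["Authorization"].split(" ", 1)[1]
    return CANNED.get(key, (401, b"{}"))


if __name__ == "__main__":
    for k in CANNED:
        print(k, classify_key(k, fake_get))
```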