ozguralp / gmapsapiscanner Goto Github PK

Hello,

I try running the command >python3 maps_api_scanner_python3.py and keeps throwing the same error.

How can I fix this issue?

You can check if an API key works for FCM by using the curl below:

api_key=YOUR_SERVER_KEY


curl --header "Authorization: key=$api_key" \
     --header Content-Type:"application/json" \
     https://fcm.googleapis.com/fcm/send \
     -d "{\"registration_ids\":[\"ABC\"]}"

Source: https://abss.me/posts/fcm-takeover/

Would be cool if this would be integrated in the script. I will be trying to integrate this myself sometime soon, so I might come back later with a pull request.

Hi,

Running this on a MacBook Pro M2 in Docker and using the python3 maps_api_scanner_python3.py line. All goes through fine until the end where I get

Reason: Verbose responses are not enabled for this API, cannot determine the reason.
API key is not vulnerable for Playable Locations API.
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 254, in <module>
    scan_gmaps(apikey)
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 203, in scan_gmaps
    print("Reason: "+ response.json()["error"]["message"])
                      ^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

It worked before so I'm not sure what has changed before. It displayed a table before but no longer.

Thank you

Issue 6 refers to Embed Advanced being paid, however now all Embed API usage is unlimited with no charge, compare Google docs below:

Old Embed API pricing:
https://web.archive.org/web/20200616082619/https://developers.google.com/maps/documentation/embed/usage-and-billing#embed-advanced

Current Embed API pricing:
https://developers.google.com/maps/documentation/embed/usage-and-billing

The endpoint used in https://github.com/ozguralp/gmapsapiscanner/blob/master/maps_api_scanner.py#L28 will always work on valid API keys, even if the key is restricted. Here is why:

If the embed maps are using the basic embed requests, Google will not check restrictions, as the usage of that API is free.

https://www.google.com/maps/embed/v1/place?q=Seattle&key=KEY

But if the advanced map modes are used, then the restrictions apply.

https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key=KEY

python3 maps_api_scanner.py -help
File "maps_api_scanner.py", line 11
print "API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:")?

explain proper how to use

hi there, the google maps endpoint for the "Custom Search API" requires a valid referer header before processing the request, if you add the correct referer (in most cases the website that is leaking the api token) if goes through. Atm I launched the script with the private api key, and if fails to detect this endpoint even though its vulnerable - i manually added the referer and it works.

Could you add a script parameter that asks for the referer header on script launch and subsequently adds it to the sent request?

The script can do:

1. create html page with the API_KEY as received from command-line.
2. create local http server (http.server module / SimpleHTTPServer) and have the above HTML file return for /test endpoint.
3. visit the above page using headless-browser (if not implemented, tell the user to visit the created file on http://localhost:8090/test)
4. Detect the errors (use onerror event in HTML page) and show the status in the HTML file itself.

Currently it's asking for input, it's useful to have option such as running "python3 maps_api_scanner_python3.py --apikey "API_KEY_HERE" , it's useful for container usage, see issue #9

streaak/keyhacks#63

Example:

.dockerignore file content:

Containerfile
LICENSE
README.md
maps_api_scanner.py

Here what I use on latest fedora: (after git clone --depth 1 this repo)
Build by: podman build --rm -t gmapsapiscanner .
Run by: podman run --name gmapsapiscanner -ti --entrypoint /bin/sh --rm gmapsapiscanner then python3 maps_api_scanner_python3.py and enter the key.

Containerfile content:

FROM python:alpine

RUN set -ex; \
   apk update; \
   apk upgrade; \
   adduser -D appuser

USER appuser
WORKDIR /home/appuser/gmapsapiscanner/
COPY . /home/appuser/gmapsapiscanner/

RUN set -ex; \
    pip3 install requests

it will be possible to use it from command-line without enter container if api-key can be set by argument, issue #8 , then ContainerFile can have add at the bottom:

ENTRYPOINT ["python3", "maps_api_scanner_python3.py", "--apikey"]

and be run like:
podman run --name gmapsapiscanner --rm gmapsapiscanner API_KEY_HERE

I used the latest version (pulled the code one hour ago)

Try this key AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio.

Then if you try the generated iframe code:

<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=Seattle&key=AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio" allowfullscreen></iframe>

You will get this:

google api key is a public information, why it could be vulnerable? How to protect it? Does
It need to be encrypted?

Hello @ozguralp

Thanks for the tool.
Btw i have a doubt.What about this type of google map. now a days so many sites are using map in iframe.
How to know the API key. is there an method?
can you help on this?

<iframe title="Google Maps" src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d2460i768!4f13.1!3m3!1m2!1s0x47c4348fb3c0de4d%3A0x3eb9473d3aaf9db6!2s!5e0!3m2!1sen!2snl!4v1494572044200" frameborder="0" allowfullscreen></iframe>

when try to open this iframe link got this type response in source code

<script src="https://maps.googleapis.com/maps/api/js?client=google-maps-embed&paint_origin=&libraries=geometry,search&v=3.exp&language=en_US&region=no&callback=onApiLoad" nonce="JLOyqV1ANgEX13u4e9g==" async defer></script>