Giter Club home page Giter Club logo

gmapsapiscanner's People

Contributors

0xbad53c avatar arbazkiraak avatar dhra avatar ozguralp avatar xalfie avatar yassineaboukir avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

gmapsapiscanner's Issues

No module named 'requests'

Hello,

I try running the command >python3 maps_api_scanner_python3.py and keeps throwing the same error.

How can I fix this issue?

GMAPSAPISCANNER

Add Firebase Cloud Messaging (FCM) check

You can check if an API key works for FCM by using the curl below:

api_key=YOUR_SERVER_KEY


curl --header "Authorization: key=$api_key" \
     --header Content-Type:"application/json" \
     https://fcm.googleapis.com/fcm/send \
     -d "{\"registration_ids\":[\"ABC\"]}"

Source: https://abss.me/posts/fcm-takeover/

Would be cool if this would be integrated in the script. I will be trying to integrate this myself sometime soon, so I might come back later with a pull request.

json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Hi,

Running this on a MacBook Pro M2 in Docker and using the python3 maps_api_scanner_python3.py line. All goes through fine until the end where I get

Reason: Verbose responses are not enabled for this API, cannot determine the reason.
API key is not vulnerable for Playable Locations API.
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 254, in <module>
    scan_gmaps(apikey)
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 203, in scan_gmaps
    print("Reason: "+ response.json()["error"]["message"])
                      ^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

It worked before so I'm not sure what has changed before. It displayed a table before but no longer.

Thank you

Embed check will always work

The endpoint used in https://github.com/ozguralp/gmapsapiscanner/blob/master/maps_api_scanner.py#L28 will always work on valid API keys, even if the key is restricted. Here is why:

If the embed maps are using the basic embed requests, Google will not check restrictions, as the usage of that API is free.

https://www.google.com/maps/embed/v1/place?q=Seattle&key=KEY

But if the advanced map modes are used, then the restrictions apply.

https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key=KEY

issue

python3 maps_api_scanner.py -help
File "maps_api_scanner.py", line 11
print "API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:")?

explain proper how to use

[Feature request] - Referer header for "Custom Search API" endpoint

hi there, the google maps endpoint for the "Custom Search API" requires a valid referer header before processing the request, if you add the correct referer (in most cases the website that is leaking the api token) if goes through. Atm I launched the script with the private api key, and if fails to detect this endpoint even though its vulnerable - i manually added the referer and it works.

Could you add a script parameter that asks for the referer header on script launch and subsequently adds it to the sent request?

Reduce needed steps for JavaScript API test (semi auto or completely auto)

The script can do:

  1. create html page with the API_KEY as received from command-line.
  2. create local http server (http.server module / SimpleHTTPServer) and have the above HTML file return for /test endpoint.
  3. visit the above page using headless-browser (if not implemented, tell the user to visit the created file on http://localhost:8090/test)
  4. Detect the errors (use onerror event in HTML page) and show the status in the HTML file itself.

Allow set api_key via command-line argument

Currently it's asking for input, it's useful to have option such as running "python3 maps_api_scanner_python3.py --apikey "API_KEY_HERE" , it's useful for container usage, see issue #9

Add Containerfile to repo

Example:

.dockerignore file content:

Containerfile
LICENSE
README.md
maps_api_scanner.py

Here what I use on latest fedora: (after git clone --depth 1 this repo)
Build by: podman build --rm -t gmapsapiscanner .
Run by: podman run --name gmapsapiscanner -ti --entrypoint /bin/sh --rm gmapsapiscanner then python3 maps_api_scanner_python3.py and enter the key.

Containerfile content:

FROM python:alpine

RUN set -ex; \
   apk update; \
   apk upgrade; \
   adduser -D appuser

USER appuser
WORKDIR /home/appuser/gmapsapiscanner/
COPY . /home/appuser/gmapsapiscanner/

RUN set -ex; \
    pip3 install requests

it will be possible to use it from command-line without enter container if api-key can be set by argument, issue #8 , then ContainerFile can have add at the bottom:

ENTRYPOINT ["python3", "maps_api_scanner_python3.py", "--apikey"]

and be run like:
podman run --name gmapsapiscanner --rm gmapsapiscanner API_KEY_HERE

False positive Embed (Basic) API

I used the latest version (pulled the code one hour ago)

Try this key AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio.

Then if you try the generated iframe code:

<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=Seattle&key=AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio" allowfullscreen></iframe>

You will get this:

Screenshot from 2021-02-05 19-18-24

Security

google api key is a public information, why it could be vulnerable? How to protect it? Does
It need to be encrypted?

google map in iframe

Hello @ozguralp

Thanks for the tool.
Btw i have a doubt.What about this type of google map. now a days so many sites are using map in iframe.
How to know the API key. is there an method?
can you help on this?

<iframe title="Google Maps" src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d2460i768!4f13.1!3m3!1m2!1s0x47c4348fb3c0de4d%3A0x3eb9473d3aaf9db6!2s!5e0!3m2!1sen!2snl!4v1494572044200" frameborder="0" allowfullscreen></iframe>

when try to open this iframe link got this type response in source code

<script src="https://maps.googleapis.com/maps/api/js?client=google-maps-embed&paint_origin=&libraries=geometry,search&v=3.exp&language=en_US&region=no&callback=onApiLoad" nonce="JLOyqV1ANgEX13u4e9g==" async defer></script>

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.