[Feature request] - Referer header for "Custom Search API" endpoint about gmapsapiscanner HOT 5 CLOSED

Hi,
Actually if you add the correct referer header, it will go through for all of the applications. For this vulnerability-misconfiguration type, Google Maps now only suggests header based security controls such as Referer or Application header controls. So if the referer is correct, there is nothing to do. This actually blocks usage from other web applications directly since there is no chance to manipulate referer headers from web browser use.

from gmapsapiscanner.

Sorry, it's still a bit unclear to me, you're saying that if I add the correct referer header all the endpoints will work?
In that case, what we're actually testing is the ability to use the maps api key from another website, rather than the ability to cause financial damage to the key owner by repeated use of his key (for example through burp intruder or a shell script)?

Am I understanding correctly ?

from gmapsapiscanner.

Yeah that's true. If you want to harm the key owner within repeated use, you can do anyways within the repeating the original request going from the original web application unless JS API is used (Because the behavior in JS API is a little bit complex comparing to the other API's). Google does not offer any other abuse protection system rather than referer header security control. Only configuration a developer can be make is actually restricting the referer so the API key cannot be used by other application unauthorizedly. In this case, abuse from other application would not be possible, however abuse for denial of service or financial damage would still be possible.

I recommend you to read my 2 blog posts about it, referenced in readme file.

from gmapsapiscanner.

Oh wow, I didn't know you were an expert on the matter, now I'm following you on twitter.
Thanks for the reply mate!
gg

from gmapsapiscanner.

Glad to help!

from gmapsapiscanner.