ozguralp / gmapsapiscanner Goto Github PK

I used the latest version (pulled the code one hour ago)

Try this key AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio.

Then if you try the generated iframe code:

<iframe width="600" height="450" frameborder="0" style="border:0" src="https://www.google.com/maps/embed/v1/place?q=Seattle&key=AIzaSyB3MeUSpCntta2BW8UeLmVlRgnM7tB6hio" allowfullscreen></iframe>

You will get this:

Hello @ozguralp

Thanks for the tool.
Btw i have a doubt.What about this type of google map. now a days so many sites are using map in iframe.
How to know the API key. is there an method?
can you help on this?

<iframe title="Google Maps" src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d2460i768!4f13.1!3m3!1m2!1s0x47c4348fb3c0de4d%3A0x3eb9473d3aaf9db6!2s!5e0!3m2!1sen!2snl!4v1494572044200" frameborder="0" allowfullscreen></iframe>

when try to open this iframe link got this type response in source code

<script src="https://maps.googleapis.com/maps/api/js?client=google-maps-embed&paint_origin=&libraries=geometry,search&v=3.exp&language=en_US&region=no&callback=onApiLoad" nonce="JLOyqV1ANgEX13u4e9g==" async defer></script>

python3 maps_api_scanner.py -help
File "maps_api_scanner.py", line 11
print "API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("API key is vulnerable for Staticmap API! Here is the PoC link which can be used directly via browser:")?

explain proper how to use

Example:

.dockerignore file content:

Containerfile
LICENSE
README.md
maps_api_scanner.py

Here what I use on latest fedora: (after git clone --depth 1 this repo)
Build by: podman build --rm -t gmapsapiscanner .
Run by: podman run --name gmapsapiscanner -ti --entrypoint /bin/sh --rm gmapsapiscanner then python3 maps_api_scanner_python3.py and enter the key.

Containerfile content:

FROM python:alpine

RUN set -ex; \
   apk update; \
   apk upgrade; \
   adduser -D appuser

USER appuser
WORKDIR /home/appuser/gmapsapiscanner/
COPY . /home/appuser/gmapsapiscanner/

RUN set -ex; \
    pip3 install requests

it will be possible to use it from command-line without enter container if api-key can be set by argument, issue #8 , then ContainerFile can have add at the bottom:

ENTRYPOINT ["python3", "maps_api_scanner_python3.py", "--apikey"]

and be run like:
podman run --name gmapsapiscanner --rm gmapsapiscanner API_KEY_HERE

You can check if an API key works for FCM by using the curl below:

api_key=YOUR_SERVER_KEY


curl --header "Authorization: key=$api_key" \
     --header Content-Type:"application/json" \
     https://fcm.googleapis.com/fcm/send \
     -d "{\"registration_ids\":[\"ABC\"]}"

Source: https://abss.me/posts/fcm-takeover/

Would be cool if this would be integrated in the script. I will be trying to integrate this myself sometime soon, so I might come back later with a pull request.

Currently it's asking for input, it's useful to have option such as running "python3 maps_api_scanner_python3.py --apikey "API_KEY_HERE" , it's useful for container usage, see issue #9

hi there, the google maps endpoint for the "Custom Search API" requires a valid referer header before processing the request, if you add the correct referer (in most cases the website that is leaking the api token) if goes through. Atm I launched the script with the private api key, and if fails to detect this endpoint even though its vulnerable - i manually added the referer and it works.

Could you add a script parameter that asks for the referer header on script launch and subsequently adds it to the sent request?

streaak/keyhacks#63

Hi,

Running this on a MacBook Pro M2 in Docker and using the python3 maps_api_scanner_python3.py line. All goes through fine until the end where I get

Reason: Verbose responses are not enabled for this API, cannot determine the reason.
API key is not vulnerable for Playable Locations API.
Traceback (most recent call last):
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 337, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/Cellar/[email protected]/3.11.6/Frameworks/Python.framework/Versions/3.11/lib/python3.11/json/decoder.py", line 355, in raw_decode
    raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 254, in <module>
    scan_gmaps(apikey)
  File "/Users/jj/gmapsapiscanner/maps_api_scanner_python3.py", line 203, in scan_gmaps
    print("Reason: "+ response.json()["error"]["message"])
                      ^^^^^^^^^^^^^^^
  File "/opt/homebrew/lib/python3.11/site-packages/requests/models.py", line 975, in json
    raise RequestsJSONDecodeError(e.msg, e.doc, e.pos)
requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

It worked before so I'm not sure what has changed before. It displayed a table before but no longer.

Thank you

The script can do:

1. create html page with the API_KEY as received from command-line.
2. create local http server (http.server module / SimpleHTTPServer) and have the above HTML file return for /test endpoint.
3. visit the above page using headless-browser (if not implemented, tell the user to visit the created file on http://localhost:8090/test)
4. Detect the errors (use onerror event in HTML page) and show the status in the HTML file itself.

google api key is a public information, why it could be vulnerable? How to protect it? Does
It need to be encrypted?

Issue 6 refers to Embed Advanced being paid, however now all Embed API usage is unlimited with no charge, compare Google docs below:

Old Embed API pricing:
https://web.archive.org/web/20200616082619/https://developers.google.com/maps/documentation/embed/usage-and-billing#embed-advanced

Current Embed API pricing:
https://developers.google.com/maps/documentation/embed/usage-and-billing

The endpoint used in https://github.com/ozguralp/gmapsapiscanner/blob/master/maps_api_scanner.py#L28 will always work on valid API keys, even if the key is restricted. Here is why:

If the embed maps are using the basic embed requests, Google will not check restrictions, as the usage of that API is free.

https://www.google.com/maps/embed/v1/place?q=Seattle&key=KEY

But if the advanced map modes are used, then the restrictions apply.

https://www.google.com/maps/embed/v1/search?q=record+stores+in+Seattle&key=KEY

Hello,

I try running the command >python3 maps_api_scanner_python3.py and keeps throwing the same error.

How can I fix this issue?