Created
November 12, 2023 12:22
-
-
Save MohitDabas/2c804f685f4597acf6312c2d1191d558 to your computer and use it in GitHub Desktop.
"🚀 Exploring URLs for Sensitive Data -Python Asyncio Scanner🕵️♂️"
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import aiohttp | |
import asyncio | |
import re | |
_regex = { | |
'google_api': r'AIza[0-9A-Za-z-_]{35}', | |
'firebase': r'AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}', | |
'google_captcha': r'6L[0-9A-Za-z-_]{38}|^6[0-9a-zA-Z_-]{39}$', | |
'google_oauth': r'ya29\.[0-9A-Za-z\-_]+', | |
'amazon_aws_access_key_id': r'A[SK]IA[0-9A-Z]{16}', | |
'amazon_mws_auth_toke': r'amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', | |
'amazon_aws_url': r's3\.amazonaws.com[/]+|[a-zA-Z0-9_-]*\.s3\.amazonaws.com', | |
'amazon_aws_url2': r"(" | |
r"[a-zA-Z0-9-\.\_]+\.s3\.amazonaws\.com" | |
r"|s3://[a-zA-Z0-9-\.\_]+" | |
r"|s3-[a-zA-Z0-9-\.\_\/]+" | |
r"|s3.amazonaws.com/[a-zA-Z0-9-\.\_]+" | |
r"|s3.console.aws.amazon.com/s3/buckets/[a-zA-Z0-9-\.\_]+)", | |
'facebook_access_token': r'EAACEdEose0cBA[0-9A-Za-z]+', | |
'authorization_basic': r'basic [a-zA-Z0-9=:_\+\/-]{5,100}', | |
'authorization_bearer': r'bearer [a-zA-Z0-9_\-\.=:_\+\/]{5,100}', | |
'authorization_api': r'api[key|_key|\s+]+[a-zA-Z0-9_\-]{5,100}', | |
'mailgun_api_key': r'key-[0-9a-zA-Z]{32}', | |
'twilio_api_key': r'SK[0-9a-fA-F]{32}', | |
'twilio_account_sid': r'AC[a-zA-Z0-9_\-]{32}', | |
'twilio_app_sid': r'AP[a-zA-Z0-9_\-]{32}', | |
'paypal_braintree_access_token': r'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}', | |
'square_oauth_secret': r'sq0csp-[ 0-9A-Za-z\-_]{43}|sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}', | |
'square_access_token': r'sqOatp-[0-9A-Za-z\-_]{22}|EAAA[a-zA-Z0-9]{60}', | |
'stripe_standard_api': r'sk_live_[0-9a-zA-Z]{24}', | |
'stripe_restricted_api': r'rk_live_[0-9a-zA-Z]{24}', | |
'github_access_token': r'[a-zA-Z0-9_-]*:[a-zA-Z0-9_\-]+@github\.com*', | |
'rsa_private_key': r'-----BEGIN RSA PRIVATE KEY-----', | |
'ssh_dsa_private_key': r'-----BEGIN DSA PRIVATE KEY-----', | |
'ssh_dc_private_key': r'-----BEGIN EC PRIVATE KEY-----', | |
'pgp_private_block': r'-----BEGIN PGP PRIVATE KEY BLOCK-----', | |
'json_web_token': r'ey[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$', | |
'slack_token': r"\"api_token\":\"(xox[a-zA-Z]-[a-zA-Z0-9-]+)\"", | |
'SSH_privKey': r"([-]+BEGIN [^\s]+ PRIVATE KEY[-]+[\s]*[^-]*[-]+END [^\s]+ PRIVATE KEY[-]+)", | |
'Heroku API KEY': r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}', | |
"Json Web Token" : "eyJhbGciOiJ", | |
"Github Auth Creds": "https:\/\/[a-zA-Z0-9]{40}@github\.com", | |
'possible_Creds': r"(?i)(" | |
r"password\s*[`=:\"]+\s*[^\s]+|" | |
r"password is\s*[`=:\"]*\s*[^\s]+|" | |
r"pwd\s*[`=:\"]*\s*[^\s]+|" | |
r"passwd\s*[`=:\"]+\s*[^\s]+)", | |
} | |
js_urls = open("jsfiles_list.txt", "r").read() | |
timeout_seconds = 10 | |
async def fetch_js(url): | |
try: | |
async with aiohttp.ClientSession(connector=aiohttp.TCPConnector(ssl=False)) as session: | |
async with session.get(url, timeout=timeout_seconds) as response: | |
if response.status == 200: | |
data = await response.text() | |
return data | |
else: | |
return None | |
except Exception as e: | |
print(f"Exception: {e}") | |
async def process_js_url(url): | |
data = await fetch_js(url) | |
if data is not None: | |
for key, pattern in _regex.items(): | |
if re.search(pattern, data): | |
match = re.search(pattern, data) | |
print(f"\033[1;32;40m {match.group()} \033[0m") | |
print(f"Found {key} in {url}") | |
print("---------------------------------") | |
print("\n") | |
else: | |
print(f"{key} not found in {url}") | |
else: | |
print(f"{url} is not reachable within {timeout_seconds} seconds") | |
async def main(): | |
urls = js_urls.split('\n') | |
tasks = [process_js_url(url) for url in urls] | |
await asyncio.gather(*tasks) | |
if __name__ == '__main__': | |
asyncio.run(main()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
put your URLs in this file 'jsfiles_list.txt'