
@win3zz
Last active December 8, 2024 18:37

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct thorough reconnaissance. With the increasing use of APIs, keeping access tokens and other API-related secrets secure has become paramount in order to prevent leaks. Despite technological advances, human error remains a factor: many developers still unknowingly hardcode API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these exposures, I have created a comprehensive search list using GitHub's search syntax that surfaces thousands of leaked keys and secrets in a single query.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Update: The following refined regular expression (a fixed 48-character key body) can be used to filter out most dummy keys:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Special thanks to @fkulakov for the insightful contribution.

Screenshot:

GithubOpenAIAPIkeysSearch

2. Github OAuth/App/Personal/Refresh Access Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))

3. Slack Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)

4. Google API key

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)

5. Square OAuth/access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))

6. Shopify shared secret, access token, private/custom app access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")

Parameters Used

File Extensions

File Extension Description
.xml XML file format
.json JSON (JavaScript Object Notation) file format
.properties Properties file format used for configuration settings
.sql SQL (Structured Query Language) file format used for database queries
.txt Plain text file format
.log Log file format used for recording events or activities
.tmp Temporary file format
.backup Backup file format
.bak Backup file format
.enc Encrypted file format
.yml YAML (YAML Ain't Markup Language) file format used for configuration settings
.yaml YAML (YAML Ain't Markup Language) file format used for configuration settings
.toml TOML (Tom's Obvious, Minimal Language) file format used for configuration settings
.ini INI (Initialization) file format used for configuration settings
.config Configuration file format
.conf Configuration file format
.cfg Configuration file format
.env Environment file format
.envrc Environment file format specific to the Direnv tool
.prod Production file format
.secret Secret file format
.private Private file format
.key Key file format

Keynames

Keynames Description
access_key Variable name to store the key used for accessing a resource or service
secret_key Variable name to store the key used for authentication or encryption
access_token Variable name to store the token used for accessing an API or resource
api_key Variable name to store the key used for accessing an API or service
apikey Shortened version of "api_key"
api_secret Variable name to store the secret key used for API authentication
apiSecret camelCase variant of "api_secret"
app_secret Variable name to store the secret key used for application authentication
application_key Variable name to store the key used for identifying an application
app_key Variable name to store the key used for identifying an application
appkey Shortened version of "app_key"
auth_token Variable name to store the token used for authentication or authorization
authsecret Variable name to store the secret key used for authentication or authorization
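The same three ingredients the search syntax combines (the file-extension list, the keyname list and a token signature such as @fkulakov's fixed-length OpenAI pattern) can be applied locally, so a repository is checked for hardcoded secrets before it is ever pushed. The scanner below is an added example written for this page, not code from the gist or from any of its commenters. It reuses the extensions, keynames and prefixes listed above verbatim; the character classes that continue each prefix (for example `[A-Za-z0-9]+` after `ghp_`) and the constructed sample files are my assumptions, as is the choice to report whether a keyname appears on the same line rather than anywhere in the file as GitHub search does.

```python
"""Local secret scanner built from the gist's GitHub search parameters.

Constructed example, not part of the gist. It walks a directory (or a dict of
in-memory samples), keeps only files whose names end in one of the gist's
extensions, and reports lines that carry one of the gist's token signatures.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# "File Extensions" table from the gist, compared against the end of the file name
# (Path.suffix would miss dotfiles such as ".env", so endswith is used instead).
SENSITIVE_EXTENSIONS = {
    ".xml", ".json", ".properties", ".sql", ".txt", ".log", ".tmp", ".backup",
    ".bak", ".enc", ".yml", ".yaml", ".toml", ".ini", ".config", ".conf", ".cfg",
    ".env", ".envrc", ".prod", ".secret", ".private", ".key",
}

# "Keynames" table from the gist, matched case-insensitively as substrings so that
# OPENAI_API_KEY, apiSecret and api_secret all count.
KEYNAMES = [
    "access_key", "secret_key", "access_token", "api_key", "apikey", "api_secret",
    "apiSecret", "app_secret", "application_key", "app_key", "appkey", "auth_token",
    "authsecret",
]
KEYNAME_RE = re.compile("|".join(re.escape(k) for k in KEYNAMES), re.IGNORECASE)

# Token signatures from the gist's examples. OpenAI uses @fkulakov's refined form
# (exactly 48 body characters), which rejects placeholders like "sk-your-key-here".
# The other prefixes are taken from the gist; the continuation classes are an
# assumption and are deliberately loose, just like the prefix-only GitHub queries.
SIGNATURES = {
    "openai": re.compile(r"sk-[a-zA-Z0-9]{48}"),
    "github": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]+"),
    "slack": re.compile(r"\bxox[A-Za-z0-9-]+"),
    "google": re.compile(r"\bAIza[A-Za-z0-9_-]+"),
    "square": re.compile(r"\bsq0(?:atp|csp)-[A-Za-z0-9_-]+"),
    "shopify": re.compile(r"\bshp(?:ss|at|ca|pa)_[A-Za-z0-9]+"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    platform: str
    keyname_on_line: bool  # True when a gist keyname sits on the same line


def is_sensitive_path(name: str) -> bool:
    """Mirror of the gist's path:*.ext clauses for a single file name."""
    lower = Path(name).name.lower()
    return any(lower.endswith(ext) for ext in SENSITIVE_EXTENSIONS)


def scan_text(path: str, text: str) -> list[Finding]:
    """Report every line of one file that matches a token signature."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for platform, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append(
                    Finding(path, line_no, platform, bool(KEYNAME_RE.search(line)))
                )
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory mapping of relative path -> file content."""
    findings: list[Finding] = []
    for path, text in files.items():
        if is_sensitive_path(path):
            findings.extend(scan_text(path, text))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every sensitive file below root, e.g. a checkout before pushing."""
    findings: list[Finding] = []
    for file_path in sorted(root.rglob("*")):
        if file_path.is_file() and is_sensitive_path(file_path.name):
            rel = str(file_path.relative_to(root))
            findings.extend(scan_text(rel, file_path.read_text(errors="ignore")))
    return findings


# Constructed sample repository; the key bodies are filler, not real credentials.
SAMPLE_FILES = {
    "config/app.env": "OPENAI_API_KEY=sk-your-key-here\nDEBUG=1\n",  # placeholder: rejected
    "config/prod.yml": "openai:\n  api_key: sk-" + "A" * 48 + "\n",  # full-length body
    "notes.txt": "token ghp_" + "b" * 36 + " was pasted here\n",   # prefix, no keyname
    "app.py": "api_key = 'sk-" + "C" * 48 + "'\n",                   # .py is not scanned
}

if __name__ == "__main__":
    # Usage: python scanner.py [directory]; without an argument the samples are scanned.
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        flag = "keyname on line" if f.keyname_on_line else "no keyname on line"
        print(f"{f.path}:{f.line_no}: possible {f.platform} secret ({flag})")
    sys.exit(1 if results else 0)
```

Run against the samples, the scanner reports only `config/prod.yml` (OpenAI signature with `api_key` on the line) and `notes.txt` (a GitHub-style prefix with no keyname nearby); the `sk-your-key-here` placeholder is dropped by the 48-character requirement and `app.py` is never opened because `.py` is not in the extension list. The non-zero exit status makes it usable as a pre-commit or CI gate.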

Other Useful Tools:

@sondt1337

thx!!!

@accessor-io

accessor-io commented Oct 14, 2023

returns error: exceeds 256 characters / more than 5 operators disallowed

@win3zz
Author

win3zz commented Dec 6, 2023

returns error: exceeds 256 characters / more than 5 operators disallowed

@accessor-io I just tried it and no such errors were found. Please try again, and make sure you are using the operators correctly.

@win3zz
Author

win3zz commented Dec 6, 2023

hi. very good. can help me more page limited 5 pages. thanks.

@lolminerxmrig The 5-page limit is a known issue on GitHub, and the GitHub development team is aware of it and is actively working to address the issue. You can review the ongoing discussions about this matter on the GitHub community forum.

It should have been fixed earlier, but I don't know why they're taking this much time.

@fkulakov

For openai api_keys, you can use this regular expression to filter out most dummies:

AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

instead of

AND ("sk-" AND (openai OR gpt))

@win3zz
Author

win3zz commented Dec 29, 2023

@fkulakov That's c00l! Thank you for sharing. I updated this gist.

@pendragons-code

THANKS <3

@TriDev-Studios

not working anymore, I get error too many AND OR

@win3zz
Author

win3zz commented Aug 20, 2024

@TriDev-Studios are you sure?? Working fine for me:

Screenshot 2024-08-20 113333

@yashyadurai

yeah working fine

@Ve2s4

Ve2s4 commented Sep 8, 2024

Create a list of the leaked secret keys and then run them through this function to quickly check which ones are valid.

keys = [
secret keys here...
]

for key, i in zip(keys, range(len(keys))):
    try:
        client = OpenAI(api_key=key)
        chat_completion = client.chat.completions.create(
            messages=[
                {
                    "role": "user",
                    "content": "Say this is a test",
                }
            ],
            model="gpt-3.5-turbo",
        )
        print("response",i, chat_completion.choices[0].message.content)
    except Exception as e:
        print("error", i, str(e))
        continue

@vassu-v

vassu-v commented Nov 3, 2024

could anybody give working keys cuz all the keys in search are old or fake they do not work

@prawnydagrate

could anybody give working keys cuz all the keys in search are old or fake they do not work

bro that's illegal you're not supposed to actually try to use these keys 💀

@dickyindra

could anybody give working keys cuz all the keys in search are old or fake they do not work

OpenAI will disable the API key that has been publicly leaked 😅
