As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.
(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))
1. OpenAI API keys
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))
Update: We can use following refined regular expression to filters out most dummy keys:
... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))
Special thanks to @fkulakov for the insightful contribution.
2. Github OAuth/App/Personal/Refresh Access Token
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))
3. Slack Token
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)
4. Google API key
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)
5. Square OAuth/access token
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))
6. Shopify shared secret, access token, private/custom app access token
(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")
File Extension | Description |
---|---|
.xml | XML file format |
.json | JSON (JavaScript Object Notation) file format |
.properties | Properties file format used for configuration settings |
.sql | SQL (Structured Query Language) file format used for database queries |
.txt | Plain text file format |
.log | Log file format used for recording events or activities |
.tmp | Temporary file format |
.backup | Backup file format |
.bak | Backup file format |
.enc | Encrypted file format |
.yml | YAML (YAML Ain't Markup Language) file format used for configuration settings |
.yaml | YAML (YAML Ain't Markup Language) file format used for configuration settings |
.toml | TOML (Tom's Obvious, Minimal Language) file format used for configuration settings |
.ini | INI (Initialization) file format used for configuration settings |
.config | Configuration file format |
.conf | Configuration file format |
.cfg | Configuration file format |
.env | Environment file format |
.envrc | Environment file format specific to the Direnv tool |
.prod | Production file format |
.secret | Secret file format |
.private | Private file format |
.key | Key file format |
Keynames | Description |
---|---|
access_key | Variable name to store the key used for accessing a resource or service |
secret_key | Variable name to store the key used for authentication or encryption |
access_token | Variable name to store the token used for accessing an API or resource |
api_key | Variable name to store the key used for accessing an API or service |
apikey | Shortened version of "api_key" |
api_secret | Variable name to store the secret key used for API authentication |
apiSecret | An alternate of "api_secret" |
app_secret | Variable name to store the secret key used for application authentication |
application_key | Variable name to store the key used for identifying an application |
app_key | Variable name to store the key used for identifying an application |
appkey | Shortened version of "app_key" |
auth_token | Variable name to store the token used for authentication or authorization |
authsecret | Variable name to store the secret key used for authentication or authorization |
- Online IDE Search: https://redhuntlabs.com/online-ide-search/
- Keyhacks on GitHub: https://github.com/streaak/keyhacks
- Google Hacking Database: https://www.exploit-db.com/google-hacking-database
@lolminerxmrig The 5-page limit is a known issue on GitHub, and the GitHub development team is aware of it and is actively working to address the issue. You can review the ongoing discussions about this matter on the GitHub community forum.
It should have been fixed earlier, but I don't know why they're taking this much time.