Skip to content

Instantly share code, notes, and snippets.

@win3zz
Last active December 24, 2024 04:30
Show Gist options
  • Save win3zz/0a1c70589fcbea64dba4588b93095855 to your computer and use it in GitHub Desktop.
Save win3zz/0a1c70589fcbea64dba4588b93095855 to your computer and use it in GitHub Desktop.

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Update: We can use following refined regular expression to filters out most dummy keys:

... AND (/sk-[a-zA-Z0-9]{48}/ AND (openai OR gpt))

Special thanks to @fkulakov for the insightful contribution.

Screeenshot:

GithubOpenAIAPIkeysSearch

2. Github OAuth/App/Personal/Refresh Access Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))

3. Slack Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)

4. Google API key

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)

5. Square OAuth/access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))

6. Shopify shared secret, access token, private/custom app access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")

Parameters Used

File Extensions

File Extension Description
.xml XML file format
.json JSON (JavaScript Object Notation) file format
.properties Properties file format used for configuration settings
.sql SQL (Structured Query Language) file format used for database queries
.txt Plain text file format
.log Log file format used for recording events or activities
.tmp Temporary file format
.backup Backup file format
.bak Backup file format
.enc Encrypted file format
.yml YAML (YAML Ain't Markup Language) file format used for configuration settings
.yaml YAML (YAML Ain't Markup Language) file format used for configuration settings
.toml TOML (Tom's Obvious, Minimal Language) file format used for configuration settings
.ini INI (Initialization) file format used for configuration settings
.config Configuration file format
.conf Configuration file format
.cfg Configuration file format
.env Environment file format
.envrc Environment file format specific to the Direnv tool
.prod Production file format
.secret Secret file format
.private Private file format
.key Key file format

Keynames

Keynames Description
access_key Variable name to store the key used for accessing a resource or service
secret_key Variable name to store the key used for authentication or encryption
access_token Variable name to store the token used for accessing an API or resource
api_key Variable name to store the key used for accessing an API or service
apikey Shortened version of "api_key"
api_secret Variable name to store the secret key used for API authentication
apiSecret An alternate of "api_secret"
app_secret Variable name to store the secret key used for application authentication
application_key Variable name to store the key used for identifying an application
app_key Variable name to store the key used for identifying an application
appkey Shortened version of "app_key"
auth_token Variable name to store the token used for authentication or authorization
authsecret Variable name to store the secret key used for authentication or authorization

Other Useful Tools:

@TriDev-Studios
Copy link

not working anymore, I get error too many AND OR

@win3zz
Copy link
Author

win3zz commented Aug 20, 2024

@TriDev-Studios are you sure?? Working fine for me:

Screenshot 2024-08-20 113333

@yashyadurai
Copy link

yeah working fine

@Ve2s4
Copy link

Ve2s4 commented Sep 8, 2024

Create a list of the leaked secret keys and then run them through this function to quickly check which ones are valid.

keys = [
secret keys here...
]

for key, i in zip(keys, range(len(keys))):
    try:
        client = OpenAI(api_key=key)
        chat_completion = client.chat.completions.create(
            messages=[
                {
                    "role": "user",
                    "content": "Say this is a test",
                }
            ],
            model="gpt-3.5-turbo",
        )
        print("response",i, chat_completion.choices[0].message.content)
    except Exception as e:
        print("error", i, str(e))
        continue

@vassu-v
Copy link

vassu-v commented Nov 3, 2024

could anybody give working keys cuz all the keys in search are old or fake they do not work

@prawnydagrate
Copy link

could anybody give working keys cuz all the keys in search are old or fake they do not work

bro that's illegal you're not supposed to actually try to use these keys 💀

@dickyindra
Copy link

could anybody give working keys cuz all the keys in search are old or fake they do not work

OpenAI will disable the API key that has been publicly leaked 😅

image

@SynclonSec
Copy link

LMFAOOOOOOOOOOOO

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment