API Sniffer is a Burp Suite extension scanner that finds exposed sensitive information.
0xy37/API-Sniffer-Burp-Extension

API-Sniffer-Burp-Extension

What is API-Sniffer?

The API Sniffer extension looks for API keys and credentials only on websites that are in scope.


The extension then adds the information it finds as an issue in Burp's Issues section. This is useful for web and mobile pentests and code reviews, because it helps identify keys that would otherwise be missed or would have to be searched for manually.

What the extension captures:

* Google API Key
* Slack Token
* AWS API Key
* Slack Webhook
* Facebook Access Token
* Facebook OAuth
* Mailgun API Key
* Twilio API Key
* PayPal Access Token
* Square OAuth Secret
* Square Access Token
* Stripe Standard API
* Stripe Restricted API
* GitHub keys
* RSA Private Key
* SSH (EC) private key
* PGP Private Block
* Generic API Key
* Generic Secret
* Saudi National ID
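To make the scanning model concrete, here is an added Python example (not the extension's own code) that does what the sections above describe: it runs a handful of key patterns over a response body, but only for hosts that are in scope, and reports each match as a would-be issue. The patterns, the scope list and the sample response body are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Illustrative patterns for a few of the key types listed above. These are
# assumptions for this example, not the extension's own detection rules.
PATTERNS = {
    "Google API Key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "AWS API Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Slack Token": re.compile(r"xox[abpr]-[0-9A-Za-z\-]{10,}"),
    "RSA Private Key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
    "Generic API Key": re.compile(
        r"(?i)api[_-]?key['\"]?\s*[:=]\s*['\"]([0-9A-Za-z]{16,})['\"]"),
}


def in_scope(url, scope_hosts):
    """Mirror Burp's scope rule: scan only hosts the tester added to scope."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in scope_hosts)


def scan_response(url, body, scope_hosts):
    """Return (issue_name, value, offset) for every match in one in-scope response."""
    if not in_scope(url, scope_hosts):
        return []
    findings = []
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(body):
            value = m.group(m.lastindex or 0)  # captured secret, or whole match
            findings.append((name, value, m.start()))
    return findings


# Constructed sample response body; the values are not real credentials.
SAMPLE_URL = "https://app.example.com/static/config.js"
SAMPLE_BODY = """<script>
var cfg = { maps: "AIzaSyA1234567890abcdefghijklmnopqrstuv", api_key: "0123456789abcdef0123" };
// AKIAIOSFODNN7EXAMPLE
</script>"""

if __name__ == "__main__":
    for issue, value, offset in scan_response(SAMPLE_URL, SAMPLE_BODY, ["example.com"]):
        print(f"[{issue}] {value} at offset {offset}")
```

Pattern matches like these are exactly where the false positives mentioned later come from, so each reported value still needs a manual look before it is treated as a live credential.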

How to install:

In Burp, open the Extender tab >> go to the Extensions tab >> press Add >> then load the extension.


After that the extension should be loaded and a confirmation message should be printed in its output.


How to use:

* The extension scans only URLs that are in scope, so make sure to add the target domain to the scope.
* The extension will not start scanning unless you start a passive scan.
* Issues might take time to appear in the Issues section; you can always check the extension's logs to see whether the scanner has caught anything.


* After a while you will start seeing potential issues added to Burp.


False positives alert:

Yup, you guessed it: you may have to deal with false-positive results. There is always room for improvement.

How to exploit API keys

Each API key will be exploited differently, depending on the API found.
Below is a great and very comprehensive reference for how to exploit different API keys.

https://github.com/streaak/keyhacks
