API Keys for SaaS and cloud providers are more often making their way into Javascript. That’s why we’re proud to open source a tool that helps find them.
Check it out here! https://github.com/trufflesecurity/Trufflehog-Chrome-Extension
Below is a real example of an AWS key from weather.com making its way onto the front page, identified with the extension
AWS key on weather.com
You can still view this key today by visiting archive.org and going back to 2020. The chrome extension should alert you there’s a key there.
To understand why keys like this are making their way into Javascript we first need to understand CORS.
By default websites can’t just make request and read the response to other API’s without the foreign API inviting them to do so with a permissive CORS header.
Amazon AWS API’s as well as many other SaaS and Cloud provider API’s have extremely permissive CORS settings, as seen below with the Access-Control-Allow-Origin: * header
Permissive CORS on AWS
This header not only encourages websites to make requests to AWS, but because AWS’s API’s are credentialed, this encourages Javascript to contain AWS credentials as seen below:
Cross Origin Requests to AWS
We’ve observed this pattern on the open internet, but it also seems more common in internal applications at companies. Unfortunately CORS issues can often cascade and lead to multiple points of failure compromising the integrity of the keys on internal apps.
Specifically common apps often have permissive CORS settings. This is a growing trend with API first application development. Because multiple frontend applications often consume the same backend API, many internal apps unfortunately get scopes with permissive CORS settings.
If we combine the above two concepts, we end up with a foreign origin from the open internet with the ability to make requests to internal apps and API’s, view the responses, and steal API keys hardcoded client side in the internal applications:
The chrome extension has a few other nice features as well, such as the ability to detect .git directories and .env files, both of which can also contain credentials in them.
Here’s again a link to the repo https://github.com/trufflesecurity/Trufflehog-Chrome-Extension
The extension is currently pending security review on the google extension store, but in the mean time it can be side loaded.
Happy hacking!