3 releases
new 0.1.2 | May 15, 2024 |
---|---|
0.1.1 | Apr 25, 2024 |
0.1.0 | Apr 23, 2024 |
#473 in Development tools
293 downloads per month
150KB
3K
SLoC
KeyHunter
Check for leaked API keys and secrets any website's JavaScript.
KeyHunter running on sites of the last 7 YCombinator batches
Installation
You can install KeyHunter as a Crate from crates.io:
cargo install keyhunter --all-features
You can also use it as a library:
[dependencies]
keyhunter = "0.1.1"
Library docs are available on docs.rs.
Usage
To reproduce the example above, run
make yc
Provide KeyHunter with a URL to start scanning from. It will visit all pages on the same domain that URL links to, find all scripts referenced by those pages, and check them for leaked API keys and secrets.
keyhunter https://example.com
Authentication
You can include one or more headers in all requests KeyHunter makes with the
--header
(or -H
) flag. This means you can include an Authorization
header
to scan websites that require authentication.
keyhunter https://example.com -H "Authorization: Bearer <token>"
# Multiple headers
keyhunter https://example.com -H "Cookie: session-cookie=123" -H "x-another-header: foo"
This flag follows the same conventions as curl
's -H
flag.
For more information and a list of all available arguments, run
keyhunter --help
.
Disclaimer
This tool is for educational purposes only. Only use it on websites and/or web applications that you own or that are owned by an organization that has given you their explicit consent. Do not use this tool for malicious purposes. Please read the LICENSE for more information.
Dependencies
~18–30MB
~473K SLoC