GitHub search syntax fpr API Keys/Secrets/Tokens

Cheatsheet that enhances the GitHub dork list to hunt with the GitHub search syntax for leaked API keys, secrets, and tokens. This list isn’t complete but a good starting point.

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

e created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

1. OpenAI API keys

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND ("sk-" AND (openai OR gpt))

Screenshot:

2. Github OAuth/App/Personal/Refresh Access Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("ghp_" OR "gho_" OR "ghu_" OR "ghs_" OR "ghr_") AND (Github OR OAuth))

3. Slack Token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (xox AND Slack)

4. Google API key

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (AIza AND Google)

5. Square OAuth/access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("sq0atp-" OR "sq0csp-") AND (square OR OAuth))

6. Shopify shared secret, access token, private/custom app access token

(path:*.xml OR path:*.json OR path:*.properties OR path:*.sql OR path:*.txt OR path:*.log OR path:*.tmp OR path:*.backup OR path:*.bak OR path:*.enc OR path:*.yml OR path:*.yaml OR path:*.toml OR path:*.ini OR path:*.config OR path:*.conf OR path:*.cfg OR path:*.env OR path:*.envrc OR path:*.prod OR path:*.secret OR path:*.private OR path:*.key) AND (access_key OR secret_key OR access_token OR api_key OR apikey OR api_secret OR apiSecret OR app_secret OR application_key OR app_key OR appkey OR auth_token OR authsecret) AND (("shpss_" OR "shpat_" OR "shpca_" OR "shppa_") AND "Shopify")

Parameters Used

File Extensions

File Extension Description
.xml XML file format
.json JSON (JavaScript Object Notation) file format
.properties Properties file format used for configuration settings
.sql SQL (Structured Query Language) file format used for database queries
.txt Plain text file format
.log Log file format used for recording events or activities
.tmp Temporary file format
.backup Backup file format
.bak Backup file format
.enc Encrypted file format
.yml YAML (YAML Ain’t Markup Language) file format used for configuration settings
.yaml YAML (YAML Ain’t Markup Language) file format used for configuration settings
.toml TOML (Tom’s Obvious, Minimal Language) file format used for configuration settings
.ini INI (Initialization) file format used for configuration settings
.config Configuration file format
.conf Configuration file format
.cfg Configuration file format
.env Environment file format
.envrc Environment file format specific to the Direnv tool
.prod Production file format
.secret Secret file format
.private Private file format
.key Key file format

Keynames

Keynames Description
access_key Variable name to store the key used for accessing a resource or service
secret_key Variable name to store the key used for authentication or encryption
access_token Variable name to store the token used for accessing an API or resource
api_key Variable name to store the key used for accessing an API or service
apikey Shortened version of “api_key”
api_secret Variable name to store the secret key used for API authentication
apiSecret An alternate of “api_secret”
app_secret Variable name to store the secret key used for application authentication
application_key Variable name to store the key used for identifying an application
app_key Variable name to store the key used for identifying an application
appkey Shortened version of “app_key”
auth_token Variable name to store the token used for authentication or authorization
authsecret Variable name to store the secret key used for authentication or authorization

Other Useful Tools:

  • Online IDE Search: https://redhuntlabs.com/online-ide-search/
  • Keyhacks on GitHub: https://github.com/streaak/keyhacks
  • Google Hacking Database: https://www.exploit-db.com/google-hacking-database
Written on July 23, 2023


◀ Back to the Pensieve