Google Maps API checker

Overview

GAP

Google API checker.

Based on the studies "Unauthorized Google Maps API Key Usage Cases, and Why You Need to Care" and "Google Maps API (Not the Key) Bugs That I Found Over the Years".

Checks performed

USAGE

# Check API key AIza[REDACTED] and print PoC
$> gap -api "AIza[REDACTED]" -poc

[i] Performing checks using AIza[REDACTED]
[+] Not vulnerable to DirectionsAPI
[+] Not vulnerable to StaticMapAPI
[+] Not vulnerable to StreetViewAPI
[+] Not vulnerable to EmbedBasicAPI
[+] Not vulnerable to EmbedAdvancedAPI
[+] Not vulnerable to DirectionsAPI
[-] Vulnerable to GeocodeAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIza[REDACTED]

[-] Vulnerable to DistanceMatrixAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=AIza[REDACTED]

[-] Vulnerable to FindPlaceFromTextAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIza[REDACTED]

[-] Vulnerable to AutocompleteAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIza[REDACTED]

[+] Not vulnerable to ElevationAPI
[+] Not vulnerable to TimezoneAPI
[+] Not vulnerable to NearestRoadsAPI
[-] Vulnerable to GeolocationAPI
[!] PoC Request:
POST /geolocation/v1/geolocate?key=AIza[REDACTED] HTTP/1.1
Host: www.googleapis.com
Content-Type: application/json

{"considerIp": true}

[+] Not vulnerable to RouteToTraveledAPI
[+] Not vulnerable to SpeedLimitRoadsAPI
[-] Vulnerable to PlaceDetailsAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIza[REDACTED]

[-] Vulnerable to NearbySearchPlacesAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key=AIza[REDACTED]

[-] Vulnerable to TextSearchPlacesAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key=AIza[REDACTED]

[+] Not vulnerable to PlacesPhotoAPI
[+] Not vulnerable to PlayableLocationsAPI
[+] Not vulnerable to FCMAPI

Comments
  • QueryAutocompletePlaces not properly checked

    When I check a key it says that QueryAutocompletePlaces is vulnerable, but when I open the PoC URL I get

    {
       "error_message" : "API keys with referer restrictions cannot be used with this API.",
       "predictions" : [],
       "status" : "REQUEST_DENIED"
    }
    

    This indicates that the key is not vulnerable, I assume the check is not working properly (I might be wrong though). I can't share the API key I used, so not sure how to reproduce.

    Also: thanks for this tool btw, love it! Really simple and easy to use! :)

    bug help wanted 
    opened by dcts 2
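
The response quoted in the report above carries "status": "REQUEST_DENIED", so a key audit has to read the body's status field before reporting a key as usable. The Go code below is an added example, not GAP's own code; the Classify function, the verdict names and the second sample body are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Verdict names are assumptions of this example, not GAP's output strings.
type Verdict string

const (
	Usable       Verdict = "usable"       // the API served the request with this key
	Denied       Verdict = "denied"       // the API refused the key
	Inconclusive Verdict = "inconclusive" // body says nothing reliable about the key
)

// Body quoted in the report above (whitespace collapsed).
const deniedBody = `{"error_message": "API keys with referer restrictions cannot be used with this API.", "predictions": [], "status": "REQUEST_DENIED"}`

// Constructed sample of an accepted request (not captured from a real key).
const okBody = `{"predictions": [{"description": "constructed sample"}], "status": "OK"}`

// Classify reads the JSON "status" field of a Maps web-service response body.
func Classify(body []byte) (Verdict, string) {
	var r struct {
		Status       string `json:"status"`
		ErrorMessage string `json:"error_message"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return Inconclusive, "unparseable body"
	}
	switch r.Status {
	case "OK", "ZERO_RESULTS": // request was served, so the key was accepted
		return Usable, r.Status
	case "REQUEST_DENIED":
		return Denied, r.ErrorMessage
	case "": // e.g. APIs that report errors in a different JSON shape
		return Inconclusive, "no status field"
	default: // e.g. INVALID_REQUEST or OVER_QUERY_LIMIT: recheck before deciding
		return Inconclusive, r.Status
	}
}

func main() {
	for _, b := range []string{deniedBody, okBody, "<html>error</html>"} {
		v, why := Classify([]byte(b))
		fmt.Printf("%-12s %s\n", v, why)
	}
}
```

Only a usable verdict should be reported as a finding; the denied verdict keeps Google's error_message, which tells the key owner which restriction stopped the request.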
Owner
Joan Bono
IT Security Analyst