Dora : Find Exposed API Keys Based On RegEx And Get Exploitation Methods

Dora, a tool to Find Exposed API Keys Based On RegEx And Get Exploitation Methods For Some Of Keys That Are Found

Features

• Blazing fast as we are using ripgrep in backend
• Exploit/PoC steps for many of the API key, allowing to write a good report for bug bounty hunting
• Unlike many other API key finders, dora also shows the path to the file and the line with context for easier analysis
• Can easily be implemented into scripts. See Example Use Cases

Installation

Make sure to install ripgrep

clone the repo
git clone https://github.com/sdushantha/dora.git
change the working directory to sherlock
cd dora
install dora
python3 setup.py install –user

Usage

$ dora –help
usage: dora [options]
positional arguments:
PATH Path to directory or file to scan
optional arguments:
-h, –help show this help message and exit
–rg-path RG_PATH Specify path to ripgrep
–rg-arguments RG_ARGUMENTS
Arguments you want to provide to ripgrep
–json JSON Load regex data from a valid JSON file (default: db/data.json)
–verbose, -v, –debug, -d
Display extra debugging information
–no-color Don’t show color in terminal output

Example Use Cases

• Decompile an APK using apktool and run dora to find exposed API keys
• Scan GitHub repos by cloning it and allowing dora to scan it
• While scraping sites, run dora to scan for API keys