Linux commands to help with bug bounties

Let’s assume we’re extracting secrets from a group of js files using SecretFinder (https://github.com/m4ll0k/SecretFinder)

And we get a list of Heroku API keys that look like this (imagine each key is different, this key is taken from the Heroku docs page):

Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef
Heroku API KEY -> 01234567–89ab-cdef-0123–456789abcdef

We can test the key out using a curl command from keyhacks (https://github.com/streaak/keyhacks#Heroku-API-key)

But we need to script it a bit, using linux commands. So first grab the lines that have the heroku keys, and then we use cut to get the keys:

cat secrets.txt | grep -i heroku | cut -d$’\t’ -f3

Cat — prints the file
Grep — shows the lines that have the string
Grep -i — not case sensitive
Cut — cut the line
Cut -d — set the delimiter
cut -d$’\t’ — set the delimiter to tab
cut -d$’\t’ -f3 — cut out the third column using tab as the delimiter

Then we have just the keys, so we set the keys as a variable string and loop through them:

cat secrets.txt | grep -i heroku | cut -d$’\t’ -f3 | while read key; do something; done

Using the line from keyhacks we get

cat secrets.txt | grep -i heroku | cut -d$’\t’ -f3 | while read key; do curl -X POST https://api.heroku.com/apps -H “Accept: application/vnd.heroku+json; version=3” -H “Authorization: Bearer $key”; done

Which will loop through the keys into the curl command and output the results:

{
“id”:”unauthorized”,
“message”:”Invalid credentials provided.”
}