add apigee client id and secret #107

w1th0ut · 2021-09-03T13:59:47Z

Hello,
I have suggestion add apigee client id and secret. With client id and secret, we can gain full access to apigee service of that company who leak id and secret. No regex for hunting client id and secret but there is

curl -I -H 'Content-Type: application/x-www-form-urlencoded' -X POST 'https://company.apigee.net/oauth/accesstoken' -d 'grant_type=client_credentials&client_id=xxx&client_secret=yyy'

Client id always longer than client secret.

{
    "token": "xxx",
    "access_token": "xxx",
    "issued_at": "00000",
    "expires_in": "00000"
}

Access token will look like jwt token, so decode it and find this:

{
  "access_token": "agGEHDkB7WRDYNbVJ1VVbAjzGTi4",
  "audience": "",
  "api_product_list": [
  ],

Use this key as bearer authorization to explore more deep.

But do not always following /oauth/accesstoken endpoint because some company using custom endpoint.
Simple Regex to hunt apigee service of company: .*\.apigee\.net

reference:
https://docs.apigee.com/api-platform/security/oauth/oauth-20-client-credentials-grant-type

The text was updated successfully, but these errors were encountered:

streaak · 2021-10-02T04:53:09Z

Hey @w1th0ut,
Could you create a PR and reference this issue?

Thanks

EdOverflow added the status: pr needed Issue ticket is awaiting a PR label Feb 6, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add apigee client id and secret #107

add apigee client id and secret #107

w1th0ut commented Sep 3, 2021

streaak commented Oct 2, 2021

add apigee client id and secret #107

add apigee client id and secret #107

Comments

w1th0ut commented Sep 3, 2021

streaak commented Oct 2, 2021