Sourav Sahana

@pocdork


Basetrip API Key Exposure

In June 2020, I found a Basetrip API key exposed publicly in an Android application's source code. That application had a bug bounty program on Bugcrowd; I reported the issue and my report was triaged.

Category: Sensitive Data Exposure > Critically Sensitive Data > Private API Keys

Status: Triaged

Bounty: Points

You can use apktool to decompile an APK and search the decompiled resources and smali for these hard-coded secret keys.

Let's go straight to the proof of concept, a cURL request against the API:

POC:

curl --request GET --url 'https://api.thebasetrip.com/v3/countries/france?from=spain' --header 'Accept: application/json' --header 'x-api-key: <API_KEY>'

If the key is still active, the API returns a valid response, which confirms the exposure.
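The same finding can be caught before release by scanning apktool output for string literals that sit next to key-like names or look high-entropy. The scanner below is an added example, not the author's tooling; the strings.xml and smali snippets and the key values in them are constructed for this example.

```python
import math
import re

# Constructed samples modelled on what apktool emits: res/values/strings.xml
# and a smali const-string. The key values are made up for this example.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">TravelDemo</string>
    <string name="basetrip_api_key">Ab3dE9fGh1JkLmN0pQrStUvWxYz2345678</string>
    <string name="welcome">Welcome back</string>
</resources>"""

SAMPLE_SMALI = """.method private buildHeaders()V
    const-string v0, "x-api-key"
    const-string v1, "Zz9yX8wV7uT6sR5qP4oN3mL2kJ1hG0fE"
    return-void
.end method"""

# Identifier names that suggest the adjacent string literal is a credential.
KEY_NAME = re.compile(r"(api[_-]?key|secret|token|x-api-key)", re.IGNORECASE)
# A quoted literal or XML text node of plausible key length and charset.
LITERAL = re.compile(r'(?:"([A-Za-z0-9_\-]{20,})")|(?:>([A-Za-z0-9_\-]{20,})<)')


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(text: str, min_entropy: float = 3.5) -> list:
    """Return candidate secrets: literals that follow a key-like name within
    the two preceding lines, or that look high-entropy on their own."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        for m in LITERAL.finditer(line):
            value = m.group(1) or m.group(2)
            context = " ".join(lines[max(0, i - 2): i + 1])
            named = bool(KEY_NAME.search(context))
            entropy = shannon_entropy(value)
            if named or entropy >= min_entropy:
                hits.append({"line": i + 1, "value": value,
                             "named": named, "entropy": round(entropy, 2)})
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_STRINGS_XML, SAMPLE_SMALI):
        for hit in find_hardcoded_keys(sample):
            print(hit)
```

In practice the check runs over the whole apktool output directory (res/ and smali/) as a pre-release gate, and any hit means the key belongs in a backend proxy or per-user token flow rather than in the shipped APK.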
