API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains Tristan Kalos, Co-founder and CEO at Escape Antoine Carossio, Co-Founder & CTO at Escape Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

1. /56
API Secret Tokens Exposed
in Frontends
Insights from Analyzing 1 Million Domains Reveal
Critical Risks of the Modern Web
1

3. /56
Why looking for API Secrets in the wild?
Detecting hard-coded secrets in frontends
Critical findings… and millions of $
Recommendations for mitigating risks
On today’s agenda
2
1.
2.
3.
4.

4. /56
3
Tristan Kalos
linkedin.com/in/tkalos
• Co-founder & CEO of Escape
• Graduate from UC Berkeley
• Ex-Researcher in Artificial Intelligence applied to Cybersecurity
• Got hacked, built a cybersecurity startup
Antoine Carossio
linkedin.com/in/acarossio
• Co-founder & CTO of Escape
• Graduate from UC Berkeley
• Passionate open-source contributor, co-author of GraphQL Armor
• Huge Apple fan

5. /56
4

6. /56
Escape - the API Security Platform
We help security teams discover and secure all their exposed APIs using AI, without an agent

7. /56
Past research
6
escape.tech/resources/

8. /56
7
Past research
escape.tech/resources/

9. /56
8
https://escape.tech/the-api-secret-sprawl-2024

10. /56
9
Why is an API Secret leak
a problem?
1

11. /56
The significant rise of secret sprawl
10
● Tech is booming: every company has
resources on the web
● DevOps teams struggle to deploy
assets effectively and security

12. /56
The significant rise of secret sprawl
11
● Tech is booming: every company has
resources on the web
● DevOps teams struggle to deploy
assets effectively and security
● Companies of all sizes are affected
> Attack vector: Exposed APIs and exposed
secrets

13. /56
12
SAST DAST RASP
Why does this still happen?
Threat
Modeling
SCA

14. /56
13
What about secrets?

15. /56
14
What about secrets in… repos?

16. /56
15
What about secrets in… APIs?

17. /56
What about secrets in… frontends???
16
?

18. /56
Detecting Hard-Coded Secrets
in Frontends
The algorithmic "Tour de Force"
17
2

19. /56
Frontend architecture
18

20. /56
Frontend architecture
19

21. /56
Frontend architecture
20

22. /56
Zoom on Javascript assets
21

23. /56
How to detect hard-coded secrets in frontends?
22
Documented Secrets

24. /56
How to detect hard-coded secrets in frontends?
23
Documented Secrets
⇒ use the good old regex!

25. /56
Filtering scoped tokens and public keys
24
Does not
Protect Assets
Filtered Out

26. /56
What about proprietary & undocumented secrets?
25
Proprietary &
undocumented
secrets?

27. /56
What about proprietary & undocumented secrets?
26
Entropy!
Proprietary &
undocumented
secrets?

28. /56
What about proprietary & undocumented secrets?
27
Entropy!
Javascript bundle
randomness
Proprietary &
undocumented
secrets?
💀 False positives

29. /56
28
Only true positive
counts as we cannot
emit confidence
Unauthorized to test
the tokens
Entropy!
Proprietary &
undocumented
secrets?
💀 False positives
What about proprietary & undocumented secrets?
Javascript bundle
randomness

30. /56
29
Only true positive
counts as we cannot
emit confidence
Unauthorized to test
the tokens
Entropy!
Javascript bundle
randomness
Proprietary &
undocumented
secrets?
💀 False positives
What about proprietary & undocumented secrets?
Leveraging AST for
high confidence
signal

31. /56
Secret Sauce: Leveraging Abstract Syntax Tree (AST)
30
Goal: Restructure the code to
understand the context where
variables are declared and used

32. /56
Dead-simple and scalable architecture
31
150
Concurrent Pods

33. /56
32
956K
Input Domains

34. /56
33
4
Domain per second
956K
Input Domains

35. /56
34
4
Domain per second
69 hours
Total scanning time
956K
Input Domains

36. /56
Millions of requests later …
189.5M
URLs scanned
35
4
Domain per second
69 hours
Total scanning time
956K
Input Domains

37. /56
Millions of requests later …
189.5M
URLs scanned
36
4
Domain per second
69 hours
Total scanning time
956K
Input Domains
💰
$100
Computing cost

38. /56
Analyzing 1 Million Domains
or how we traded $100 for $ 20M…
37
3

39. /56
Nature of the findings
38
18,458
Total secrets found

40. /56
World-Wide exposure
39
#1 󰎙
with 6.26% of total
exposed domains
#1 EU 󰐗
with 5.89% of total
exposed domains

41. /56
When it rains…💧
40

42. /56
When it rains, it pours… 🌧
41
28
biggest number of
secrets exposed per
domain
1.7
average exposed
secrets per “vulnerable“
domain

43. /56
Frontend development bad practices are still prevalent
42

44. /56
Some development trends: Javascript Single Build
43
CI/CD tokens and environment secrets
leaks in Javascript assets
+
.env

45. /56
Critical findings
44
1/3
could lead to an entire
business shutdown

46. /56
Hard-coded private Keys, including Private RSA Keys (25%)
45

47. /56
Million $$ findings
46

48. /56
20 Million $$ findings (0.9%)
47
$17M
on a single token

49. /56
How to secure API Secrets from being exposed?
Our recommendations
48
4

50. /56
The secrets should not be accessed by the frontend…
49
Frontend
OpenAI Key
❌

51. /56
The secrets should not be accessed by the frontend… but the backend
50
Frontend
OpenAI Key
Frontend Backend
OpenAI Key
❌
✅

52. /56
Leveraging Type Prefixes
51
jetpack-io/typeid

53. /56
Leveraging Type Prefixes
52
jetpack-io/typeid
The Perfect Example: Stripe

54. /56
Store your Secrets in Vaults, not .env files!
53
Hashicorp Vault
AWS Secret Manager

55. /56
Automation as a Service: Rotating and Scoped Tokens
54
Vault Key Rotation
Vault Dynamic Secret

56. /56
55
API Discovery & API Security
55
Thank you!
Any questions?
Antoine Carossio
linkedin.com/in/acarossio
Tristan Kalos
linkedin.com/in/tkalos
Try it yourself in 1 minute!
app.escape.tech