swaggerHole – A Python3 Script Searching For Secrets On SwaggerHub

Introduction 

This tool automates the process of retrieving secrets from the public APIs on [swaggerHub](https://app.swaggerhub.com/search). It is multithreaded, and a pipe mode (search term read from stdin) is available 🙂

Requirements 

- python3 (sudo apt install python3)
- pip3 (sudo apt install python3-pip)

Installation

pip3 install swaggerhole

or by cloning this repository and running:

git clone https://github.com/Liodeus/swaggerHole.git
pip3 install .

Usage

_____ _ __ ____ _ ____ _ ____ _ ___ _____
/ ___/| | /| / // __ `// __ `// __ `// _ / ___/
(__ ) | |/ |/ // /_/ // /_/ // /_/ // __// /
/____/ |__/|__/ __,_/ __, / __, / ___//_/
__ __ __ /____/ /____/
/ / / /____ / /___
/ /_/ // __ / // _
/ __ // /_/ // // __/
/_/ /_/ ____//_/ ___/

usage: swaggerhole [-h] [-s SEARCH] [-o OUT] [-t THREADS] [-j] [-q] [-du] [-de]

optional arguments:
  -h, --help            show this help message and exit
  -s SEARCH, --search SEARCH
                        Term to search
  -o OUT, --out OUT     Output directory
  -t THREADS, --threads THREADS
                        Threads number (Default 25)
  -j, --json            Json ouput
  -q, --quiet           Remove banner
  -du, --deactivate_url
                        Deactivate the URL filtering
  -de, --deactivate_email
                        Deactivate the email filtering

Search for secrets about a domain

swaggerHole -s test.com

echo test.com | swaggerHole

Search for secrets about a domain and output to JSON

swaggerHole -s test.com --json

echo test.com | swaggerHole --json

Search for secrets about a domain and do it fast 🙂

swaggerHole -s test.com -t 100

echo test.com | swaggerHole -t 100

Output explanation

Normal output

`Finding_Type - Finding - [Swagger_Name][Date_Last_Update][Line:Number]`

JSON output

`{"Finding_Type": Finding, "File": File_path, "Date": Date_Last_Update, "Line": Number}`
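
One way to triage the JSON output described above when auditing your own organisation's published specs, as an added example that is not part of swaggerHole itself. It assumes one JSON object per line; the finding type names, file paths, dates and values in the sample are constructed.

```python
import json
from collections import defaultdict

# Metadata keys named in the JSON format above; the remaining key is the finding type.
META_KEYS = {"File", "Date", "Line"}

# Constructed sample lines (not real tool output); one JSON object per line is assumed.
SAMPLE = """\
{"Example_API_Key": "EXAMPLEKEY0000000000", "File": "out/acme-billing.yaml", "Date": "2022-01-10", "Line": 42}
{"Example_API_Key": "EXAMPLEKEY0000000000", "File": "out/acme-billing-v2.yaml", "Date": "2022-03-02", "Line": 57}
{"Example_Email": "dev@test.com", "File": "out/acme-billing.yaml", "Date": "2022-01-10", "Line": 7}
this line is not JSON and is skipped
"""

def parse_findings(text):
    """Yield (finding_type, value, file, date, line) for every well-formed line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        types = [k for k in obj if k not in META_KEYS]
        if len(types) != 1:  # expect exactly one finding-type key per record
            continue
        ftype = types[0]
        yield ftype, str(obj[ftype]), obj.get("File"), obj.get("Date"), obj.get("Line")

def triage(text):
    """Group by (type, value): each distinct secret once, with every location it leaked."""
    grouped = defaultdict(list)
    for ftype, value, path, date, line in parse_findings(text):
        grouped[(ftype, value)].append((path, date, line))
    return dict(grouped)

def redact(value, keep=4):
    """Keep a short prefix so the report can be shared without re-leaking the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def report(text):
    """One line per distinct finding, for a rotation or takedown checklist."""
    return [
        f"{ftype} {redact(value)} seen in {len(locs)} spec(s), first at {locs[0][0]}:{locs[0][2]}"
        for (ftype, value), locs in sorted(triage(text).items())
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
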

Deactivate url/email 

Using -du or -de removes the corresponding filtering done by the tool. There are more false positives with those options.