Google Maps API checker

GAP

Google API checker.

Based on the studies "Unauthorized Google Maps API Key Usage Cases, and Why You Need to Care" and "Google Maps API (Not the Key) Bugs That I Found Over the Years".

Checks performed

USAGE

# Check API key AIza[REDACTED] and print PoC
$> gap -api "AIza[REDACTED]" -poc

[i] Performing checks using AIza[REDACTED]
[+] Not vulnerable to DirectionsAPI
[+] Not vulnerable to StaticMapAPI
[+] Not vulnerable to StreetViewAPI
[+] Not vulnerable to EmbedBasicAPI
[+] Not vulnerable to EmbedAdvancedAPI
[+] Not vulnerable to DirectionsAPI
[-] Vulnerable to GeocodeAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/geocode/json?latlng=40,30&key=AIza[REDACTED]

[-] Vulnerable to DistanceMatrixAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/distancematrix/json?units=imperial&origins=40.6655101,-73.89188969999998&destinations=40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.6905615%2C-73.9976592%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626%7C40.659569%2C-73.933783%7C40.729029%2C-73.851524%7C40.6860072%2C-73.6334271%7C40.598566%2C-73.7527626&key=AIza[REDACTED]

[-] Vulnerable to FindPlaceFromTextAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/findplacefromtext/json?input=Museum%20of%20Contemporary%20Art%20Australia&inputtype=textquery&fields=photos,formatted_address,name,rating,opening_hours,geometry&key=AIza[REDACTED]

[-] Vulnerable to AutocompleteAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/autocomplete/json?input=Bingh&types=%28cities%29&key=AIza[REDACTED]

[+] Not vulnerable to ElevationAPI
[+] Not vulnerable to TimezoneAPI
[+] Not vulnerable to NearestRoadsAPI
[-] Vulnerable to GeolocationAPI
[!] PoC Request:
POST /geolocation/v1/geolocate?key=AIza[REDACTED] HTTP/1.1
Host: www.googleapis.com
Content-Type: application/json

{"considerIp": true}

[+] Not vulnerable to RouteToTraveledAPI
[+] Not vulnerable to SpeedLimitRoadsAPI
[-] Vulnerable to PlaceDetailsAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/details/json?place_id=ChIJN1t_tDeuEmsRUsoyG83frY4&fields=name,rating,formatted_phone_number&key=AIza[REDACTED]

[-] Vulnerable to NearbySearchPlacesAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/nearbysearch/json?location=-33.8670522,151.1957362&radius=100&types=food&name=harbour&key=AIza[REDACTED]

[-] Vulnerable to TextSearchPlacesAPI
[!] PoC URL: https://maps.googleapis.com/maps/api/place/textsearch/json?query=restaurants+in+Sydney&key=AIza[REDACTED]

[+] Not vulnerable to PlacesPhotoAPI
[+] Not vulnerable to PlayableLocationsAPI
[+] Not vulnerable to FCMAPI
Owner
Joan Bono
IT Security Analyst
Comments
  • QueryAutocompletePlaces not properly checked

    When I check a key it says that QueryAutocompletePlaces is vulnerable, but when I open the PoC URL I get

    {
       "error_message" : "API keys with referer restrictions cannot be used with this API.",
       "predictions" : [],
       "status" : "REQUEST_DENIED"
    }
    

    This indicates that the key is not vulnerable, I assume the check is not working properly (I might be wrong though). I can't share the API key I used, so not sure how to reproduce.

    Also: thanks for this tool btw, love it! Really simple and easy to use! :)
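
The response quoted in the comment above is a well-formed JSON document whose status field says REQUEST_DENIED, so a check has to read the body before reporting a key as usable. The Go code below is an added example, not GAP's own code: it classifies a JSON response from its body, and the names Classify, Verdict and deniedBody, as well as the HTTP 200 code on the sample, are assumptions. It covers JSON endpoints only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type Verdict string

const (
	Usable  Verdict = "usable"  // key accepted: endpoint reachable with this key
	Denied  Verdict = "denied"  // key rejected by a restriction or disabled API
	Unknown Verdict = "unknown" // response does not settle it
)

// body covers both JSON error shapes: top-level "status"/"error_message"
// (Maps web services) and the "error" object (googleapis.com endpoints).
type body struct {
	Status       string `json:"status"`
	ErrorMessage string `json:"error_message"`
	Error        *struct {
		Message string `json:"message"`
	} `json:"error"`
}

// Classify looks at the body, not only the HTTP code, because a denial can
// arrive as a well-formed JSON document (assumed here: with HTTP 200).
func Classify(httpCode int, raw []byte) (Verdict, string) {
	var b body
	if err := json.Unmarshal(raw, &b); err != nil {
		return Unknown, "unparseable body" // e.g. an image or an HTML error page
	}
	switch {
	case b.Error != nil:
		return Denied, b.Error.Message
	case b.Status == "REQUEST_DENIED":
		return Denied, b.ErrorMessage
	case b.Status == "OK" || b.Status == "ZERO_RESULTS":
		return Usable, ""
	case b.Status == "" && httpCode == 200:
		return Usable, "" // assumption: success body that carries no status field
	}
	return Unknown, b.Status // quota and other statuses need a human look
}

// Body quoted in the comment above; the HTTP code 200 is an assumption.
const deniedBody = `{"error_message": "API keys with referer restrictions cannot be used with this API.", "predictions": [], "status": "REQUEST_DENIED"}`

func main() {
	v, why := Classify(200, []byte(deniedBody))
	fmt.Println(v, "-", why)
}
```
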
