KingOfBugbounty/Hardcoded-Token-Hunter

🔍 Hardcoded Token Hunter

⚡ Detect Hardcoded Tokens & Secrets in JavaScript Files

Automatically find exposed API keys, tokens, and secrets while browsing


📋 About

Hardcoded Token Hunter is a powerful Chrome extension designed for bug bounty hunters and security researchers. It automatically scans JavaScript files for hardcoded secrets, API keys, tokens, and sensitive data that shouldn't be exposed in client-side code.


⚡ Features

🔍 Token Detection

  • ✅ AWS Access Keys & Secret Keys
  • ✅ Google API Keys & OAuth
  • ✅ GitHub/GitLab Tokens
  • ✅ Stripe API Keys
  • ✅ Firebase Credentials
  • ✅ JWT Tokens
  • ✅ Private Keys (RSA/SSH)
  • ✅ Database Connection Strings
  • ✅ Slack Webhooks/Tokens
  • ✅ Twilio API Keys
  • ✅ SendGrid API Keys
  • ✅ Mailgun API Keys
  • ✅ And 50+ more patterns!

🛠️ Advanced Features

  • 🔄 Auto Mode: Passive scanning while browsing
  • 🎯 Manual Mode: On-demand deep scanning
  • 🪣 S3 Bucket Takeover Detection
  • 🕷️ Deep Crawler: Follow JS imports
  • ✅ Token Validation: Verify if tokens are active
  • 💬 Discord Alerts: Real-time webhook notifications
  • 📊 History Dashboard: Track all findings
  • ⚙️ Customizable: Add your own regex patterns

🎯 Detected Secrets

| Category        | Patterns                                   |
|-----------------|--------------------------------------------|
| Cloud Providers | AWS, GCP, Azure, DigitalOcean, Heroku      |
| Payment         | Stripe, PayPal, Square, Braintree          |
| Communication   | Twilio, SendGrid, Mailgun, Slack           |
| Database        | MongoDB, PostgreSQL, MySQL, Redis          |
| Authentication  | JWT, OAuth, API Keys, Bearer Tokens        |
| Version Control | GitHub, GitLab, Bitbucket                  |
| CI/CD           | Travis CI, CircleCI, Jenkins               |
| Other           | Firebase, Algolia, Mapbox, Sentry          |

🚀 Installation

# 1. Clone this repository
git clone https://github.com/KingOfBugbounty/Hardcoded-Token-Hunter.git

# 2. Open Chrome
chrome://extensions/

# 3. Enable "Developer mode" (top right corner)

# 4. Click "Load unpacked"

# 5. Select the cloned folder

# 6. Start hunting! 🎯

📖 How to Use

🔄 Auto Mode (Passive)

1️⃣  Enable Auto Mode in settings
         ↓
2️⃣  Browse websites normally
         ↓
3️⃣  Extension scans JS files automatically
         ↓
4️⃣  Get notified when secrets are found
         ↓
5️⃣  Check findings in the popup dashboard

🎯 Manual Mode (Active)

1️⃣  Navigate to target website
         ↓
2️⃣  Click extension icon
         ↓
3️⃣  Click "Deep Scan" button
         ↓
4️⃣  Extension crawls all JS files
         ↓
5️⃣  View detailed results with validation

🪣 S3 Bucket Takeover Detection

The extension automatically detects:

  • ❌ Non-existent S3 buckets (takeover possible)
  • ⚠️ Misconfigured bucket permissions
  • 🔓 Publicly accessible buckets
  • 📝 Bucket names in JS code
// These patterns are detected:
"https://bucket-name.s3.amazonaws.com"
"s3://bucket-name/path"
"bucket-name.s3.region.amazonaws.com"
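As an added example (not code from the Hardcoded-Token-Hunter project), the JavaScript below extracts candidate bucket names from a constructed JS snippet for the three URL forms listed above, and goes one step beyond that list by also handling path-style `s3.amazonaws.com/bucket-name` URLs. Candidates are checked against AWS's published bucket-naming rules before they are reported, which removes a good share of false positives before any existence check is attempted (the existence check itself is not part of this example). All sample strings and bucket names are constructed.

```javascript
// Added example, not code from the Hardcoded-Token-Hunter project.
// Extracts candidate S3 bucket names from JavaScript source text.

// Bucket-name rules per AWS naming constraints: 3-63 chars, lowercase letters,
// digits, dots and hyphens, alphanumeric at both ends, no "..", not an IPv4.
function isValidBucketName(name) {
  if (name.length < 3 || name.length > 63) return false;
  if (!/^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$/.test(name)) return false;
  if (name.includes('..')) return false;
  if (/^\d{1,3}(?:\.\d{1,3}){3}$/.test(name)) return false;
  return true;
}

// Capturing group for a bucket name inside a URL.
const NAME = '([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])';

const S3_FORMS = [
  // https://bucket-name.s3.amazonaws.com and bucket-name.s3.<region>.amazonaws.com
  { form: 'virtual-hosted', regex: new RegExp(NAME + '\\.s3(?:[.-][a-z0-9-]+)?\\.amazonaws\\.com', 'g') },
  // s3://bucket-name/path (the name ends at "/", a quote, whitespace or end of text)
  { form: 's3-uri', regex: new RegExp('s3://' + NAME + '(?=[/"\'`\\s]|$)', 'g') },
  // Path-style https://s3.amazonaws.com/bucket-name (beyond the README's list).
  // The lookbehind keeps "x.s3.amazonaws.com/img" from yielding "img" as a bucket.
  { form: 'path-style', regex: new RegExp('(?<![a-z0-9.-])s3(?:[.-][a-z0-9-]+)?\\.amazonaws\\.com/' + NAME, 'g') },
];

// Returns every plausible bucket reference with the URL form it was seen in.
function extractBucketCandidates(source) {
  const hits = [];
  for (const { form, regex } of S3_FORMS) {
    regex.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = regex.exec(source)) !== null) {
      const bucket = m[1];
      if (isValidBucketName(bucket)) hits.push({ bucket, form, index: m.index });
    }
  }
  return hits;
}

// Sorted, de-duplicated bucket names: the list worth handing to an existence check.
function uniqueBucketNames(source) {
  return [...new Set(extractBucketCandidates(source).map((h) => h.bucket))].sort();
}

// Constructed sample bundle text (not taken from any real site).
const SAMPLE_JS = `
const cdn = "https://company-assets-backup.s3.amazonaws.com/img/logo.png";
const uploads = "s3://user-uploads-prod/2024/";
const region = "media-bucket.s3.us-east-1.amazonaws.com";
const legacy = "https://s3.amazonaws.com/legacy-static-site/index.html";
const notBucket = "https://example.com/s3/docs";
`;

console.log(extractBucketCandidates(SAMPLE_JS));
console.log(uniqueBucketNames(SAMPLE_JS));
```

The `notBucket` line shows why the name check and the lookbehind matter: a `/s3/` path segment on an unrelated host is never reported, and a file path after a virtual-hosted URL is not mistaken for a second bucket.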

🔧 Configuration

Discord Webhook

Get instant alerts when secrets are found:

  1. Create a webhook in your Discord server
  2. Go to extension Settings
  3. Paste webhook URL
  4. Enable Discord notifications

Custom Patterns

Add your own regex patterns for specific targets:

// Example: Custom API key pattern
{
  "name": "Custom API Key",
  "regex": "CUSTOM_[A-Za-z0-9]{32}",
  "severity": "high"
}
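As an added example (not the extension's own code), here is how a scanner can load a pattern list in this JSON shape, compile each regex defensively so that one malformed custom pattern does not take down the whole scan, and report findings with a line number and a redacted preview rather than the full secret. The `CUSTOM_` pattern is the one above; the AWS access-key-ID regex is built on the well-known `AKIA` prefix; the placeholder heuristic is an assumption added here to flag documentation samples. The sample bundle and its credential-looking strings are constructed (`AKIAIOSFODNN7EXAMPLE` is AWS's own published documentation placeholder).

```javascript
// Added example, not code from the Hardcoded-Token-Hunter project.
// Scans JavaScript source text with a list of {name, regex, severity} patterns.

const PATTERNS = [
  // Pattern from the README's "Custom Patterns" section.
  { name: 'Custom API Key', regex: 'CUSTOM_[A-Za-z0-9]{32}', severity: 'high' },
  // AWS access key IDs start with the well-known AKIA prefix (16 chars follow).
  { name: 'AWS Access Key ID', regex: '\\bAKIA[0-9A-Z]{16}\\b', severity: 'critical' },
  // Deliberately malformed entry, to show that a bad user pattern is skipped, not fatal.
  { name: 'Broken pattern', regex: '[unclosed', severity: 'low' },
];

// Compile each regex; collect the ones that fail instead of throwing mid-scan.
function compilePatterns(patterns) {
  const compiled = [];
  const rejected = [];
  for (const p of patterns) {
    try {
      compiled.push({ ...p, re: new RegExp(p.regex, 'g') });
    } catch (err) {
      rejected.push({ name: p.name, reason: err.message });
    }
  }
  return { compiled, rejected };
}

// 1-based line number of a character offset in the source.
function lineNumberAt(source, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (source.charCodeAt(i) === 10) line++;
  return line;
}

// Heuristic (assumption of this example): documentation samples and redacted
// values tend to contain EXAMPLE/SAMPLE/XXXX or a long run of one character.
const PLACEHOLDER_HINTS = /EXAMPLE|SAMPLE|PLACEHOLDER|XXXX|(.)\1{5,}/i;
function looksLikePlaceholder(value) {
  return PLACEHOLDER_HINTS.test(value);
}

// Keep only a short prefix so findings can be stored and shared without the secret.
function redact(value) {
  const keep = Math.min(4, value.length);
  return value.slice(0, keep) + '*'.repeat(value.length - keep);
}

function scanSource(source, patterns) {
  const { compiled, rejected } = compilePatterns(patterns);
  const findings = [];
  for (const p of compiled) {
    p.re.lastIndex = 0;
    let m;
    while ((m = p.re.exec(source)) !== null) {
      findings.push({
        name: p.name,
        severity: p.severity,
        line: lineNumberAt(source, m.index),
        preview: redact(m[0]),
        placeholder: looksLikePlaceholder(m[0]),
      });
      if (m[0].length === 0) p.re.lastIndex++; // guard against zero-width patterns looping forever
    }
  }
  findings.sort((a, b) => a.line - b.line);
  return { findings, rejected };
}

// Constructed sample bundle; none of these values are real credentials.
const SAMPLE_SOURCE = [
  '// constructed sample bundle, not real credentials',
  'const apiKey = "CUSTOM_Qm3vL8xZr1TpK9wYs4HdB2nJc7fGe5Ua";',
  'const awsKey = "AKIAQ7MZB3XP2LWN9RT4";',
  'const docsKey = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation placeholder',
  'const theme = "dark";',
].join('\n');

console.log(JSON.stringify(scanSource(SAMPLE_SOURCE, PATTERNS), null, 2));
```

The `placeholder` flag is a hint for triage, not a verdict: the documentation key is still listed, but a reviewer can sort it below the finding that deserves a validation check first.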

📊 Dashboard Features

📈 Real-time Stats - Tokens found, files scanned, pages analyzed
📋 Findings List - All detected secrets with source URLs
✅ Validation Status - Check if tokens are still active
📤 Export - Copy findings or export to JSON
🕐 History - Track all findings across sessions

πŸ›‘οΈ Security & Ethics

βœ… Legitimate Use Cases

  • 🎯 Bug bounty hunting
  • πŸ”’ Security assessments
  • 🏒 Authorized pentesting
  • πŸ“š Security research
  • πŸŽ“ Educational purposes

❌ Do Not

  • β›” Access systems without authorization
  • β›” Use found credentials maliciously
  • β›” Exploit vulnerabilities without permission
  • β›” Share sensitive findings publicly

πŸ“ Project Structure

Hardcoded-Token-Hunter/
β”œβ”€β”€ manifest.json              # Extension config (Manifest V3)
β”œβ”€β”€ background.js              # Service worker
β”œβ”€β”€ content.js                 # Main content script
β”œβ”€β”€ validator.js               # Token validation logic
β”œβ”€β”€ deep-crawler.js            # JS file crawler
β”œβ”€β”€ bucket-takeover-detector.js # S3 bucket scanner
β”œβ”€β”€ token-scanner-worker.js    # Web worker for scanning
β”œβ”€β”€ popup.html/js              # Extension popup
β”œβ”€β”€ settings.html/js           # Settings page
β”œβ”€β”€ history.html/js            # History dashboard
β”œβ”€β”€ popup.css                  # Styles
└── icons/                     # Extension icons
    β”œβ”€β”€ icon16.png
    β”œβ”€β”€ icon48.png
    └── icon128.png

🎯 Example Findings

πŸ” AWS Access Key Found!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Key: AKIA52XXXXXXXXXXXXXX
Source: https://target.com/app.bundle.js
Line: 1842
Status: ⚠️ Potentially Active

🪣 S3 Bucket Takeover Possible!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Bucket: company-assets-backup
Status: ❌ Does not exist
Risk: 🔴 Critical - Takeover possible!

πŸ› Troubleshooting

Issue Solution
No findings Try Manual/Deep Scan mode
Extension not working Check if Manifest V3 is supported
Discord not receiving Verify webhook URL is correct
High false positives Adjust sensitivity in settings

πŸ™ Credits

Developed by OFJAAAH



⚠️ For authorized security testing only. Use responsibly!
