Secrets Embedded in Web Page DOMs


At Bolster, we analyze millions of web pages every day. We look for similarities to known legitimate brand’s web page DOMs, use natural language processing to compare rendered text, and many other tricks.

When you scan web pages on such a large scale, sometimes you end up finding things you never anticipated. In many surveys, we have seen web page DOMs containing different API keys and email ids. API keys ranged from high severity, Twitter consumer, access tokens, AWS access and secret tokens to medium severity loose webhook URLs, Google Maps API keys and many low-gravity API tokens.

These incidents can occur when the front-end HTML is not examined for secrets before publishing. In some cases, like the Google Maps API, the key is meant to be embedded in HTML by design, but should be restricted from the admin dashboard for referrers and origin.

For this blog, we decided to dive into the scope of this problem

Our research

We took 1.5 million random DOMs and parsed them for regular expressions of popular API keys like Google Cloud API, AWS API & Access, Mailchimp, Mailgun, Telegram, Stripe, Twilio and many more.


Secrets Embedded in Web Page DOMs
Found key types from 1.5 million dom scans

A significant portion of Google Maps API keys found had no throttling policy configured. So anyone can make requests using these API keys. If we parse the found Google Maps key using the gmapsapiscanner we can get a list of endpoints that the particular API key works on and what the price of those endpoints is.

These exposed API keys can be exploited by malicious actors to frustrate unexpected billing costs if the keys do not have a rate limit or usage cap. Additionally, if the attacker consumes the entire request limit quota and billing is not configured correctly, the attacker can cause a denial of service attack. Since the quota is consumed, all newly made API requests by applications will fail for users.

Secrets Embedded in Web Page DOMs
for example, the cost of one of the vulnerable Google Maps API keys found for different endpoint searches

We have not tested all found keys for working condition. It should be assumed that a certain percentage of keys may have already been revoked and are unusable.

Use of Internet search engines

Shodan and ZoomEye

Other approaches to passively finding API keys can include using internet search engines like Shodan and Zoomeye that scan IP addresses to run services. In case the server is running the HTTP service, these services also take a snapshot of the webpage’s DOM and allow us to search among them.

  • To search for DOM content scanned by Shodan, you can use the following filter
  • On Zoomeye, you can search the API key pattern or initial words directly without any filter. Zoomeye automatically searches for search terms in scanned DOMs.

For this example, we looked for Slack webhook URL patterns that can be used to send messages in internal Slack channels. A post request must be made to the URL to send the text message to the slack channel.

There are also dom search engines like You can search for keywords or regex patterns in the DOM using publicwww. We were able to find many loose webhooks URLs using publicwww.

Secrets Embedded in Web Page DOMs
Results for loose webhooks on

Internet Archive Services

Internet archive services such as’s Wayback Machine also regularly take DOM snapshots of web pages. If an API key or other secret has been embedded in the DOM in the past, these can still be found using Internet Archive Services. That’s why exposed secrets and API keys should not only be deleted, but also revoked, because you can never be sure which services took snapshots of the DOM.


  • Analyze/verify the DOM of the webpage before publishing to avoid such incidents. Truffle Hog is a great tool for automating the analysis of various popular API keys in source code.
  • If a key needs to be embedded in the webpage’s DOM or JavaScript, set throttling policies such as referrer, origin, IP address checking and set rate limits accordingly. And make sure it is not enabled to perform sensitive actions.
  • If you find a key embedded in your site’s publicly accessible DOM, you should not only remove it from the DOM, but also revoke it. The keys may also have been cached on the Internet Archive or other similar platforms.

*** This is a syndicated blog from the Security Bloggers Network of Reinforcement Blog written by Nikhil Panwar. Read the original post at:

Source link