Mapping what others miss. Human error is my favorite.
BlackAPI is a high-efficiency API vulnerability scanner designed to identify misconfigurations and unrestricted permissions in leaked API keys. Built for speed and clarity, it helps security researchers determine the actual impact of a discovered credential.
- Multi-Service Probing: Automatically tests keys against critical infrastructure endpoints.
- Bulk Processing: Supports scanning a single key or importing a wordlist for large-scale reconnaissance.
- Permission Mapping: Specifically identifies if a key is "Unrestricted" or "Accessible" for:
  - Google Maps / Places: Potential for financial drain via unauthorized location queries.
  - YouTube Data: Access to private metadata and video statistics.
  - Firebase Auth: Risks involving unauthorized user registration and database interaction.
- Zero Dependencies: Lightweight Bash script requiring only curl.
- Clone or Download the script to your local machine (Kali Linux/Debian recommended).
- Grant execution permissions:
chmod +x blackapi.sh
- (Optional) Install globally:
sudo mv blackapi.sh /usr/local/bin/blackapi
Quickly verify the impact of one API key:
./blackapi.sh -k AIzaSyBxxxxxxxxxxxxxx
Provide a list of keys (one per line) for batch processing:
./blackapi.sh -f api_keys_leak.txt
View all available options:
./blackapi.sh --help
When a critical vulnerability is detected, BlackAPI highlights the risk in green:
[*] PROBING KEY: AIzaSyA-ExampleKey123
[+] Google Maps API: UNRESTRICTED
[+] YouTube Data API: ACCESSIBLE
------------------------------------------------------------
[*] PROBING KEY: AIzaSyB-ExampleKey456
[-] No critical vulnerabilities detected.
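For a remediation ticket, the output above can be reduced to one row per finding with the key masked so the report does not re-leak the credential. This is an added example, not part of BlackAPI; `triage_blackapi` and `sample_scan` are hypothetical names, and it assumes the line format shown above and that the green highlight is an ANSI colour sequence.

```shell
#!/bin/sh
# Added example (not part of BlackAPI): summarize scanner output for a
# key-rotation ticket. Assumes the line format of the sample output above.

# triage_blackapi (hypothetical helper): reads scanner output on stdin and
# prints one tab-separated row per finding: masked_key, service, status.
triage_blackapi() {
  awk '
    # Mask the key so the report does not re-leak the credential.
    function mask(k) {
      if (length(k) <= 10) return "**********"
      return substr(k, 1, 6) "..." substr(k, length(k) - 3)
    }
    # Assumption: the green highlight is an ANSI colour sequence; strip it.
    { gsub(/\033\[[0-9;]*m/, "") }
    /^\[\*\] PROBING KEY: / {
      key = $0
      sub(/^\[\*\] PROBING KEY: */, "", key)
      next
    }
    /^\[\+\] / {
      line = $0
      sub(/^\[\+\] /, "", line)
      n = index(line, ": ")
      if (n == 0 || key == "") next   # malformed line or finding before any key
      printf "%s\t%s\t%s\n", mask(key), substr(line, 1, n - 1), substr(line, n + 2)
    }
  '
}

# Constructed sample input, copied from the sample output shown above.
sample_scan() {
  cat <<'EOF'
[*] PROBING KEY: AIzaSyA-ExampleKey123
[+] Google Maps API: UNRESTRICTED
[+] YouTube Data API: ACCESSIBLE
------------------------------------------------------------
[*] PROBING KEY: AIzaSyB-ExampleKey456
[-] No critical vulnerabilities detected.
EOF
}

sample_scan | triage_blackapi
```

Keys with no `[+]` lines produce no rows, so the result lists only the credentials that need to be restricted or rotated.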
- Hacker: Jake Lo
- Assistant: Gemini
- Framework: BlackPentest Environment
This tool is intended for authorized penetration testing and educational purposes only. Unauthorized use of this tool against targets without prior written consent is illegal. The developers assume no liability and are not responsible for any misuse or damage caused by this program.