mapbox-token-disclosure: Mapbox Token Disclosure

日期: 2025-08-01 | 影响软件: Mapbox | POC: 已公开

漏洞描述

Mapbox secret token is exposed to external users.

PoC代码[已公开]

id: mapbox-token-disclosure

info:
  name: Mapbox Token Disclosure
  author: Devang-Solanki
  severity: medium
  description: Mapbox secret token is exposed to external users.
  reference:
    - https://docs.gitguardian.com/secrets-detection/detectors/specifics/mapbox_token
    - https://github.com/zricethezav/gitleaks/blob/master/cmd/generate/config/rules/mapbox.go
    - https://docs.mapbox.com/api/accounts/tokens/#token-format
    - https://docs.mapbox.com/help/getting-started/access-tokens/
  metadata:
    verified: true
    max-request: 2
  tags: token,exposure,mapbox,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: regex
        part: body
        name: token
        regex:
          - 'sk\.eyJ1Ijoi\w+\.[\w-]*'
        internal: true

  - raw:
      - |
        @Host: https://api.mapbox.com:443
        GET /geocoding/v5/mapbox.places/Los%20Angeles.json?access_token={{token}} HTTP/1.1
        Host: api.mapbox.com

    disable-path-automerge: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "type","query","features")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - token
# digest: 490a00463044022025230a7aaa2e300b0d78fe708b24246a75a7ca4d70baa4393b8bf7eec667cb2502202ed324e362dae65b8adbb1f0a55b5906c0c021a053d0bf736f21764840b2aaf7:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/exposures/tokens/mapbox/mapbox-token-disclosure.yaml

相关漏洞推荐