A web application that scans websites for potential API keys, secrets, and sensitive information leaks. This tool helps developers and security professionals identify and fix security vulnerabilities in their web applications.
Referenced Project: Key detection patterns inspired by Keyleaksecret.
- Scans web pages for common secret patterns (API keys, passwords, tokens, etc.)
- Checks response headers for sensitive information
- Validates security headers
- User-friendly web interface
- Real-time scanning results
- Categorizes findings by severity
-
Clone this repository:
git clone <repository-url> cd keyleak-detector
-
Create and activate a virtual environment (recommended):
python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate
-
Install the required dependencies:
pip install -r requirements.txt
-
Install Playwright browsers (required for scanning):
playwright install chromium playwright install-deps
-
Start the application:
-
Open your web browser and navigate to:
Note: The app runs on port 5002 instead of 5000 as port 5000 is commonly used by AirPlay on macOS.
-
Enter the URL you want to scan in the input field and click "Scan Now"
-
View the results, which will show any potential security issues found
The application uses a combination of browser automation and network traffic analysis to find secrets:
- Browser Automation: Uses Playwright to load the target website in a headless browser
- Network Monitoring: Intercepts HTTP requests and responses using mitmproxy
- Content Analysis: Analyzes JavaScript, HTML, headers, and dynamic content
- Pattern Matching: Uses regex patterns to detect various types of secrets
- Smart Filtering: Filters false positives using context-aware analysis
- Categorization: Groups findings by severity (Critical, High, Medium, Low)
The scanner detects 50+ types of sensitive information including:
Cloud Provider Credentials:
- AWS Access Keys & Secret Keys
- Google API Keys & OAuth Tokens
- Google Cloud Service Account Keys
- Google Vertex AI API Keys
- Firebase API Keys
- Heroku API Keys
Service Credentials:
- Stripe API Keys
- Slack Tokens
- GitHub Tokens & OAuth
- GitLab Tokens
- Mailgun, Mailchimp, Twilio API Keys
- npm Tokens
LLM/AI Inference Provider Keys:
- OpenAI API Keys (GPT-4, ChatGPT, etc.)
- Anthropic API Keys (Claude)
- Google Gemini & Vertex AI API Keys
- Hugging Face Tokens
- Cohere API Keys
- OpenRouter API Keys
- Replicate API Keys
- Together AI API Keys
- Perplexity AI API Keys
- Mistral AI API Keys
- AI21 Labs API Keys
- Anyscale API Keys
- DeepInfra API Keys
- Groq API Keys
- Fireworks AI API Keys
Database Credentials:
- MongoDB, PostgreSQL, MySQL, Redis connection strings
- SQL Server connection strings
Authentication:
- JWT Tokens
- Bearer Tokens
- OAuth Tokens
- Session Tokens
- Basic Auth credentials
- API Keys
Sensitive Data:
- Private SSH Keys
- Credit Card Numbers
- Social Security Numbers
- Email Addresses
- Phone Numbers
Other:
- Webhook URLs
- Callback URLs
- Hardcoded passwords
- Encrypted credentials in JavaScript
When the scanner detects potential secrets, it provides:
- Severity classification (Critical, High, Medium, Low)
- Context information showing where the secret was found
- Actionable recommendations for remediation
- Best practices for secure credential management
FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY
This tool is provided for educational purposes and authorized security testing only. By using this software, you agree to the following:
- You may ONLY scan websites and applications that you own or have explicit written permission to test
- Unauthorized scanning of third-party websites may be illegal in your jurisdiction
- The authors and contributors are NOT responsible for any misuse or damage caused by this tool
- Users are solely responsible for ensuring compliance with all applicable laws and regulations
- This tool is provided "AS IS" without warranty of any kind, express or implied
- The authors assume NO liability for any consequences resulting from the use or misuse of this software
By using KeyLeak Detector, you acknowledge that you have read, understood, and agreed to these terms. If you do not agree, do not use this tool.
- ✅ DO scan your own websites and applications
- ✅ DO scan websites where you have explicit written authorization
- ✅ DO use for security research with proper permissions
- ✅ DO use for educational purposes in controlled environments
- ❌ DON'T scan websites without explicit permission
- ❌ DON'T use for malicious purposes
- ❌ DON'T share or exploit found credentials
- Always obtain written permission before scanning any system
- Handle scan results securely and responsibly
- If you find valid credentials, rotate them immediately
- Report findings through responsible disclosure programs
- Be cautious when scanning production environments
- Understand and comply with applicable laws in your jurisdiction
THE AUTHORS AND CONTRIBUTORS OF THIS SOFTWARE DISCLAIM ALL LIABILITY FOR ANY MISUSE, DAMAGES, OR LEGAL CONSEQUENCES ARISING FROM THE USE OF THIS TOOL. USERS ASSUME FULL RESPONSIBILITY FOR THEIR ACTIONS.
Contributions are welcome! Please feel free to:
- Fork the repository: https://github.com/Amal-David/keyleak-detector
- Create a feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Found a bug or have a feature request? Please open an issue on GitHub: https://github.com/Amal-David/keyleak-detector/issues
This project is licensed under the MIT License - see the LICENSE file for details.
Created and maintained by Amal David