If the command below returns missing_text_or_fallback_or_attachments, the URL is valid; any other response means the URL is invalid.
curl -s -X POST -H "Content-type: application/json" -d '{"text":""}' "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
Obtain ID token and refresh token from custom token and API key:
curl -s -XPOST -H 'content-type: application/json' -d '{"token":":custom_token","returnSecureToken":true}' 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=:api_key'
Exchange ID token for auth token:
curl -s -XPOST -H 'content-type: application/json' -d '{"idToken":":id_token"}' 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyCustomToken?key=:api_key'
SSH private keys can be tested against github.com to see if they are registered against an existing user account. If the key exists, the username corresponding to the key will be provided.
$ ssh -i <path to SSH private key> -T git@github.com
Hi <username>! You've successfully authenticated, but GitHub does not provide shell access.
The permissions of AWS credentials can be determined using Enumerate-IAM. This gives a broader view of the discovered AWS credentials' privileges instead of just checking S3 buckets.
git clone https://github.com/andresriancho/enumerate-iam
cd enumerate-iam
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
curl -v -u user@yourcompany.com:test -X GET 'https://domain.freshdesk.com/api/v2/groups/1'
This requires the API key in place of 'user@yourcompany.com', 'test' as the password, and 'domain.freshdesk.com' set to the instance URL of the target. If you get a 403, try the endpoint api/v2/tickets, which is accessible for all keys.
The following PowerShell can be used to test a Shared Access Signature Token:
// Namespaces of the legacy WindowsAzure.Storage client library that provide the types used below.
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;
using Microsoft.WindowsAzure.Storage.Shared.Protocol;

static void UseAccountSAS(string sasToken)
{
    // Create new storage credentials using the SAS token.
    StorageCredentials accountSAS = new StorageCredentials(sasToken);
    // Use these credentials and the account name to create a Blob service client.
    CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "account-name", endpointSuffix: null, useHttps: true);
    CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();

    // Now set the service properties for the Blob client created with the SAS.
    blobClientWithSAS.SetServiceProperties(new ServiceProperties()
    {
        HourMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        MinuteMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        Logging = new LoggingProperties()
        {
            LoggingOperations = LoggingOperations.All,
            RetentionDays = 14,
            Version = "1.0"
        }
    });

    // The permissions granted by the account SAS also permit you to retrieve service properties.
    ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();
    Console.WriteLine(serviceProperties.HourMetrics.MetricsLevel);
    Console.WriteLine(serviceProperties.HourMetrics.RetentionDays);
    Console.WriteLine(serviceProperties.HourMetrics.Version);
}
Mapbox secret keys start with sk; the rest start with pk (public token), sk (secret token), or tk (temporary token).
curl "https://api.mapbox.com/geocoding/v5/mapbox.places/Los%20Angeles.json?access_token=ACCESS_TOKEN"
#Check token validity
curl "https://api.mapbox.com/tokens/v2?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
#Get list of all tokens associated with an account. (only works if the token is a Secret Token (sk), and has the appropriate scope)
curl "https://api.mapbox.com/tokens/v2/MAPBOX_USERNAME_HERE?access_token=YOUR_MAPBOX_ACCESS_TOKEN"
Be cautious when running this command, since the payload might execute within an administrative environment, depending on which index's highlightPreTag you are editing. It's recommended to use a more silent payload (such as XSS Hunter) to prove the possible cross-site scripting attack.
In case of success you'll see the access token printed in the terminal. Please note that after verifying that the credentials are actually valid you may want to enumerate the permissions of these credentials, which is another story.
Keep the colon at the end of the token to prevent cURL from requesting a password.
The token is always in the following format: sk_live_24charshere, where the 24charshere part contains 24 characters from a-z A-Z 0-9. There is also a test key, which starts with sk_test, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive information. The live key, on the other hand, can be used to extract/retrieve a lot of info — ranging from charges to the complete product list.
Keep in mind that you will never be able to get the full credit card information since Stripe only gives you the last 4 digits.
You'll get the username in the response in case of success, 401 Unauthorized if the token doesn't exist, and 403 Forbidden if your IP address is not whitelisted.
An NPM token can be CIDR-whitelisted, so if you use the token from a non-whitelisted CIDR you'll get 403 Forbidden in response. Try to verify the NPM token from different IP ranges!
Note: Keep the colon at the end of the token to prevent cURL from requesting a password.
Info: The token is always in the following format: sk_live_34charshere, where the 34charshere part contains 34 characters from a-z A-Z 0-9. There is also a test key, which starts with sk_test, but this key is worthless since it is only used for testing purposes and most likely doesn't contain any sensitive info. The live key, on the other hand, can be used to extract/retrieve a lot of info, ranging from charges to the complete product list. Keep in mind that you will never be able to get the full credit card information since Stripe only gives you the last 4 digits.
More info / complete docs: https://stripe.com/docs/api/authentication
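For teams scanning their own repositories, the Stripe key format described above can drive a pre-commit or CI check that flags leaked keys and ranks live keys above test keys. This is an added example, not code from the original page; it assumes the format as the page states it (sk_live_/sk_test_ followed by 24 or 34 alphanumeric characters, since both lengths are given), and the function names and sample text are constructed for illustration.

```python
import re

# Assumption: key format as described on this page, i.e. sk_live_ / sk_test_
# followed by 24 or 34 characters from a-z A-Z 0-9 (the page gives both lengths).
STRIPE_KEY = re.compile(
    r"(?<![A-Za-z0-9_])sk_(live|test)_"
    r"(?:[A-Za-z0-9]{34}|[A-Za-z0-9]{24})(?![A-Za-z0-9])"
)

def redact(key: str) -> str:
    """Keep the prefix and the last 4 characters so a finding can be matched
    to a key in the dashboard without copying the secret into reports."""
    return f"{key[:8]}{'*' * (len(key) - 12)}{key[-4:]}"

def scan(text: str, source: str = "<input>"):
    """Return one finding per Stripe secret key found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in STRIPE_KEY.finditer(line):
            mode = m.group(1)
            findings.append({
                "source": source,
                "line": lineno,
                "mode": mode,
                # Live keys expose real account data; test keys are low value.
                "severity": "critical" if mode == "live" else "low",
                "key": redact(m.group(0)),
            })
    # Most urgent first, so live keys are rotated before anything else.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", f["line"]))

# Constructed sample input: the keys are built from repeated filler, not real.
SAMPLE = "\n".join([
    "STRIPE_TEST=sk_test_" + "a1B2" * 6,               # 24 chars, test key
    "# payment settings",
    "stripe.api_key = 'sk_live_" + "Zz09" * 6 + "'",   # 24 chars, live key
    "token = 'sk_live_tooShort123'",                   # wrong length: ignored
    "ALT=sk_live_" + "Qw3r" * 8 + "Xy",                # 34 chars, live key
])

if __name__ == "__main__":
    for finding in scan(SAMPLE, "settings.py"):
        print(finding)
```

Any live-key finding should be treated as compromised and rolled in the Stripe dashboard, regardless of whether the commit was ever pushed.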
In order to check recordKey validity you'll need the projectId, which is a public value that can usually be found in the cypress.json file. Replace {recordKey} and {projectId} in the JSON body with your values.
Yes, this request needs to be that big. It'll return 200 OK with some information about the run if both projectId and recordKey are valid, 404 Not Found with {"message":"Project not found. Invalid projectId."} if projectId is invalid, or 401 Unauthorized with {"message":"Invalid Record Key."} if recordKey is invalid.
An example of a projectId is 1yxykz and an example of a recordKey is a216e7b4-4819-4713-b9c2-c5da60a1c48c.
The response is a zipped archive of JSON files, with potentially multiple files per hour. Note that events prior to 2014-11-12 will be grouped by day instead of by the hour. If you request data for a time range during which no data has been collected for the project, then you will receive a 404 response from the server.
curl -X POST \
'https://api.weglot.com/translate?api_key=my_api_key' \
-H 'Content-Type: application/json' \
-d '{
"l_from":"en",
"l_to":"fr",
"request_url":"https://www.website.com/",
"words":[
{"w":"This is a blue car", "t": 1},
{"w":"This is a black car", "t": 1}
]
}'