A demo showing how to harvest credentials from Zapier


mbrg/zapcreds


ZapCreds is a recon tool that harvests credentials from Zapier.

Given a Zapier user, ZapCreds will scan every Zapier account the user has access to and will retrieve private connections owned by this user and shared connections the user has access to.

Disclaimer: these materials are presented from an attacker’s perspective with the goal of raising awareness of the risks of underestimating the security impact of No Code/Low Code. No Code/Low Code is awesome.

Output example

| account_name | app_name | app_icon | connection_created | connection_title | connection_owner |
| --- | --- | --- | --- | --- | --- |
| Marketing | Dropbox | Dropbox | 2021-06-06T10:54:52Z | Dropbox johnw@gmail.com | John.Webb@mycompany.com |
| Marketing | Gmail | Gmail | 2021-06-06T10:00:14Z | Gmail Bobby.Atkinson@mycompany.com | Bobby.Atkinson@mycompany.com |
| Marketing | Gmail | Gmail | 2021-06-06T07:53:42Z | Gmail Lola.Burton@mycompany.com #2 | Lola.Burton@mycompany.com |
| Marketing | Google Calendar | Google Calendar | 2022-01-25T21:08:48Z | Google Calendar johnw@gmail.com | John.Webb@mycompany.co |
| Marketing | Google Drive | Google Drive | 2022-01-26T11:10:41Z | Google Drive Bobby.Atkinson@mycompany.com | Bobby.Atkinson@mycompany.com |
| SalesOps | Google Sheets | Google Sheets | 2022-02-20T09:20:15Z | Google Sheets Sariah.Cote@mycompany.com | Sariah.Cote@mycompany.com |
| SalesOps | OneNote | OneNote | 2022-03-03T09:18:36Z | OneNote gibsonm@outlook.com #2 | Mia.Gibson@mycompany.com |

Usage

Install

```bash
git clone https://github.com/mbrg/zapcreds
cd zapcreds
# use python>=3.6
python -m pip install .
```

Examples

Command line

```bash
zapcreds --email John.Webb@mycompany.com --password password -out found_creds.csv
```

Python

```python
import requests
from zapcreds.harvest import authenticate_session, get_credentials

session = requests.Session()
authenticate_session(session, "John.Webb@mycompany.com", "password")
creds = get_credentials(session)
print(creds.columns)
# Index(['account_name', 'account_owner', 'app_name', 'app_version', 'app_icon', 'connection_created', 'connection_title', 'connection_description', 'connection_owner'],
```
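For reviewing a run from the defender's side, the following added example (not part of the zapcreds project) triages a CSV in the column layout shown under "Output example". It flags connections owned by someone other than the scanned user and connections whose title names a non-corporate identity. The sample rows are constructed from the README's table, and `triage`, its finding labels, and the assumption that `connection_title` embeds the connected account's address are illustrative.

```python
import csv
import io
import re

# Constructed sample: a subset of the README's output columns, with rows
# modelled on its table (the Google Drive row is invented as a clean case).
SAMPLE_CSV = """account_name,app_name,connection_created,connection_title,connection_owner
Marketing,Dropbox,2021-06-06T10:54:52Z,Dropbox johnw@gmail.com,John.Webb@mycompany.com
Marketing,Google Drive,2022-01-26T11:10:41Z,Google Drive John.Webb@mycompany.com,John.Webb@mycompany.com
Marketing,Gmail,2021-06-06T10:00:14Z,Gmail Bobby.Atkinson@mycompany.com,Bobby.Atkinson@mycompany.com
SalesOps,Google Sheets,2022-02-20T09:20:15Z,Google Sheets Sariah.Cote@mycompany.com,Sariah.Cote@mycompany.com
SalesOps,OneNote,2022-03-03T09:18:36Z,OneNote gibsonm@outlook.com #2,Mia.Gibson@mycompany.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def triage(csv_text, scanned_user, corp_domain):
    """Return [(row, findings)] for every connection that needs review."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        owner = row["connection_owner"].strip()
        # Owned by someone else yet visible to the scanned user: that user's
        # Zaps can act with the owner's authorisation in the connected app.
        if owner.lower() != scanned_user.lower():
            findings.append("shared-from-other-owner")
        # Assumption: the title embeds the connected account's e-mail address.
        match = EMAIL_RE.search(row["connection_title"])
        if match and domain(match.group()) != corp_domain.lower():
            findings.append("non-corporate-identity:" + domain(match.group()))
        if findings:
            flagged.append((row, findings))
    return flagged


if __name__ == "__main__":
    hits = triage(SAMPLE_CSV, "John.Webb@mycompany.com", "mycompany.com")
    for row, findings in hits:
        print(row["account_name"], row["app_name"], row["connection_owner"], findings)
```

Extra columns in a real output file are ignored, since the function reads only `connection_owner` and `connection_title` by name.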

Contributing

Pull requests and issues are always welcome.
