id: pinata-keys-exposed

info:
  name: Pinata API Secrets Exposed
  author: kaks3c
  severity: high
  reference: https://github.com/karkis3c/bugbounty/blob/main/poc/pinata-api-key.md

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: word
        words:
          - "pinata_api_secret"
          - "pinata_api_key"
        condition: and
        case-insensitive: true

    extractors:
      - type: regex
        part: body
        regex:
          - "(?i)pinata_api_key\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-]+)[\"']?"
          - "(?i)pinata_api_secret\\s*[:=]\\s*[\"']?([a-zA-Z0-9_\\-]+)[\"']?"
        group: 1