#Dora #Find #Exposed #API #Keys #Based #RegEx #Exploitation #Methods

Dora, a tool to Find Exposed API Keys Based On RegEx And Get Exploitation Methods For Some Of Keys That Are Found


  • Blazing fast as we are using ripgrep in backend
  • Exploit/PoC steps for many of the API key, allowing to write a good report for bug bounty hunting
  • Unlike many other API key finders, dora also shows the path to the file and the line with context for easier analysis
  • Can easily be implemented into scripts. See Example Use Cases


Make sure to install ripgrep

clone the repo
git clone https://github.com/sdushantha/dora.git
change the working directory to sherlock
cd dora
install dora
python3 setup.py install –user


$ dora –help
usage: dora [options]
positional arguments:
PATH Path to directory or file to scan
optional arguments:
-h, –help show this help message and exit
–rg-path RG_PATH Specify path to ripgrep
–rg-arguments RG_ARGUMENTS
Arguments you want to provide to ripgrep
–json JSON Load regex data from a valid JSON file (default: db/data.json)
–verbose, -v, –debug, -d
Display extra debugging information
–no-color Don’t show color in terminal output

Example Use Cases

  • Decompile an APK using apktool and run dora to find exposed API keys
  • Scan GitHub repos by cloning it and allowing dora to scan it
  • While scraping sites, run dora to scan for API keys



ahmedaljanahy Creative Designer @al.janahy Founder of @inkhost I hope to stay passionate in what I doing

Leave a Reply

Your email address will not be published. Required fields are marked *