# Week 14 - Algolia API Keys

## Algolia API Misconfiguration

Today’s week 14 tip is centered around Algolia API hacking. In doing some research this week, I came across this vulnerability which I was previously unaware of:

Algolia APIs are simple REST APIs that identify a client by an Application ID (AppID) and an API key. Both are intended to be public: they are embedded in client-side code and are visible to anyone using a proxy tool like Burp Suite. An attacker can directly retrieve the permissions of an API key using the link below:

`https://`**`APPID`**`-dsn.algolia.net/1/keys/`**`APIKEY`**`?x-algolia-application-id=`**`APPID`**`&x-algolia-api-key=`**`APIKEY`**

After filling in your client's **APPID** and **APIKEY**, this link returns the key's permissions as JSON. Often, the keys are misconfigured. If they are set up correctly, they should only have the ‘search’ permission. MANY times, they have other permissions like:

1. listIndexes -> Get list of all existing indexes -> Information disclosure
2. editSettings -> Update index settings -> Allows for stored XSS
3. addObject -> Add or update records -> Could be used for defacement
4. logs -> Query the logs -> Information disclosure

As you can see, the impact of misconfigured Algolia API keys can be huge. The ‘listIndexes’ permission often results in the disclosure of internal company data stored within an Algolia index. The ‘editSettings’ permission is the worst case, as it allows an attacker to specify a JavaScript payload that is executed every time a search is called.

![SRC: https://www.secjuice.com/api-misconfiguration-data-breach/](/files/OFaeN6d9c0GYP0KkVGyw)
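The following audit script is an added example, not code from the original tip: it builds the key-permissions URL from the post for a given AppID and key, and checks a key-info response for any permission beyond ‘search’, flagging the four over-privileged ACLs listed above. It assumes the JSON returned by that endpoint carries the permissions in an `acl` list; the sample response is constructed here, and `EXAMPLEAPPID` / `EXAMPLE_SEARCH_KEY` are placeholders.

```python
"""Audit the ACL of a public Algolia search key (added example, not from the post).

Assumes the key-info JSON returned by the link in the post carries the key's
permissions in an ``acl`` list of strings.
"""
import json
from urllib.parse import urlencode

# Permissions the post singles out as over-privileged for a client-side key,
# mapped to the impact it describes.
RISKY_ACLS = {
    "listIndexes": "information disclosure (enumerate all indexes)",
    "editSettings": "stored XSS via index settings",
    "addObject": "defacement (add or update records)",
    "logs": "information disclosure (query the logs)",
}
# The only permission a correctly configured client-side key should carry.
EXPECTED_ACLS = {"search"}


def key_info_url(app_id: str, api_key: str) -> str:
    """Build the key-permissions URL from the post for a given AppID and key."""
    query = urlencode({"x-algolia-application-id": app_id, "x-algolia-api-key": api_key})
    return f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}?{query}"


def assess_key(key_json: str) -> dict:
    """Return a verdict for one key-info response: is anything beyond 'search' granted?"""
    acl = set(json.loads(key_json).get("acl", []))
    extra = sorted(acl - EXPECTED_ACLS)
    findings = {name: RISKY_ACLS[name] for name in extra if name in RISKY_ACLS}
    return {
        "misconfigured": bool(extra),
        "extra_acls": extra,    # every permission beyond 'search'
        "findings": findings,   # the ones the post describes, with their impact
    }


# Constructed sample response, shaped like the Algolia key-info JSON (placeholder values).
SAMPLE_RESPONSE = json.dumps({
    "value": "EXAMPLE_SEARCH_KEY",
    "acl": ["search", "listIndexes", "editSettings"],
    "validity": 0,
    "indexes": ["*"],
})

if __name__ == "__main__":
    print(key_info_url("EXAMPLEAPPID", "EXAMPLE_SEARCH_KEY"))
    print(json.dumps(assess_key(SAMPLE_RESPONSE), indent=2))
```

Run it against the JSON your own key returns from the link above; a `misconfigured` verdict with a non-empty `findings` map means the key needs to be replaced with a search-only one.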
