The API Secret Sprawl

How we discovered over 18,000 API secret tokens by analyzing 1 million domains on the web
Download report
Header imageArrow

Our methodology

Focus on real world scenarios

Custom security rules icon

Escape’s web crawler analyzed applications in their actual usage scenarios, examining everything from APIs to frontends, including elements that run in the background like JavaScript.

This approach shows how and where API secret keys and tokens are exposed in real-world settings, not only in code repositories.

Our data collection process was a significant undertaking, both in terms of scale and technical complexity. To manage this, we deployed our containerized web spider on a Kubernetes cluster. The cluster was capable of scaling up to 150 concurrent worker instances.

The collection spanned over 69 hours, with our system analyzing an average of 4 domains per second.

In total, our process led us to visit 189,466,870 URLs. This extensive coverage was key to ensuring that our analysis was as thorough and inclusive as possible.

By examining such a large number of URLs, we were able to gain deep insights into the current state of secret sprawl across a wide spectrum of the internet.

Our scanning process

Discover our findings

Including OpenAI and Javascript packing trends
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Agentless API Discovery & API Security for rapidly scaling companies
Book a live demo
Product Use Cases
Ensure API security at scale
Shift left with continous security in CI/CD
Get full security observability
Integrate security into your workflows
Find business logic flaws before production
Simplify compliance management
Deploy Developer-focused remediation
Company
About
We're hiring
Resources
Blog
Case studies
Docs
API Security Academy
API Security Checklist
The Elephant in AppSec Podcast
State of GraphQL Security 2024
State of Public APIs 2023
GraphQL Security
GraphQL Armor
ChatGPT Security
Connect
Book a live demo
Contact us
Slack support
Escape vs Competitors
Escape vs Noname Security
Escape vs Salt Security
Escape vs Rapid7
Escape vs Invicti
Legal
Privacy policy
Terms of service
© 2023 Escape. Made with ❤️, 🥖 and ☕ in San Francisco, Paris and Biarritz.