A powerful secret scanner for HTTP responses
API Keys • Tokens • Credentials • Misconfigurations
$ ./urleaker -h
usage: urleaker [-h] -f FILE [-sv SEVERITIES] [-api] [-t] [-cr] [-k] [-g]
[-html] [-c CONCURRENT] [-s] [-nc]
URLeaker - By HunterDep ^^
options:
-h, --help show this help message and exit
-f FILE, --file FILE Put file to scan. Ex: -f urls-js.txt
-sv SEVERITIES, --severities SEVERITIES
Choice severities to scan (-sv
unknown,low,medium,high,critical)
-api, --api Find APIKeys (Google, AWS, Firebase, etc)
-t, --tokens Find Tokens (Discord, Slack, Github, etc)
-cr, --credentials Find Credentials (Email, passowrds, etc)
-k, --keys Find private key
-g, --generic Find generic API Key
-html, --html Find intersting object html
-c CONCURRENT, --concurrent CONCURRENT
Number of concurrent threads (default: 20)
-s, --silent Skip banner mode -nc, --no_color Remove colors from output
$ █
git clone https://github.com/yHunterDep/urleaker
cd urleaker
chmod +x urleaker./urleaker -f urls.txt./urleaker -f urls.txt./urleaker -f urls.txt -api./urleaker -f urls.txt -t./urleaker -f urls.txt -cr./urleaker -f urls.txt -sv high,critical./urleaker -f urls.txt -sv low,medium./urleaker -f urls.txt -t -api./urleaker -f urls.txt -c 50./urleaker -f urls.txt -s./urleaker -f urls.txt -nc- 🌐 Scans any HTTP response body (not limited to JS)
- 🔑 API Key detection (AWS, Google, Stripe, etc)
- 🔐 Token leaks (Discord, GitHub, Slack, JWT)
- 📧 Credentials (emails, passwords, FTP)
- 🔒 Private keys detection
- 🧩 Generic secrets & misconfig patterns
- ⚡ Multithreaded scanning
- 🎯 Severity filtering (low → critical)
https://example.com/app.js
https://target.com/api
https://site.com/index.html[AWS_SECRET_KEY] (high) [https://target.com/api] [ABCD1234...]
[DISCORD_TOKEN] (critical) [https://target.com/script.js] [MTIzNDU2...]
[EMAIL] (info) [https://target.com/page] [admin@example.com]This tool is for educational purposes and authorized security testing only.
Do not use against targets without permission.
HunterDep
https://github.com/yHunterDep