Algopwn
Algopwn is an interactive Python tool for security researchers and bug-bounty hunters to audit Algolia API keys. It detects ACLs, distinguishes read-only vs sensitive permissions, enumerates indexes, and — with explicit confirmation — performs a controlled PoC and prints a verification URL. Built for responsible use only.
Algopwn — Algolia API Key Analyzer & (authorized) Exploiter
Algopwn helps security practitioners quickly assess Algolia API key exposures. The tool prompts for App ID and API key, fetches key metadata and ACLs, and classifies keys as informative (read-only) or sensitive (modifiable). For sensitive keys, Algopwn lists indexes, fetches index data and settings, and — only after interactive confirmation — can apply a reversible PoC update and print a copy-paste verification URL.
⚠️ Important: Only use Algopwn against applications you own or have explicit written permission to test (bug bounty scope, pentest engagement, etc.). Misuse may be illegal and unethical.
Features
- Prompt-based interactive workflow (no required CLI args).
- Fetches key metadata and ACLs from Algolia.
- Distinguishes informative (read-only) ACLs vs sensitive (modify/delete) ACLs.
- If sensitive ACLs are present, lists indexes and allows you to:
  - fetch index data (single index),
  - fetch index settings,
  - optionally update highlightPreTag to a PoC value (e.g., "hacked").
- Prints a copy-paste PoC verification URL after a successful update.
- Colorised terminal output for readability.
- Small, dependency-light: uses requests and colorama.
Installation
- Clone the repo:
  git clone https://github.com/Suryesh/Algopwn.git
  cd Algopwn
- Install dependencies:
  pip install requests colorama
Help
python3 algopwn.py -h

⚠️ Important: You need to change one line of code before using this tool:
Line number 82: payload = {"highlightPreTag": "Hacked by Suryesh"}
- Replace the highlightPreTag value with your own name, i.e., {"highlightPreTag": "Hacked by (yourname-xyz)"}
Usage
- Run the script python3 algopwn.py and follow the prompts:
  - Enter the Algolia App ID and API key when prompted.
- The tool prints key info (JSON), then:
  - If the key is informative only (e.g., search, listIndexes, settings), the tool reports this and exits.
  - If the key is sensitive (e.g., editSettings, addObject, deleteIndex), the tool asks if you want to proceed with exploitation steps.
- If you choose to proceed, you can pick an index, view its data/settings, and confirm an update. After updating, a PoC URL is printed.

python3 algopwn.py
_ _ ___
/_\ | | __ _ ___ / _ \__ ___ __
//_\\| |/ _` |/ _ \ / /_)/\ \ /\ / / '_ \
/ _ \ | (_| | (_) / ___/ \ V V /| | | |
\_/ \_/_|\__, |\___/\/ \_/\_/ |_| |_|
|___/
Algolia API Key Exploiter by Suryesh
You can follow me on Twitter/X: https://x.com/Suryesh_92
Subscribe to my Youtube Channel: https://www.youtube.com/@HackWithSuryesh
Enter Algolia Application ID: MH9A52MZTO
Enter Algolia API Key: 4d89644522b528406ec821a713da60fe
{ "info": { ... } }
This key only has ['search'] permissions. So, it is Informative only.
If a sensitive key is detected:
This key has sensitive ACLs: ['editSettings', 'deleteObject', etc.]
Do you want to proceed with exploitation? (y/n): y
Indexes available:
1. products_v1
2. users_public
Enter the index name to work with: products_v1
[fetch data]
[fetch settings]
Do you want to update this index's settings with payload (highlightPreTag=Hacked by Suryesh)? (y/n): y
[+] Update Response: {...}
[+] PoC Verification URL:
https://MH9A52MZTO-dsn.algolia.net/1/indexes/products_v1/settings?x-algolia-application-id=MH9A52MZTO&x-algolia-api-key=4d896...
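The informative-vs-sensitive decision shown in the session above, written out as a small offline triage script. This is an added example, not Algopwn's own code: it takes the key metadata in the shape Algolia's "get API key" endpoint returns (the `acl`, `indexes` and `validity` fields are assumed from that response format), classifies the ACLs the way the README describes, and turns the result into defender findings (rotate, restrict scope, set an expiry). The sample key records are constructed; the ACL names `browse`, `analytics` and `logs` are real Algolia ACLs added to the read-only set as an assumption, and `key_info_request` only builds the request (same `-dsn.algolia.net` host pattern as the verification URL above) so the script runs without network access.

```python
"""Triage an Algolia API key's ACLs: informative (read-only) vs sensitive.

Added example in the spirit of the Algopwn workflow; not the tool's own code.
"""
from __future__ import annotations

# ACLs the README treats as informative. "browse", "analytics" and "logs" are
# real Algolia ACL names added here as an assumption about read-only scope.
INFORMATIVE_ACLS = frozenset(
    {"search", "browse", "listIndexes", "settings", "analytics", "logs"}
)
# ACLs that allow modifying data or settings; any one of these makes the key
# sensitive. All four are named in the README.
SENSITIVE_ACLS = frozenset({"addObject", "deleteObject", "deleteIndex", "editSettings"})

# Constructed sample records in the shape of Algolia's GET /1/keys/{key}
# response (assumed fields: acl, indexes, validity). Values are made up.
SAMPLE_SEARCH_ONLY_KEY = {
    "value": "REDACTED-SEARCH-KEY",
    "acl": ["search"],
    "validity": 0,            # 0 = never expires
    "indexes": ["products_v1"],
}
SAMPLE_WRITE_KEY = {
    "value": "REDACTED-WRITE-KEY",
    "acl": ["search", "editSettings", "deleteObject"],
    "validity": 0,
    "indexes": [],            # empty = every index in the application
}


def classify_acls(acls: list[str]) -> dict:
    """Split an ACL list into informative, sensitive and unrecognised entries."""
    informative = sorted(a for a in acls if a in INFORMATIVE_ACLS)
    sensitive = sorted(a for a in acls if a in SENSITIVE_ACLS)
    unknown = sorted(a for a in acls if a not in INFORMATIVE_ACLS | SENSITIVE_ACLS)
    return {
        "informative": informative,
        "sensitive": sensitive,
        "unknown": unknown,
        # One sensitive ACL is enough: the key can change what users see.
        "verdict": "sensitive" if sensitive else "informative",
    }


def audit_key(key_info: dict) -> dict:
    """Return the verdict plus the remediation findings a key owner should act on."""
    result = classify_acls(key_info.get("acl", []))
    findings: list[str] = []
    if result["sensitive"]:
        findings.append(
            "rotate: key can modify data/settings (%s)" % ", ".join(result["sensitive"])
        )
    if result["unknown"]:
        findings.append("review: unrecognised ACLs %s" % ", ".join(result["unknown"]))
    if not key_info.get("indexes"):
        findings.append("scope: key is not restricted to specific indexes")
    if key_info.get("validity", 0) == 0:
        findings.append("expiry: key never expires; prefer a time-limited key")
    return {"verdict": result["verdict"], "findings": findings}


def key_info_request(app_id: str, api_key: str) -> dict:
    """Build (but do not send) the request for the key's own metadata.

    Endpoint and header names are Algolia's; the host pattern matches the
    verification URL printed by the tool. Feed the result to requests.get
    when checking a key you are authorised to audit.
    """
    return {
        "url": f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}",
        "headers": {"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key},
    }


if __name__ == "__main__":
    for name, record in (("search-only", SAMPLE_SEARCH_ONLY_KEY), ("write", SAMPLE_WRITE_KEY)):
        report = audit_key(record)
        print(f"{name}: {report['verdict']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The read-only key still yields one finding (no expiry), which is the point of auditing rather than only classifying: a search key leaked in client-side JavaScript is expected, but a never-expiring write key that is not index-scoped is the combination that makes the settings-update PoC above possible, and rotation plus index restriction removes it.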
Video PoC:
<p align="center"> <a href="https://www.youtube.com/watch?v=DtSpnyILWd4" target="_blank"> <img src="https://img.youtube.com/vi/DtSpnyILWd4/hqdefault.jpg" alt="Algopwn PoC video" width="720"/> </a> </p>
References/Write-up:
You may follow my social media:
<p align="center"> <a href="https://x.com/Suryesh_92"><img src="https://img.shields.io/badge/Twitter-@Suryesh__92-blue?logo=twitter&logoColor=white" alt="Twitter"></a> <a href="https://www.youtube.com/@HackWithSuryesh"><img src="https://img.shields.io/badge/YouTube-Subscribe-red?logo=youtube&logoColor=white" alt="YouTube"></a> <a href="https://medium.com/@hackwithsuryesh"><img src="https://img.shields.io/badge/Medium-Blog-black?logo=medium&logoColor=white" alt="Medium"></a> <a href="https://instagram.com/suryesh_92"><img src="https://img.shields.io/badge/Instagram-Follow-pink?logo=instagram&logoColor=white" alt="Instagram"></a> <a href="https://www.linkedin.com/in/dhananjay-kumar-suryesh-535995220/"><img src="https://img.shields.io/badge/LinkedIn-Connect-blue?logo=linkedin&logoColor=white" alt="LinkedIn"></a> <a href="https://discord.com/invite/EfgnVNbh3N"><img src="https://img.shields.io/badge/Discord-Join-5865F2?logo=discord&logoColor=white" alt="Discord"></a> </p>
License
This project is licensed under the MIT License. See the file for details.
💰 You can help me by Donating
Disclaimer
This tool is intended for educational and ethical testing purposes only. Do not use it for any illegal or unauthorized activities. The author is not responsible for any misuse of this tool.