Google Dorking makes it easy to spot things like unsecured websites, exposed databases, and sensitive credentials that slipped through the cracks.
The more you know about crafting the right search, the easier it is to see just how important it is to lock down your data and tighten up your security practices. This guide explores how security professionals leverage search operators to find vulnerable data.
Domain and File-Type Specific Searches
Site-Specific Search
site:example.com confidential
- Purpose: Limits search results to a specific domain.
File-Type Search
filetype:pdf "company budget"
- Purpose: Finds specific file types.
Search Text in URL
inurl:admin
- Purpose: Searches for specific text in URLs.
Search Text in Title
intitle:"index of /"
- Purpose: Searches for specific text in page titles.
Sensitive Information Exposure
Password Exposure
site:example.com intext:password filetype:txt
- Purpose: Finds plaintext passwords or credentials.
Exposing Database Credentials
"DB_PASSWORD" filetype:env
- Purpose: Finds database passwords in environment configuration files.
Exposing Passwords in .bash_history
"password" filetype:bash_history
- Purpose: Finds passwords stored in bash history files.
Private Keys in PEM Files
"BEGIN RSA PRIVATE KEY" filetype:pem
- Purpose: Finds private keys in PEM files.
Passwords in Configuration Files
"password" filetype:config OR filetype:xml
- Purpose: Finds passwords stored in configuration files.
Exposing .htpasswd
Files
"htpasswd" filetype:htpasswd
- Purpose: Reveals
.htpasswd
files used for basic HTTP authentication.
Exposing Private Keys in PEM or PPK Files
"id_rsa" OR "id_dsa" filetype:pem OR filetype:ppk
- Purpose: Reveals SSH private keys in PEM or PPK files.
API & Cloud Service Keys
Finding API Keys in .env
Files
"api_key" OR "apikey" filetype:env
- Purpose: Finds exposed API keys in
.env
files.
AWS Access Keys
"aws_access_key_id" filetype:env OR filetype:json OR filetype:yaml
- Purpose: Locates AWS keys in environment or configuration files.
Heroku API Keys
"HEROKU_API_KEY" filetype:json OR filetype:shell
- Purpose: Finds Heroku API keys in configuration files.
Google Cloud Credentials
"type": "service_account" filetype:json
- Purpose: Finds Google Cloud service account keys.
Firebase Credentials
"FIREBASE_API_JSON" OR "firebaseio" filetype:json
- Purpose: Finds Firebase credentials in JSON files.
Exposing Configuration Files
Config File Leaks
site:example.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
- Purpose: Exposes configuration files with system details or credentials.
WordPress Configuration
"DB_PASSWORD" filetype:php "wp-config"
- Purpose: Finds WordPress configuration files containing database credentials.
Directories and Backup Files
Open Directories
intitle:"Index of" inurl:ftp
- Purpose: Reveals directories with unrestricted access to files.
Exposed Backup Files
site:example.com ext:bak | ext:old | ext:backup | ext:txt
- Purpose: Finds forgotten backup files.
Exposed .git Directories
site:example.com inurl:".git" -github.com -gitlab.com
- Purpose: Locates exposed .git directories.
Vulnerabilities in Web and Application Layers
Vulnerable Parameters
site:example.com inurl:php?id= | inurl:asp?id= | inurl:jsp?id=
- Purpose: Locates potentially vulnerable parameters.
Finding Exposed API Endpoints
site:example.com inurl:api | inurl:json | inurl:xml | inurl:swagger
- Purpose: Finds exposed API endpoints.
Locating Admin or Login Pages
site:example.com inurl:admin | inurl:login | inurl:signin | inurl:portal
- Purpose: Locates admin or login pages.
Discovering Subdomains
site:*.example.com -www
- Purpose: Finds subdomains of a given domain.
Locating Vulnerable JavaScript Files
site:example.com ext:js inurl:jquery
- Purpose: Finds potentially vulnerable JavaScript files.
Exposed Log Files
site:example.com ext:log | ext:txt intext:"error" | intext:"warning"
- Purpose: Locates exposed log files that may contain sensitive error or warning messages.
Database Credentials
Exposing SQL Dump Files
"password" filetype:sql "mysql dump"
- Purpose: Exposes SQL dump files containing MySQL credentials.
Database Usernames and Passwords in SQL Files
"db_password" OR "db_username" filetype:sql
- Purpose: Exposes database credentials in SQL dump files.
PostgreSQL Passwords in .pgpass
"pgpass" filetype:conf OR filetype:txt
- Purpose: Discover PostgreSQL credentials stored in
.pgpass
files.
Miscellaneous Sensitive Information
Exposing .git-credentials
"username" "password" filetype:git-credentials
- Purpose: Finds Git credentials stored in
.git-credentials
files.
Uncovering .npmrc
Authentication Tokens
"_auth" filetype:npmrc
- Purpose: Locates npm tokens used in
.npmrc
files.
Exposing .ftpconfig
"ftp" "password" filetype:ftpconfig
- Purpose: Finds FTP configuration files containing login details.
MongoDB Credentials in Config Files
"mongolab.com password" filetype:yaml OR filetype:json
- Purpose: Finds MongoDB credentials used in hosted services like MongoLab.
Advanced Search Refinement
Excluding Common Directories
"password" filetype:env -site:github.com -site:gitlab.com
- Purpose: Avoid results from GitHub and GitLab to reduce false positives.
Narrowing Down to Specific Domains
"aws_access_key_id" site:example.com
- Purpose: Focus Google Dorking on a specific domain or company.
Other resources
Looking for more? We recommend the following resources to read up on more Google Dorking techniques.
→ https://github.com/chr3st5an/Google-Dorking
→ https://github.com/Proviesec/google-dorks
Don’t forget to follow us on LinkedIn for more content!
https://linkedin.com/company/huntrix
To schedule a time to chat: