Special Google searches called “dorks” can be used to reveal sensitive data and identify targets for bug bounty hunting and penetration testing.
Cloud storage services like Amazon S3, Microsoft Azure Blob Storage, Google Cloud, and Google Drive can often contain sensitive information.
To find buckets and sensitive data, use the following dorks:
site:s3.amazonaws.com "example.com"
site:blob.core.windows.net "example.com"
site:googleapis.com "example.com"
site:drive.google.com "example.com"
Add terms like "confidential", "privileged", or "not for public release" to narrow your results.
To find Bug Bounty programs and Vulnerability Disclosure Programs (VDPs), use the following dork:
"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone"
Another use for Google Dorks is to find sites that use Content Management Systems (CMS). CMSs tend to have known vulnerabilities that can be exploited.
Google Dorks to find WordPress, Drupal, and Joomla sites for further testing:
inurl:/wp-admin/admin-ajax.php
intext:"Powered by" & intext:Drupal & inurl:user
site:*/joomla/login
XSS is a vulnerability class that allows an attacker to inject arbitrary JavaScript that is then executed by a victim’s browser.
Find parameters commonly vulnerable to XSS with this dork:
inurl:q= | inurl:s= | inurl:search= | inurl:query= inurl:& site:example.com
One of the most common web vulnerability classes is Open Redirect. This vulnerability allows attackers to redirect users to malicious websites.
To find parameters vulnerable to Open Redirects, try this dork:
inurl:url= | inurl:return= | inurl:next= | inurl:redir= inurl:http site:example.com
Once you find an open redirect vulnerability, try using javascript:alert() as the parameter value to escalate it to an XSS vulnerability.
It is also possible to combine open redirects with SSRF to bypass whitelists and access restricted resources.
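On the fixing side, a server-side check for the redirect parameters named above (url=, return=, next=, redir=), as an added example that is not part of the original post: it resolves the value the way a browser would and accepts only HTTPS targets on an allowlisted host, so javascript: values and off-site hosts fall back to "/". APP_ORIGIN, ALLOWED_HOSTS and safeRedirectTarget are hypothetical names.

```javascript
// Added example. APP_ORIGIN, ALLOWED_HOSTS and safeRedirectTarget are
// hypothetical names; adjust the allowlist to the application's real hosts.
const APP_ORIGIN = 'https://example.com';
const ALLOWED_HOSTS = new Set(['example.com', 'accounts.example.com']);
const FALLBACK = '/';

// Returns a safe target for a user-supplied redirect value, else FALLBACK.
function safeRedirectTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return FALLBACK;

  // Reject control characters and backslashes: browsers strip tabs/newlines
  // and treat "\" as "/", so "/\evil.test" would become "//evil.test".
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;

  let url;
  try {
    // Resolve relative values against our own origin, as a browser would.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }

  // Only https survives, which rules out javascript:, data: and similar.
  if (url.protocol !== 'https:') return FALLBACK;

  // Userinfo such as "https://example.com@evil.test" is never legitimate here.
  if (url.username || url.password) return FALLBACK;

  // url.host includes any non-default port, so example.com:8443 is not allowed.
  if (!ALLOWED_HOSTS.has(url.host)) return FALLBACK;

  // Same-origin targets go back as a path so scheme and host cannot drift.
  if (url.origin === APP_ORIGIN) return url.pathname + url.search + url.hash;
  return url.href;
}

// Constructed sample values for the url=/return=/next=/redir= parameters.
const samples = ['/account?tab=1', 'https://accounts.example.com/login',
  'javascript:alert()', '//evil.test/x', 'https://example.com@evil.test/'];
for (const s of samples) console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
```

Send the returned value, never the raw parameter, in the Location header.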
These are just a few examples of the many Google Dorks that can be used to augment your bug bounty hunting or pentesting. The list of Google Dorks is constantly growing, and it’s a good idea to keep up with the latest dorks and tools.
Keep in mind that using Google Dorks for malicious purposes is illegal and unethical. Use them for security testing and bug bounty hunting only.
Great Google Dork resources:
https://www.openbugbounty.org/blog/devl00p/top-100-xss-dorks