Hey there, fellow bug hunters and curious minds!

If you haven’t already, check out my article about the exciting journey of reconnaissance, the significant steps and essential tools.

Now, we will dive into one specific type of recon — Google dorking (for OSINT — Open Source Intelligence).

What is Google dorking?

At its core, Google dorking refers to the practice of using specific search queries (known as “dorks”) to uncover sensitive information and vulnerabilities in online systems. We need to strategically craft these search queries, and bypass the traditional search results, and then access hidden or unprotected data. This is usually not available on a website (not intended for public viewing). Google dorking is one of the most effective way of finding sensitive information of any website.

Let us uncover some hidden end-points and sensitive data like a pro.

Start simply:

Start with “site:<domain>”. This returns a list of all indexed URLs from the specified domain. The second example below searches for any “help” related content from all the “.com” websites.

site:target.com
site:.com "help"

Using cache:

This returns the cached version of a website. This is the same as clicking on the “Cached” link on Google’s main results page.

cache:target.com

inurl:

This will restrict the results to the documents containing that word in the url. Put simply, it searches for the word in the URL. The below example queries for all the URLs containing target.php. Another operator is “allinurl” — This returns the results whose URL contains all the specified characters.

inurl:"admin"
allinurl:target.php

intext:

This locates the web pages that contain certain characters or strings inside the text.

intext:"index of /" site:target.com

I will further provide a list of google dork search queries to be used in the recon phase.