Google Dorking

Google dorking is a passive reconnaissance method that uses Google search operators to discover public pages and files that help you map the target, such as admin panels, exposed directories, API documentation, JavaScript files, and older archived content.

It is mainly used to:

Expand endpoint discovery
Find useful files and documentation
Identify extra subdomains and environments
Collect URLs before active enumeration

What You Actually Need

Operator

Meaning

Example

site:

Limit results to a domain

site:example.com

inurl:

Match words in the URL

inurl:admin

intitle:

Match words in page title

intitle:"login"

ext:

Match a file extension

ext:pdf

"..."

Exact match

"reset password"

OR

Search alternatives

login OR signin

-

Exclude a keyword

-blog

()

Group logic

(admin OR dashboard)

Scoping

Use scoping first so you don’t waste time on unrelated results.

Main domain only

site:example.com

Include subdomains

site:*.example.com

Remove noise

site:example.com -inurl:blog -inurl:support -inurl:docs

This helps you locate panels, portals, dashboards, and authentication entry points.

Common login keywords

site:example.com (inurl:login OR inurl:signin OR inurl:auth)

Admin and management pages

site:example.com (inurl:admin OR inurl:dashboard OR inurl:panel)

Title-based matches

site:example.com (intitle:"sign in" OR intitle:"admin")

Finding Open Directories ("index of")

Sometimes Google indexes open directory listings which can expose files.

site:example.com intitle:"index of"

To narrow results:

site:example.com intitle:"index of" (backup OR uploads OR logs)

Finding Files That Help Recon

This category is about finding files that reveal endpoints, configs, or internal structure.

Backups and archives

site:example.com (ext:zip OR ext:tar OR ext:gz OR ext:rar OR ext:7z OR ext:bak OR ext:old)

Configuration formats

site:example.com (ext:env OR ext:ini OR ext:yml OR ext:yaml OR ext:json OR ext:xml)

Logs and exports

site:example.com (ext:log OR ext:sql OR ext:csv OR ext:xls OR ext:xlsx)

API Discovery Through Search

This helps you locate API endpoints and documentation pages.

API paths

site:example.com inurl:/api/

Common API docs

site:example.com (inurl:swagger OR inurl:swagger-ui OR inurl:openapi OR inurl:api-docs)

GraphQL pages

site:example.com (inurl:graphql OR inurl:graphiql)

JavaScript Recon

JavaScript is frequently indexed and often reveals:

API base URLs
internal paths
service names
external integrations

Find JS files

site:example.com ext:js

Find source maps

site:example.com ext:map
site:example.com "sourceMappingURL"

Keyword hunting inside indexed JS

site:example.com ext:js ("api" OR "token" OR "key" OR "endpoint")

Repository and Development Artifacts

These results help identify the stack and project layout.

site:example.com (".git" OR ".svn" OR "package.json" OR "composer.json" OR "yarn.lock")

Documents (PDF / Office Files)

Documents can contain:

internal naming
usernames/emails
environment references
system descriptions

site:example.com (ext:pdf OR ext:doc OR ext:docx OR ext:ppt OR ext:pptx OR ext:xls OR ext:xlsx)

You can also search for keywords:

site:example.com ("internal" OR "confidential" OR "password")

Error Pages and Debug Text

Sometimes error output becomes indexed and helps identify frameworks and paths.

site:example.com ("stack trace" OR "Traceback (most recent call last)" OR "Fatal error" OR "Exception")

Cloud Links and External Platforms

Many websites reference cloud storage or external services inside public pages.

site:example.com ("s3.amazonaws.com" OR "storage.googleapis.com" OR "blob.core.windows.net")

Firebase references:

site:example.com ("firebaseio.com" OR "firebasestorage.googleapis.com")

Dev / Test / Staging Environments

This helps you locate non-production environments that are sometimes accessible.

site:*.example.com (inurl:dev OR inurl:test OR inurl:stage OR inurl:staging OR inurl:beta)

How to Use This Page?

Start with scoped searches: site:example.com and site:*.example.com
Locate entry points: login, admin, portals
Look for open directories and file types: backups, configs, logs, exports
Search for API docs and API paths: swagger, openapi, graphql, /api/
Collect JavaScript files and map files: endpoints are often there
Save useful URLs and move to active recon tools

Compact Start Queries

Use these first if you want fast results:

site:*.example.com (inurl:admin OR inurl:login OR inurl:dashboard)
site:example.com intitle:"index of"
site:example.com (ext:env OR ext:sql OR ext:log OR ext:zip OR ext:gz)
site:example.com (inurl:swagger OR inurl:openapi OR inurl:graphql OR inurl:api-docs)
site:example.com ext:js ("api" OR "endpoint")

PreviousWeb Reconnaissance NextInput Validation Testing

Last updated 2 months ago

Was this helpful?

Good afternoon

hashtagGoogle Dorking

hashtagWhat You Actually Need

hashtagScoping

hashtagFinding Login Pages and Admin Areas

hashtagFinding Open Directories ("index of")

hashtagFinding Files That Help Recon

hashtagBackups and archives

hashtagConfiguration formats

hashtagLogs and exports

hashtagAPI Discovery Through Search

hashtagJavaScript Recon

hashtagRepository and Development Artifacts

hashtagDocuments (PDF / Office Files)

hashtagError Pages and Debug Text

hashtagCloud Links and External Platforms

hashtagDev / Test / Staging Environments

hashtagHow to Use This Page?

hashtagCompact Start Queries