Use Google dorks for passive reconnaissance — find exposed files, login portals, config leaks, and forgotten subdomains with advanced search operators, ethically and in scope.
Dorking is just precise search. site: scopes a domain, filetype: targets extensions, intitle:/inurl: match page metadata, and quotes force exact phrases. Combine them to narrow millions of results to a handful.
site:example.com
site:example.com filetype:pdf
intitle:"index of" "parent directory"
Open directory listings and backup files are a classic source of leaks. Hunt for archives, SQL dumps, and config files that were never meant to be indexed.
site:example.com intitle:"index of"
site:example.com ext:sql | ext:bak | ext:old | ext:env
site:example.com filetype:log
Enumerate authentication surfaces and management interfaces to map the attack surface before testing (only within scope).
site:example.com inurl:admin | inurl:login
site:example.com intitle:"dashboard" | intitle:"control panel"
Source files, env files, and public paste sites or repositories sometimes expose API keys and passwords. Search for the tell-tale tokens — then report, never reuse.
site:example.com "api_key" | "apikey" | "secret"
"example.com" site:pastebin.com
site:github.com "example.com" password
Negative matches and exclusions surface forgotten subdomains and staging hosts that often have weaker controls than production.
site:*.example.com -www
site:example.com inurl:staging | inurl:dev | inurl:test
Dorking is passive, but acting on findings is not — stay within written scope, don't access data you find, and document responsibly. Automate repeatable queries with the Search Dork Generator and pull findings into your recon workflow.
site:example.com filetype:env DB_PASSWORD
cache:example.com # view Google's snapshot, no direct hit
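Added example (not from the original page or its tooling): one way to pull exported results into a recon workflow is to bucket each URL into the categories the queries above target and set aside anything outside the written scope. SCOPE, the category labels, and the sample results are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

SCOPE = {"example.com"}                          # assumption: domains in the written scope
RISKY_EXT = {"sql", "bak", "old", "env", "log"}  # extensions the file dorks target
AUTH_TOKENS = {"admin", "login"}                 # inurl: terms for auth surfaces
PANEL_TITLES = ("dashboard", "control panel")    # intitle: terms for management UIs
NONPROD_TOKENS = {"staging", "dev", "test"}      # inurl: terms for non-production hosts

def classify(url, title=""):
    """Sorted category labels for one result, or None if the host is out of scope."""
    parts = urlsplit(url)
    host, path, title = (parts.hostname or "").lower(), parts.path.lower(), title.lower()
    # Match on a dot boundary so "notexample.com" is not treated as example.com.
    root = next((r for r in SCOPE if host == r or host.endswith("." + r)), None)
    if root is None:
        return None
    tokens = set(re.split(r"[^a-z0-9]+", host + path))  # whole tokens, like inurl:
    leaf = path.rsplit("/", 1)[-1]
    checks = {
        "open-directory": "index of" in title,
        "exposed-file": "." in leaf and leaf.rsplit(".", 1)[-1] in RISKY_EXT,
        "auth-surface": bool(tokens & AUTH_TOKENS) or any(p in title for p in PANEL_TITLES),
        "non-production": bool(tokens & NONPROD_TOKENS),
        "non-www-host": host not in (root, "www." + root),
    }
    return sorted(tag for tag, hit in checks.items() if hit)

# Constructed sample results as (URL, page title); not real findings.
RESULTS = [
    ("https://example.com/files/", "Index of /files"),
    ("https://example.com/backup/db.sql", ""),
    ("https://example.com/.env", ""),
    ("https://staging.example.com/login", "Sign in"),
    ("https://portal.example.com/", "Control Panel"),
    ("https://example.com/docs/report.pdf", "Annual report"),
    ("https://notexample.com/admin", "Admin"),
]

def triage(results):
    """Group URLs by category; out-of-scope URLs are listed separately, not followed."""
    report = {}
    for url, title in results:
        tags = classify(url, title)
        for tag in ["out-of-scope"] if tags is None else tags or ["no-finding"]:
            report.setdefault(tag, []).append(url)
    return report

if __name__ == "__main__":
    print(*triage(RESULTS).items(), sep="\n")
```

The script only classifies URL strings and titles; it makes no requests, so the finding itself is never opened.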