GitHub is a treasure trove of open-source projects, but did you know it can also be a goldmine for attackers looking for exposed credentials? This technique, known as GitHub Dorking, is the practice of using advanced search queries to uncover sensitive data, such as API keys, database credentials, and private SSH keys. While this method is often exploited by malicious actors, security professionals can use it ethically to identify and secure leaked information.
In this post, I will explain how to perform GitHub Dorking, provide useful search queries, and discuss tools that can automate the process.
What is GitHub Dorking?
GitHub Dorking is the process of searching for exposed secrets and misconfigured repositories using GitHub's own search functionality. By combining GitHub's search qualifiers, you can narrow results down to specific filenames, paths, repositories, organizations and keywords, which is enough to surface leaked credentials at scale. Keep two limits in mind: GitHub code search only indexes the default branch of each repository, so a secret that was committed and later removed is invisible to it (but still sits in the commit history), and the search API caps every query at 1,000 results, so broad dorks need to be split up with org:, language: or path: qualifiers to be exhaustive.
How to Perform GitHub Dorking
Step 1: Understand GitHub's Search Syntax
GitHub supports a number of search qualifiers that refine results. Below are the most useful ones, written in the classic syntax that the REST code-search API (and the gh search code CLI that wraps it) still accepts. The current web code search folds the file qualifiers into path: (for example path:*.env or path:**/config/**), so translate accordingly if a query returns nothing in the browser:
- filename: – Matches a specific filename. Example: filename:.env (finds .env files, which often contain credentials)
- extension: – Filters results by file extension. Example: extension:sql (finds SQL files, which may contain database dumps)
- path: – Matches files whose path contains the term. Example: path:config (finds files under a config directory, such as config/database.yml)
- in: – Restricts where a term is matched. In repository search it takes name, description or readme; in code search it takes file or path. Example: password in:readme (a repository search that returns repositories whose README mentions 'password')
- repo: – Searches within a single repository. Example: repo:username/repositoryname "API_KEY" (looks for the string API_KEY in that repository)
- org: – Searches within an organization. Example: org:microsoft "client_secret" (finds the string client_secret across the organization's repositories your token can see)
- language: – Filters results by programming language. Example: language:python "AWS_SECRET_ACCESS_KEY" (finds AWS secret key references in Python files)
Quoting a term makes it an exact match; unquoted words are matched individually, which is why bare terms like password are noisy. Prefix any query with org:yourorg to audit your own organization before searching the whole site.
Step 2: Common GitHub Dorking Queries
Finding API Keys & Credentials
filename:.env DB_PASSWORD
filename:.env AWS_ACCESS_KEY_ID
filename:config.json auth
filename:settings.py SECRET_KEY
Finding Hardcoded Credentials
password extension:ini
password extension:sql
apikey extension:json
Finding Private SSH Keys
filename:id_rsa private
path:.ssh
(filename:.ssh would only match a file literally named .ssh; path:.ssh finds files committed from a .ssh directory, such as id_rsa, id_ed25519 and authorized_keys. Any hit whose content begins with -----BEGIN and PRIVATE KEY----- is a real key, not a template.)
Finding Database and Web-Server Credentials
filename:wp-config.php
(WordPress database credentials and authentication salts)
filename:.htpasswd
(Apache basic-auth username and password hashes, which can be cracked offline)
Finding Open Firebase Databases
".firebaseio.com" "authDomain"
(This finds committed Firebase web configs, which identify the project but do not by themselves prove the database is open; that depends on the project's security rules. The check a practitioner wants is an unauthenticated GET to https://<project>.firebaseio.com/.json: a "Permission denied" error means the rules hold, while returned data means the database is world-readable.)
Step 3: Automating GitHub Dorking
There are several tools that automate GitHub dorking instead of searching for sensitive information by hand, such as:
- GitHub-Dorker – Runs a predefined list of dorks against GitHub search using your API token.
- Gitrob – Scans an organization's repositories for files that look like they hold secrets.
- TruffleHog – Walks the commit history (not just the default branch) for secrets, and can verify whether a found credential is still live.
An example invocation of github-dorker (flags differ between versions, so check the tool's own --help):
python github-dorker.py -q "filename:.env" -t YOUR_GITHUB_TOKEN
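Steps 1 to 3 together are a small program: turn the dorks into REST code-search queries, page through the results while respecting the rate limit, and reduce the hits to a triage list. The following is an added example written for this post; it is not code from the post or from any of the tools named above. It assumes a personal access token in GITHUB_TOKEN (code search requires authentication) and an optional DORK_SCOPE such as org:yourorg. The response below is a constructed sample in the shape of GET /search/code so the parsing can be exercised offline.

```python
"""Minimal GitHub dorker: dorks -> REST code-search queries -> triage list.
Added example, not code from the post or from any tool it names."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.github.com/search/code"
PER_PAGE = 100       # API maximum
MAX_RESULTS = 1000   # the search API never returns more than this per query

# Dorks from the post, in the legacy qualifier syntax the REST endpoint accepts.
DORKS = [
    "filename:.env DB_PASSWORD",
    "filename:.env AWS_ACCESS_KEY_ID",
    "filename:id_rsa private",
    "filename:wp-config.php",
]


def build_url(dork, scope=None, page=1):
    """Compose one search URL. `scope` is an optional org:/repo: qualifier so the
    same dork can be pointed at your own organization before the whole site."""
    q = f"{scope} {dork}" if scope else dork
    params = {"q": q, "per_page": PER_PAGE, "page": page}
    return f"{API}?{urllib.parse.urlencode(params)}"


def normalise(payload):
    """Reduce a code-search response to the fields worth triaging."""
    return [
        {"repo": item["repository"]["full_name"], "path": item["path"], "url": item["html_url"]}
        for item in payload.get("items", [])
    ]


def fetch_page(url, token):
    """GET one page. On 403/429 (primary or secondary rate limit) wait as the
    Retry-After header instructs and retry the same page."""
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    while True:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code not in (403, 429):
                raise
            time.sleep(int(err.headers.get("Retry-After", "60")))


def search(dork, token, scope=None):
    """Collect every hit for one dork, up to the API's 1,000-result cap."""
    hits, page = [], 1
    while True:
        payload = fetch_page(build_url(dork, scope, page), token)
        hits.extend(normalise(payload))
        if not payload.get("items") or len(hits) >= min(payload.get("total_count", 0), MAX_RESULTS):
            return hits
        page += 1
        time.sleep(6)  # authenticated users get 10 code-search requests per minute


# Constructed sample in the shape of a GET /search/code response (not real data).
SAMPLE_RESPONSE = {
    "total_count": 2,
    "incomplete_results": False,
    "items": [
        {"name": ".env", "path": "app/.env",
         "html_url": "https://github.com/example-org/shop/blob/main/app/.env",
         "repository": {"full_name": "example-org/shop"}},
        {"name": ".env", "path": ".env",
         "html_url": "https://github.com/someone/demo/blob/main/.env",
         "repository": {"full_name": "someone/demo"}},
    ],
}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        print("GITHUB_TOKEN not set; showing the parsed constructed sample instead:")
        for hit in normalise(SAMPLE_RESPONSE):
            print(hit)
    else:
        for dork in DORKS:
            for hit in search(dork, token, scope=os.environ.get("DORK_SCOPE")):
                print(dork, "->", hit["url"])
```

Every hit still has to be triaged by a human: a matching filename is not a live secret, and the raw file (fetch it from the html_url with ?raw=true or via the contents API) is what tells you whether the value is a placeholder or a real credential.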
Step 4: Using Google Dorking with GitHub
Google also indexes GitHub repositories, so Google dorks can surface exposed data without a GitHub account, sometimes including pages and gists that GitHub code search ranks poorly. Google's index of GitHub is partial and lags behind commits, so treat it as a complement to GitHub's own search rather than a replacement:
site:github.com "DB_PASSWORD"
site:github.com "AWS_SECRET_ACCESS_KEY"
Ethical Considerations
While GitHub Dorking is a powerful method for identifying security risks, it should only be used ethically. Some key guidelines:
- Do NOT use GitHub dorking for malicious purposes, and do not test credentials you find against the systems they belong to; finding a key is evidence enough.
- Always follow ethical hacking and responsible disclosure policies, including the scope of any bug bounty program.
- If you discover sensitive information, notify the repository owner immediately.
- If you leak your own secret, treat it as compromised and rotate it at once. Deleting the file or rewriting history is not enough, because clones, forks, caches and search indexes keep the old commit.
- Secure your own repositories with a .gitignore that excludes .env files, key material and local configs, and turn on GitHub's secret scanning and push protection so known credential formats are blocked before they reach the remote.
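GitHub's secret scanning runs after a push; a local pre-commit hook catches the same classes of file and string before they ever leave the machine. The following is an added example of such a hook, not from the post or from any project it mentions. Its filename and content patterns mirror the dorks above (.env, id_rsa, .htpasswd, wp-config.php, AWS access key IDs, private key blocks, Firebase project URLs); SAMPLE_ENV is a constructed file so the scanner can be tried without a repository. To install it, copy the script to .git/hooks/pre-commit and make it executable.

```python
"""Pre-commit hook that refuses to commit the files and strings the dorks above
hunt for. Added example; not code from the post. Reads the staged blobs, so it
checks what would actually be committed rather than the working tree."""
from __future__ import annotations

import re
import subprocess
import sys

# Filenames that should never be committed (mirrors the filename: dorks).
SENSITIVE_PATH = re.compile(r"(^|/)(\.env|id_rsa|id_ed25519|\.htpasswd|wp-config\.php)$")

# Content rules. Each is a high-confidence indicator rather than a generic "password" grep.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value lines in .env style files; requires a non-empty value so unset keys pass.
    "env_secret": re.compile(
        r"^[ \t]*(?:DB_PASSWORD|SECRET_KEY|AWS_SECRET_ACCESS_KEY)[ \t]*=[ \t]*['\"]?\S{8,}", re.M),
    "firebase_project": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}


def is_sensitive_path(path: str) -> bool:
    """True for files whose name alone is reason enough to block the commit."""
    return SENSITIVE_PATH.search(path) is not None


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per pattern match, sorted by line, as {path, rule, line}."""
    findings = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append({"path": path, "rule": rule, "line": line})
    findings.sort(key=lambda f: (f["line"], f["rule"]))
    return findings


def staged_files() -> list[str]:
    """Added, copied and modified paths in the index (NUL-separated to survive odd names)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=ACM"],
        check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def staged_content(path: str) -> str | None:
    """Content of the staged blob, or None for binary files (skipped)."""
    blob = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    try:
        return blob.decode("utf-8")
    except UnicodeDecodeError:
        return None


def main() -> int:
    problems = []
    for path in staged_files():
        if is_sensitive_path(path):
            problems.append({"path": path, "rule": "sensitive_filename", "line": 0})
        text = staged_content(path)
        if text is not None:
            problems.extend(scan_text(path, text))
    for p in problems:
        print(f"{p['path']}:{p['line']}: {p['rule']}", file=sys.stderr)
    if problems:
        print("commit blocked: remove the secret or move it to an ignored file", file=sys.stderr)
    return 1 if problems else 0


# Constructed sample .env (not real credentials) for trying the scanner by hand.
SAMPLE_ENV = "DB_HOST=localhost\nDB_PASSWORD=hunter2hunter2\nAWS_ACCESS_KEY_ID=AKIATESTTESTTESTTEST\n"

if __name__ == "__main__":
    sys.exit(main())
```

A hook like this is a seat belt, not a guard rail: anyone can skip it with git commit --no-verify, and it only knows the formats it is taught. Keep it alongside server-side secret scanning and push protection, which run regardless of the committer's local setup.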
Conclusion
GitHub Dorking is a valuable technique for security researchers, DevSecOps professionals and ethical hackers to discover leaked credentials and secure their systems. By understanding GitHub search operators, leveraging automated tools, and following ethical best practices, organizations can reduce the risk of accidental data exposure.
See you in the next blog post :)