GitHub is one of the most popular code-sharing platforms used by developers worldwide. It provides a central repository for developers to store, collaborate on, and share their code with others. However, it is also a treasure trove of information that can be exploited by cybercriminals to carry out attacks or gain unauthorized access to sensitive information.
To help security researchers, ethical hackers, and other professionals identify potential security vulnerabilities or other issues with GitHub repositories, GitHub dorks have been created. GitHub dorks are search queries that can be used to find specific types of data, such as sensitive information, credentials, network devices, and other data on GitHub.
In this GitHub dork cheatsheet, we have compiled a comprehensive list of dorks that can be used to search for various types of data on GitHub. These dorks are grouped into categories to make it easier to find the specific dork that you need. Some of the categories covered in this cheatsheet include:
- Sensitive information: This category includes dorks that can help you find files that may contain sensitive information, such as API keys, database passwords, and other configuration settings that should not be exposed publicly.
- Credentials: This category includes dorks that are specifically designed to find various types of credentials, such as AWS access keys, Google Cloud Platform credentials, and database passwords used in WordPress installations.
- Network devices: This category includes dorks that help you locate various types of network devices, such as VPN servers, remote access servers, network gateways, firewalls, and network switches.
- Software configuration files: This category includes dorks that can help you find configuration files for various types of software tools, including Git, Docker, Terraform, and Jenkins, that may contain sensitive information or other details that could be useful for attackers.
By using these GitHub dorks, you can easily search for specific types of data on GitHub and identify potential security risks or other issues that may need to be addressed. It is important to use these dorks ethically and responsibly, and only for legitimate purposes. Using them for malicious purposes or unauthorized access can result in legal consequences.
Sensitive files and configurations
These dorks can help you find files that contain sensitive information, such as passwords, API keys, and configuration files. They can be used to identify potential security vulnerabilities in a codebase.
Dork | Description |
---|---|
filename:.env | Searches for files containing sensitive environment variables |
filename:credentials | Searches for files containing sensitive credentials |
filename:config | Searches for files containing sensitive configuration information |
filename:database | Searches for files containing database credentials or configurations |
filename:wp-config.php | Searches for WordPress configuration files containing sensitive information |
Publicly accessible AWS S3 buckets
These dorks can help you identify publicly accessible AWS S3 buckets. This is important because publicly accessible S3 buckets can expose sensitive data to the public.
Dork | Description |
---|---|
site:s3.amazonaws.com | Searches for publicly accessible AWS S3 buckets |
site:s3.amazonaws.com ext:json | Searches for JSON files in publicly accessible AWS S3 buckets |
site:s3.amazonaws.com ext:yaml | Searches for YAML files in publicly accessible AWS S3 buckets |
Exposed API keys
These dorks can help you find API keys that may have been accidentally exposed in code or configuration files. API keys can be used to gain unauthorized access to services, so it’s important to keep them secure.
Dork | Description |
---|---|
filename:api_key | Searches for files containing API keys |
filename:config.json api_key | Searches for API keys in JSON configuration files |
filename:config.json auth | Searches for authentication tokens in JSON configuration files |
Again, it is important to use GitHub dorks ethically and only for legitimate purposes. Using them for malicious activities is not only unethical, but also illegal.
Exposure of sensitive information
These dorks can help you find plaintext passwords, SSH keys, and other sensitive information that may have been accidentally exposed in code or configuration files. This information can be used to gain unauthorized access to systems and should be kept secure.
Dork | Description |
---|---|
extension:sql password | Searches for SQL files containing plaintext passwords |
extension:txt ssh | Searches for plaintext SSH private keys |
filename:.bash_history | Searches for bash history files, which can reveal commands and sensitive information |
filename:.gitconfig | Searches for Git configuration files, which can contain sensitive information such as usernames and passwords |
Source code leaks
These dorks can help you find files in a codebase that may expose vulnerabilities, such as WordPress configuration files, Apache htpasswd files, and IIS configuration files.
Dork | Description |
---|---|
filename:wp-config.php | Searches for WordPress configuration files containing sensitive information |
filename:.htpasswd | Searches for Apache htpasswd files containing passwords |
filename:web.config | Searches for IIS configuration files containing sensitive information |
Vulnerable software
These dorks can help you find signs of vulnerable software, such as Vim swap files, WordPress login pages, and backup files. These vulnerabilities can be exploited to gain unauthorized access to systems.
Dork | Description |
---|---|
extension:swp | Searches for Vim swap files that can contain plaintext passwords and other sensitive information |
filename:wp-login.php | Searches for WordPress login pages that can be vulnerable to brute-force attacks |
filename:backup | Searches for backup files that can contain sensitive information |
Exposed secrets and tokens
These dorks can help you find authentication tokens and other secrets that may have been accidentally exposed in code or configuration files.
Dork | Description |
---|---|
filename:.npmrc _auth | Searches for NPM configuration files containing authentication tokens |
filename:.bashrc password | Searches for bash configuration files containing plaintext passwords |
filename:.dockercfg auth | Searches for Docker configuration files containing authentication tokens |
filename:prod.exs password | Searches for Elixir configuration files containing plaintext passwords |
Technology stack
These dorks can help you identify the technology stack used by a project and its dependencies, such as Python, Ruby, JavaScript, and Java. This information can be useful for security and auditing purposes.
Dork | Description |
---|---|
language:python filename:requirements.txt | Searches for Python projects and their dependencies |
language:ruby filename:Gemfile | Searches for Ruby projects and their dependencies |
language:javascript filename:package.json | Searches for JavaScript projects and their dependencies |
language:java filename:build.gradle | Searches for Java projects and their dependencies |
Exposed database credentials
These dorks can help you find database credentials that may have been accidentally exposed in code or configuration files. This information can be used to gain unauthorized access to databases and should be kept secure.
Dork | Description |
---|---|
filename:.env DB_USERNAME NOT homestead | Searches for Laravel configuration files containing database usernames |
filename:.env DB_PASSWORD NOT homestead | Searches for Laravel configuration files containing database passwords |
filename:wp-config.php DB_PASSWORD | Searches for WordPress configuration files containing database passwords |
Exposed AWS credentials
These dorks can help you find AWS access and secret keys that may have been accidentally exposed in code or configuration files. AWS credentials can be used to gain unauthorized access to AWS services, so it’s important to keep them secure.
Dork | Description |
---|---|
filename:credentials aws_access_key_id | Searches for AWS credentials files containing access keys |
filename:credentials aws_secret_access_key | Searches for AWS credentials files containing secret keys |
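A defensive use of the dorks above, as an added example that is not part of the original cheatsheet: the script parses four dorks copied from this page and reports which files in a local working tree they would surface, so those files can be cleaned up before the repository is pushed. The matching rules (substring match on the file name, case-insensitive terms) and the sample tree are assumptions constructed for illustration and only approximate GitHub's own search.

```python
import tempfile
from pathlib import Path

# Dorks copied from the tables on this page.
PAGE_DORKS = ["filename:.env DB_PASSWORD NOT homestead", "filename:credentials aws_access_key_id",
              "filename:.npmrc _auth", "extension:sql password"]

def parse_dork(dork):
    """Split a dork into file qualifiers, required terms and NOT-excluded terms."""
    rule = {"filename": None, "extension": None, "must": [], "must_not": []}
    bucket = "must"
    for tok in dork.split():
        key, sep, value = tok.partition(":")
        if sep and key in ("filename", "extension"):
            rule[key] = value.lower()
        elif tok != "NOT":
            rule[bucket].append(tok.lower())
        bucket = "must_not" if tok == "NOT" else "must"  # NOT applies to the next term only
    return rule

def matches(rule, path, text):
    """Assumed semantics: substring match on the file name, case-insensitive terms."""
    body = text.lower()
    return ((not rule["filename"] or rule["filename"] in path.name.lower())
            and (not rule["extension"] or path.suffix.lower() == "." + rule["extension"])
            and all(t in body for t in rule["must"])
            and not any(t in body for t in rule["must_not"]))

def audit_tree(root, dorks=PAGE_DORKS):
    """Return sorted (relative path, dork) pairs for files a dork would surface."""
    rules = [(d, parse_dork(d)) for d in dorks]
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.relative_to(root).parts:
            text = p.read_text(errors="ignore")
            hits += [(p.relative_to(root).as_posix(), d) for d, r in rules if matches(r, p, text)]
    return sorted(hits)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        files = {  # constructed sample tree, not real data
            ".env": "DB_PASSWORD=constructed-example\n",
            "sample/.env": "DB_PASSWORD=secret\nDB_DATABASE=homestead\n",
            "db/dump.sql": "INSERT INTO users (name, password) VALUES ('a', 'x');\n",
        }
        for rel, content in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(content)
        return audit_tree(tmp)
```

Calling `audit_tree(".")` from the root of a checkout runs the same check on a real working tree; `sample/.env` is skipped in the demo because the `NOT homestead` term filters out the Laravel default value.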
Exposed private repositories
These dorks can help you find private repositories that may have been accidentally made public. This information can be useful for security and auditing purposes.
Dork | Description |
---|---|
filename:.npmrc _auth | Searches for NPM configuration files containing authentication tokens |
filename:.pypirc password | Searches for Python configuration files containing plaintext passwords |
filename:.dockercfg auth | Searches for Docker configuration files containing authentication tokens |
Exposed Git metadata
These dorks can help you find Git metadata files that may have been accidentally exposed in a repository. Git metadata can contain sensitive information, such as commit messages and file paths.
Dork | Description |
---|---|
filename:.gitconfig password | Searches for Git configuration files containing plaintext passwords |
filename:.git-credentials | Searches for Git credentials files |
filename:.git/FETCH_HEAD | Searches for Git fetch logs |
Exposed web servers
These dorks can help you find web servers that may be publicly accessible. This information can be used to identify potential security vulnerabilities and to assess the security posture of a system.
Dork | Description |
---|---|
http.status:200 "Server: Microsoft-IIS" | Searches for Microsoft IIS web servers |
http.status:200 "Server: Apache" | Searches for Apache web servers |
http.status:200 "Server: nginx" | Searches for Nginx web servers |
Exposed FTP servers
These dorks can help you find FTP servers that may be publicly accessible. FTP servers can be used to transfer files between systems, so it’s important to keep them secure.
Dork | Description |
---|---|
ftp | Searches for FTP servers |
Network devices
These dorks help locate various types of network devices, such as VPN servers, remote access servers, network gateways, firewalls, and network switches.
Dork | Description |
---|---|
hostname:vpn | Searches for VPN servers |
hostname:remote | Searches for remote access servers |
hostname:gateway | Searches for network gateway devices |
hostname:firewall | Searches for firewall devices |
hostname:switch | Searches for network switches |
Miscellaneous
These dorks help find configuration files for various types of software tools, including Git, Docker, Terraform, and Jenkins, that may contain sensitive information or other details that could be useful for attackers.
Dork | Description |
---|---|
filename:.gitconfig | Searches for Git configuration files |
filename:.dockerconfigjson | Searches for Docker configuration files |
filename:.terraformrc | Searches for Terraform configuration files |
filename:jenkinsfile | Searches for Jenkins pipeline files |
Finding API
API keys
Dork | Description |
---|---|
filename:.npmrc _auth | Searches for NPM configuration files containing authentication tokens |
filename:.pypirc password | Searches for Python configuration files containing plaintext passwords |
filename:.dockercfg auth | Searches for Docker configuration files containing authentication tokens |
filename:.gem/credentials | Searches for Ruby Gem configuration files containing authentication tokens |
filename:wp-config.php WP_SECRET_KEY | Searches for WordPress configuration files containing secret keys |
filename:.env MAILCHIMP_API_KEY | Searches for Laravel configuration files containing Mailchimp API keys |
filename:.env S3_BUCKET | Searches for Laravel configuration files containing Amazon S3 bucket names |
API endpoints
Dork | Description |
---|---|
filename:swagger.yml | Searches for Swagger API documentation files |
filename:openapi.yml | Searches for OpenAPI API documentation files |
filename:api_key | Searches for API keys in files |
filename:api_secret | Searches for API secrets in files |
These dorks can help you find potential vulnerabilities in API keys and endpoints, and can be used to improve the security of your system. Again, it’s important to use GitHub dorks responsibly and only for legitimate purposes.
Tools
Programming languages
Dork | Description |
---|---|
language:python | Searches for repositories written in Python |
language:javascript | Searches for repositories written in JavaScript |
language:ruby | Searches for repositories written in Ruby |
language:java | Searches for repositories written in Java |
Frameworks
Dork | Description |
---|---|
framework:laravel | Searches for Laravel projects |
framework:ruby-on-rails | Searches for Ruby on Rails projects |
framework:vue | Searches for Vue.js projects |
framework:react | Searches for React projects |
Operating systems
Dork | Description |
---|---|
os:windows | Searches for repositories related to Windows |
os:mac | Searches for repositories related to macOS |
os:linux | Searches for repositories related to Linux |
Package managers
Dork | Description |
---|---|
filename:package.json | Searches for NPM projects |
filename:Gemfile | Searches for Ruby Gem projects |
filename:requirements.txt | Searches for Python package requirements |
These dorks can help you find tools and software written in various programming languages, using different frameworks, and running on different operating systems. This can be useful for discovering new projects, exploring existing ones, or searching for solutions to specific problems.
AWS/S3 recon
Dork | Description |
---|---|
site:s3.amazonaws.com filetype:sql | Searches for SQL files in S3 buckets |
site:s3.amazonaws.com filetype:json | Searches for JSON files in S3 buckets |
site:s3.amazonaws.com filetype:xml | Searches for XML files in S3 buckets |
site:s3.amazonaws.com ext:cfg | Searches for configuration files in S3 buckets |
site:s3.amazonaws.com ext:log | Searches for log files in S3 buckets |
site:s3.amazonaws.com inurl:server-status | Searches for S3 buckets with server status pages |
site:s3.amazonaws.com inurl:policy | Searches for S3 buckets with access policies |
site:s3.amazonaws.com inurl:bucket | Searches for S3 buckets with “bucket” in their URL |
site:s3.amazonaws.com intext:"AccessKeyId" | Searches for S3 buckets with AWS access keys |
These dorks can help you find public S3 buckets or related information that may be exposed on GitHub. Please note that accessing and modifying resources on other people’s S3 buckets without their consent is a violation of AWS’s terms of service and could result in legal action.
FAQ
1. What are GitHub dorks?
GitHub dorks are search queries that can be used to find specific types of data on GitHub. These dorks can help security researchers, ethical hackers, and other professionals identify potential security vulnerabilities or other issues with GitHub repositories.
2. How can GitHub dorks be used?
GitHub dorks can be used to search for specific types of data on GitHub, such as sensitive information, credentials, network devices, and software configuration files. By using these dorks, you can quickly identify potential security risks or other issues that may need to be addressed.
3. Are GitHub dorks legal to use?
Yes, GitHub dorks are legal to use. However, it is important to use them ethically and responsibly, and only for legitimate purposes. Using them for malicious purposes or unauthorized access can result in legal consequences.
4. Can GitHub dorks be used for any code-sharing platform other than GitHub?
No, GitHub dorks are specifically designed to search for data on GitHub. However, similar dorks may exist for other code-sharing platforms.
5. Can GitHub dorks be used to find any type of data?
GitHub dorks can be used to find a variety of data, including sensitive information, credentials, network devices, and software configuration files. However, not all data may be accessible through GitHub dorks, and some repositories may have security measures in place to prevent data from being exposed.