>_ cyzen

For authorized use only. These queries are intended for legitimate security research, bug bounty programs, and penetration testing engagements where you have explicit written authorization to test the target system. Unauthorized use against systems you do not own or have permission to test may violate the Computer Fraud and Abuse Act (CFAA), GDPR, and equivalent laws in your jurisdiction. Use responsibly.

93 dorks · 12 categories

Bug Bounty Dork Reference

OWASP 2025

Broad Domain Search

Info
Recon A02

Maps the target domain while excluding common noise subdomains. Good starting point to understand indexed scope.

site:example.com -www -shop -share -ir -mfa

Subdomain Enumeration

Info
Recon A02

Discovers all Google-indexed subdomains. Wildcards reveal dev, staging, and internal subdomains left publicly accessible.

site:*.example.com -www

PHP Files with Parameters

Low
Recon A05

Finds PHP endpoints with query parameters — the primary attack surface for SQLi, XSS, and LFI in PHP applications.

site:example.com filetype:php inurl:?

Juicy File Extensions

High
Recon A02

Broad sweep for sensitive file types left indexed by misconfigured servers. Any hit warrants immediate manual review.

site:example.com filetype:log | filetype:txt | filetype:conf | filetype:cnf | filetype:ini | filetype:env | filetype:sh | filetype:bak | filetype:backup | filetype:swp | filetype:old | filetype:git | filetype:svn | filetype:htpasswd | filetype:htaccess | filetype:json

High-Value URL Keywords

Medium
Recon A02

Targets URLs containing keywords that frequently lead to sensitive or admin functionality.

inurl:conf | inurl:env | inurl:cgi | inurl:bin | inurl:etc | inurl:root | inurl:sql | inurl:backup | inurl:admin | inurl:php site:example.com

Directory Listing Enabled

Medium
Recon A01 A02

Open directory listings expose the file tree of web directories, often revealing sensitive files not meant to be public.

site:example.com intitle:"index of" "parent directory"

SSN Exposure (Documents & Files)

Critical
PII & Data A04

Finds any indexed file — spreadsheets, PDFs, logs, CSVs — containing Social Security Number references. Consistently the highest-value critical finding in bug bounty; SSN in any public file is a P1 on virtually every program.

site:example.com filetype:pdf | filetype:xls | filetype:xlsx | filetype:csv | filetype:txt | filetype:log | filetype:dat "SSN" | "Social Security" | "Social Security Number" | "ss#" | "ssn:"

SSN + DOB Combination (PII Combo)

Critical
PII & Data A04

Pages displaying SSN alongside date of birth confirm a full identity-theft-enabling data exposure. This combination is the definition of a critical PII leak.

site:example.com "social security" "date of birth" | "dob" | "birth date"

Credit Card Data Exposure

Critical
PII & Data A04

Finds pages with credit card field references. Any indexed PCI-scoped data is an automatic critical — PCI-DSS violations carry significant fines.

site:example.com "credit card" "cvv" | "card number" | "expiry" | "cardholder"

Medical Records / PHI Exposure

Critical
PII & Data A04

Finds potential HIPAA-covered Protected Health Information (PHI). Medical data breaches have the highest regulatory penalty of any PII class.

site:example.com "patient" "diagnosis" | "prescription" | "medical record" | "MRN" | "health record"

Passport / Government ID

Critical
PII & Data A04

Government-issued ID numbers on public pages. Nearly every bug bounty program rates government ID exposure as critical.

site:example.com "passport number" | "passport no" | "driver license" | "drivers license" | "national id"

Exported User Data (Email/Password Lists)

High
PII & Data A04

Exported user data files in spreadsheet formats. Common result of misconfigured automated reports, data exports, or BI tool leakage.

site:example.com filetype:csv | filetype:xls | filetype:xlsx "email" | "username" | "password" | "user_id"

Bank Account / Financial Data

Critical
PII & Data A04

Bank account and routing numbers in indexed content. Financial data exposure is consistently a maximum-severity finding.

site:example.com "account number" "routing" | "bank account" | "IBAN" | "SWIFT"

Generic API Key Exposure

Critical
Credentials A04

Broad search for API key references in indexed content. Hardcoded or accidentally exposed API keys are consistently critical findings.

site:example.com "api_key" | "apikey" | "api-key" | "access_key" | "secret_key" | "client_secret"

AWS Access Key Exposure

Critical
Credentials A04

AWS IAM access keys start with "AKIA". Exposed keys can mean full cloud account compromise — S3 data, EC2 control, IAM escalation.

site:example.com "AKIA" | "aws_access_key_id" | "aws_secret_access_key" | "AWSSecretKey"

Private Key Exposure (RSA/SSH)

Critical
Credentials A04

Exposed private cryptographic keys in page source. Private key exposure is always critical — enables TLS impersonation or SSH access.

site:example.com "-----BEGIN RSA PRIVATE KEY-----" | "-----BEGIN PRIVATE KEY-----" | "-----BEGIN OPENSSH PRIVATE KEY-----" | "-----BEGIN EC PRIVATE KEY-----"

Database Connection Strings

Critical
Credentials A04

Database connection strings with embedded credentials. Commonly found in error pages, config files exposed via directory listing, or debug endpoints.

site:example.com "mysql://" | "postgres://" | "postgresql://" | "mongodb://" | "jdbc:mysql" | "Server=;Database=;User Id="

JWT Tokens in Exposed Files

High
Credentials A07

JWT tokens always start with "eyJ" (base64 header). Exposed JWTs in indexed files may allow session hijacking or API auth bypass.

site:example.com "eyJ" filetype:json | filetype:txt | filetype:log | filetype:yaml

OAuth / Bearer Token Exposure

High
Credentials A07

OAuth tokens or bearer tokens in indexed content. Token theft enables account takeover without needing a password.

site:example.com "access_token" | "bearer" | "oauth_token" | "refresh_token"

Stripe Secret / Restricted Keys

Critical
Credentials A04

Stripe secret keys (sk_live_) grant full access — charges, refunds, customer data. An indexed live key is an immediate critical.

site:example.com "sk_live_" | "rk_live_" | "sk_test_"

Email Service Keys (SendGrid/Mailgun)

High
Credentials A04

Email API keys enable sending phishing at scale from a trusted domain and exfiltrating contact lists.

site:example.com "SG." | "sendgrid_api_key" | "mailgun" "api_key" | "MAILGUN_API_KEY"

GCP Service Account Key File

Critical
Credentials A04

GCP service account JSON key files grant broad API access. Accidentally committed or served from misconfigured storage.

site:example.com "type": "service_account" | "private_key_id" "client_email"

Hardcoded Passwords in Config Files

Critical
Credentials A04

Configuration files with username/password fields. Legacy applications frequently store credentials in plain text config.

site:example.com "password" "username" filetype:xml | filetype:conf | filetype:cnf | filetype:ini | filetype:cfg | filetype:txt | filetype:ora

.env File Exposure

Critical
Files A02 A04

.env files contain all application secrets: database passwords, API keys, JWT secrets. Indexed .env = automatic critical.

site:example.com filetype:env | inurl:"/.env" | inurl:"/.env.local" | inurl:"/.env.production"

Exposed .git Directory

Critical
Files A01 A03

Exposed .git allows downloading complete source code history including any secrets ever committed. Use git-dumper to extract.

site:example.com inurl:"/.git/HEAD" | inurl:"/.git/config" | intitle:"Index of /.git"

SQL Database Dump Files

Critical
Files A04

Exposed SQL dumps contain entire database contents including password hashes, PII, and business data.

site:example.com filetype:sql | filetype:dump "INSERT INTO" | "CREATE TABLE" | "DROP TABLE"

Backup Files (Source / Data)

High
Files A02

Backup files of PHP/ASP scripts expose server-side source code. Web server backups of config files expose credentials.

site:example.com filetype:bak | filetype:backup | filetype:old | filetype:orig | filetype:temp | filetype:tmp | filetype:swp

Log Files with Sensitive Data

High
Files A09

Application logs containing credentials or tokens. Verbose logging in auth flows frequently captures tokens in log lines.

site:example.com filetype:log "password" | "token" | "secret" | "Authorization" | "api_key"

htpasswd / htaccess Files

High
Files A04

htpasswd contains bcrypt/MD5-hashed HTTP Basic Auth credentials. htaccess reveals server configuration and access rules.

site:example.com filetype:htpasswd | inurl:".htpasswd" | inurl:".htaccess"

Configuration File Exposure

High
Files A02

Configuration files expose database credentials, API keys, and infrastructure details. Often the root cause of credential leaks.

site:example.com filetype:xml | filetype:conf | filetype:cnf | filetype:ini | filetype:cfg | filetype:config | filetype:properties

Kubernetes Config / Secrets

Critical
Files A02 A08

Kubernetes YAML files expose cluster credentials, service account tokens, and internal service topology.

site:example.com "kubeconfig" | filetype:yaml "kind: Secret" | "apiVersion:" "kind: Deployment"

Docker Compose / Dockerfile Exposure

Medium
Files A02

Docker Compose files contain environment variables with credentials and reveal internal service architecture.

site:example.com inurl:"docker-compose" | inurl:"docker-compose.yml" | filetype:yml "services:" "image:"

Confidential Documents

Medium
Files A04

Business documents marked confidential that were accidentally indexed. These often contain internal architecture, financial data, or HR records.

site:example.com filetype:pdf | filetype:doc | filetype:docx | filetype:xls | filetype:xlsx | filetype:ppt | filetype:pptx "confidential" | "internal use only" | "do not distribute"

Deserialization Endpoints (Java / PHP)

Critical
Files A08

Java serialised objects (start with rO0AB in base64) and PHP unserialize sinks. User-controlled deserialisation is a direct path to RCE via ysoserial or PHPGGC gadget chains.

site:example.com inurl:deserialize | inurl:unserialize | inurl:readObject | filetype:ser | "java.io.ObjectInputStream" | "O:8:" | "rO0AB"

Software Update / Plugin Upload Endpoints

High
Files A08

Update and plugin install endpoints that accept uploaded files. Without signature or checksum verification this is an integrity failure — arbitrary files can be loaded as trusted code.

site:example.com inurl:/update | inurl:/upgrade | inurl:/plugin/upload | inurl:/theme/upload | inurl:/extension/install | inurl:/module/install

Login Pages

Medium
Admin A07 A06

Maps all login endpoints for auth testing: brute force, credential stuffing, auth bypass, and rate limit bypass.

site:example.com inurl:login | inurl:signin | inurl:sign-in | intitle:"login" | intitle:"sign in" | inurl:auth

Admin Panels

High
Admin A01

Administrative interfaces typically have less testing coverage, weaker auth, and higher-privilege functionality.

site:example.com inurl:/admin/ | inurl:administrator | inurl:adminpanel | inurl:admin-panel | inurl:backend | intitle:"admin panel"

phpMyAdmin / Database Admin Tools

Critical
Admin A02 A07

Database admin tools exposed to the internet. Unauthenticated or default-credential phpMyAdmin = full database access.

site:example.com inurl:phpmyadmin | inurl:/pma/ | inurl:mysqladmin | inurl:pgadmin | inurl:adminer.php

Test / Staging / Dev Environments

High
Admin A02 A06

Test environments: weaker security controls, debug features enabled, production data copies, and reduced monitoring.

site:example.com inurl:test | inurl:staging | inurl:dev | inurl:development | inurl:sandbox | inurl:debug | inurl:uat | inurl:qa | inurl:demo | inurl:preprod

Jenkins CI/CD Exposed

Critical
Admin A01 A02

Exposed Jenkins allows code execution via build pipelines and the Script Console (Groovy). Unauthenticated Jenkins = RCE.

site:example.com inurl:/jenkins/ | intitle:"Dashboard [Jenkins]" | inurl:jenkins/job | inurl:jenkins/script

Internal Monitoring Dashboards

Medium
Admin A01

Internal dashboards expose business metrics, user counts, system health, and sometimes internal API endpoints.

site:example.com inurl:dashboard | inurl:monitoring | inurl:/metrics | inurl:status | intitle:"internal dashboard"

Session Tokens / Auth Tokens in URLs

High
Admin A07

Session or auth tokens embedded in URLs get logged in server logs, browser history, and referer headers. Any indexed URL with a live token is an immediate account takeover vector.

site:example.com inurl:sessionid= | inurl:PHPSESSID= | inurl:JSESSIONID= | inurl:token= | inurl:auth_token= | inurl:access_token= | inurl:api_key=

Default Credentials Pages

Critical
Admin A07

Setup wizards and first-run pages that may still be accessible post-deploy. These often have default credentials or allow re-initialization of the application.

site:example.com "admin" "password" "default" | inurl:setup | inurl:install | inurl:wizard | inurl:first-run | inurl:first_run

XSS-Prone Parameters

High
Parameters A05

Parameters commonly reflected in templates or responses. Reflected XSS is highly likely in legacy PHP/Java apps that don't encode output.

inurl:q= | inurl:s= | inurl:search= | inurl:query= | inurl:keyword= | inurl:lang= | inurl:term= | inurl:name= inurl:& site:example.com

SQL Injection-Prone Parameters

High
Parameters A05

Database identifier parameters used in WHERE clauses. High SQLi likelihood if the application doesn't use parameterized queries.

inurl:id= | inurl:pid= | inurl:category= | inurl:cat= | inurl:action= | inurl:sid= | inurl:num= | inurl:order= | inurl:itemid= inurl:& site:example.com

SSRF-Prone Parameters

High
Parameters A05

Parameters accepting URLs — prime SSRF targets. Can reach cloud metadata (169.254.169.254), internal services, and AWS IMDSv1.

inurl:url= | inurl:path= | inurl:dest= | inurl:html= | inurl:data= | inurl:domain= | inurl:feed= | inurl:host= | inurl:webhook= | inurl:uri= site:example.com

LFI-Prone Parameters

High
Parameters A05

File path parameters. Local File Inclusion can read /etc/passwd, /proc/self/environ, and chain to RCE via log poisoning.

inurl:include= | inurl:file= | inurl:folder= | inurl:inc= | inurl:locate= | inurl:doc= | inurl:conf= | inurl:template= | inurl:page= inurl:& site:example.com

RCE-Prone Parameters

Critical
Parameters A05

Parameters with execution semantics. If any reach a shell or eval(), it's Remote Code Execution — always a critical finding.

inurl:cmd= | inurl:exec= | inurl:code= | inurl:do= | inurl:run= | inurl:read= | inurl:ping= | inurl:command= | inurl:execute= inurl:& site:example.com

Open Redirect Parameters

Medium
Parameters A01

Open redirects enable phishing with a trusted domain URL and OAuth token theft when used in auth redirect_uri parameters.

inurl:url= | inurl:return= | inurl:next= | inurl:redirect= | inurl:redir= | inurl:ret= | inurl:to= | inurl:goto= | inurl:link= inurl:http site:example.com

IDOR-Prone Parameters

High
Parameters A01

Direct object reference parameters. Increment/change numeric or GUID values to access other users' data (IDOR).

inurl:user_id= | inurl:account= | inurl:uid= | inurl:userid= | inurl:profile= | inurl:member= | inurl:account_id= | inurl:order_id= site:example.com

Mass Assignment Parameters

High
Parameters A06

Registration and update endpoints accepting privilege-related parameters. Mass assignment allows any user to set role=admin or isAdmin=true if the server binds request params directly to the model.

inurl:register | inurl:update | inurl:edit | inurl:create inurl:role= | inurl:isAdmin= | inurl:admin= | inurl:is_admin= | inurl:permission= site:example.com

Business Logic — Price / Quantity Parameters

Medium
Parameters A06

Pricing and quantity parameters passed client-side. Insecure design allows setting price=0, negative quantities, or stacking unlimited discounts when the server trusts the submitted value.

inurl:price= | inurl:amount= | inurl:qty= | inurl:quantity= | inurl:total= | inurl:discount= | inurl:coupon= | inurl:fee= inurl:& site:example.com

Rate-Limit Probe — OTP / Login / Reset

Medium
Parameters A06 A07

Endpoints for OTP, token verification, and code submission that may lack rate limiting. Missing brute-force protection on these is an insecure-design finding, not just an auth bug.

site:example.com inurl:verify | inurl:otp | inurl:token | inurl:code inurl:& inurl:attempt | inurl:retry | inurl:resend

XXE / XML Endpoints

High
Parameters A05

XML-consuming endpoints. XXE injection can read server files, trigger SSRF, or in some parsers lead to DoS.

site:example.com filetype:xml | inurl:.xml? | inurl:xml | inurl:soap | inurl:wsdl

REST API Versioned Endpoints

Medium
API A02

Maps versioned REST endpoints. Older API versions (v1, v2) often lack security controls present in newer versions.

site:example.com inurl:/api/ | inurl:/rest/ | inurl:/v1/ | inurl:/v2/ | inurl:/v3/ | inurl:/api/v1 | inurl:/api/v2

GraphQL Endpoints

High
API A01 A02

GraphQL with introspection enabled exposes the full schema. Misconfigured resolvers enable IDOR, mass assignment, and auth bypass.

site:example.com inurl:/graphql | inurl:/graphiql | inurl:/playground | intitle:"GraphQL Playground" | intitle:"GraphiQL"

API Docs (Swagger / OpenAPI / Redoc)

Medium
API A02

API docs reveal all endpoints, parameters, auth schemes, and response models — a complete attack surface map.

site:example.com inurl:swagger | inurl:api-docs | inurl:apidocs | inurl:redoc | inurl:openapi | intitle:"Swagger UI" | intitle:"API Reference"

WSDL / SOAP Web Services

Medium
API A02

WSDL exposes SOAP service definitions. SOAP endpoints are often legacy code with minimal security review or testing.

site:example.com filetype:wsdl | inurl:?wsdl | inurl:?WSDL | inurl:asmx | inurl:.asmx?

Postman Collections / Environment Files

High
API A04

Postman collections often contain hardcoded API keys, auth tokens, and internal endpoint documentation.

site:example.com | site:github.com "postman_collection" | "postman_environment" "example.com"

AWS S3 Buckets

High
Cloud A01 A02

Finds S3 buckets referencing the target. Public buckets lead to data exposure; misconfigured write ACLs enable file upload.

site:s3.amazonaws.com "example.com"

AWS S3 (Alt Endpoints)

High
Cloud A01 A02

Alternative S3 regional and dual-stack endpoints that may host public buckets referencing the target.

site:s3-external-1.amazonaws.com | site:s3.dualstack.us-east-1.amazonaws.com "example.com"

Azure Blob Storage

High
Cloud A01 A02

Azure Blob containers with public access expose stored files — backups, exports, user uploads, and build artifacts.

site:blob.core.windows.net "example.com"

Google Cloud Storage

High
Cloud A01 A02

GCP Cloud Storage buckets with public access. These often contain application data, ML training sets, or user uploads.

site:storage.googleapis.com "example.com"

Firebase / Firestore

High
Cloud A02

Firebase Realtime Database and Firestore. Misconfigured security rules allow unauthenticated read/write of all data.

site:firebaseio.com "example.com" | site:firebaseapp.com "example.com"

Google Drive / Docs (Public)

Medium
Cloud A01

Publicly shared Google Drive files or Docs referencing the target — often contain internal documentation or data.

site:drive.google.com "example.com" | site:docs.google.com "example.com"

DigitalOcean Spaces

High
Cloud A01 A02

DigitalOcean Spaces (S3-compatible) with public access expose all stored objects including backups and uploads.

site:digitaloceanspaces.com "example.com"

JFrog Artifactory

High
Cloud A03

JFrog instances may expose internal packages, build artifacts, and deployment credentials in artifact metadata.

site:jfrog.io "example.com"

Elasticsearch / Kibana Exposed

Critical
Cloud A01 A02

Unauthenticated Elasticsearch allows full read/write of all indexed data. A classic mass data breach source — often contains logs with PII.

site:example.com inurl:/_search | inurl:/_cat/indices | inurl:/_cluster/health | intitle:"Kibana" inurl:app/kibana

Azure DevOps / SharePoint

Medium
Cloud A03

Azure DevOps repos or SharePoint sites may expose source code, credentials, or internal documentation.

site:dev.azure.com "example.com" | site:sharepoint.com "example.com"

Stack Traces & Server Errors

Medium
Server A02 A10

Stack traces reveal internal file paths, framework versions, and sometimes database details — useful for tailoring injection attacks.

inurl:"error" | intitle:"exception" | intitle:"failure" | "database error" | "SQL syntax" | "undefined index" | "unhandled exception" | "stack trace" site:example.com

Symfony Debug / Profiler

Critical
Server A02 A10

Symfony debug toolbar exposes full request details, environment variables (including database passwords), and session data.

site:example.com inurl:/_profiler | inurl:/_wdt | intitle:"Symfony Profiler"

Laravel Debug Mode / Telescope

Critical
Server A02 A10

Laravel APP_DEBUG=true shows .env variables in error pages. Telescope exposes all HTTP requests, queries, and job payloads.

site:example.com intitle:"Whoops!" "laravel" | inurl:/telescope | "APP_DEBUG=true"

Spring Boot Actuator

Critical
Server A02 A04

/actuator/env dumps all environment variables including passwords and API keys. /heapdump is a full JVM heap dump often containing secrets.

site:example.com inurl:/actuator/env | inurl:/actuator/health | inurl:/actuator/beans | inurl:/actuator/heapdump

Runtime Exceptions Exposed to Users

Medium
Server A10

Runtime exceptions rendered in HTTP responses — Java NPEs, Python tracebacks, PHP fatals. Exposes internal class names, file paths, and line numbers. A10:2025 specifically targets these mishandled exceptional conditions.

site:example.com "NullPointerException" | "IndexOutOfBoundsException" | "Traceback (most recent call last)" | "Fatal error:" | "Division by zero" | "Unhandled promise rejection"

Fail-Open Auth Indicators

Critical
Server A10 A07

Pages suggesting fail-open behaviour — where an error condition grants access rather than denying it. A classic A10:2025 flaw: exception thrown → auth check skipped → access granted as guest/default user.

site:example.com inurl:error | inurl:exception "access granted" | "guest access" | "bypassed" | "anonymous" "welcome"

Log Aggregation Dashboards (Splunk / Graylog / ELK)

Critical
Server A09

Exposed log aggregation dashboards. Splunk, Graylog, and the ELK stack aggregate logs from all systems — an unauthenticated instance leaks credentials, session tokens, PII, and the full internal infrastructure map.

site:example.com intitle:"Splunk" | inurl:en-US/app/search | intitle:"Graylog" | inurl:graylog/search | inurl:kibana | inurl:logstash | inurl:fluentd

Exposed Audit / Access Logs

High
Server A09

Exposed audit trails and access logs that should be internal-only. These reveal user actions, admin operations, and sometimes authentication events with tokens.

site:example.com inurl:/audit | inurl:audit-log | inurl:access-log | inurl:activity-log | intitle:"audit trail" | "audit log"

Server Version Disclosure

Low
Server A02

Server version disclosure enables targeting specific CVEs. Always worth noting even if low-severity on its own.

site:example.com intitle:"Apache" | intitle:"nginx" | intitle:"IIS" | intitle:"Tomcat" "version"

WordPress Endpoints

Medium
CMS A01 A02

WordPress admin, REST API user enumeration, and uploads directory. /wp-json/wp/v2/users leaks all usernames.

site:example.com inurl:/wp-admin | inurl:/wp-login.php | inurl:/wp-json/wp/v2/users | inurl:/wp-content/uploads

WordPress admin-ajax.php

Medium
CMS A02

The WordPress AJAX handler processes many plugin actions, some accessible without authentication via nopriv hooks.

site:example.com inurl:/wp-admin/admin-ajax.php

Drupal Sites

Medium
CMS A02

Drupal login and node paths. Identify version to check for Drupalgeddon (CVE-2018-7600, SA-CORE-2019-003).

site:example.com "Powered by Drupal" | inurl:/node/ | inurl:?q=user/login | inurl:/user/register

Joomla Sites

Medium
CMS A01 A02

Joomla admin panel and component paths. Components are frequent SQLi and auth bypass targets.

site:example.com inurl:/administrator | inurl:option=com_ | "Joomla" | inurl:index.php?option=

Adobe Experience Manager (AEM)

High
CMS A02 A05

AEM has numerous known issues: SSRF via DAM, CRXDE Lite RCE, SlingPostServlet data exposure, and GQL endpoint IDOR.

site:example.com inurl:/content/dam | inurl:/jcr:content | inurl:/libs/granite | inurl:/crx/de | inurl:/bin/wcm | inurl:/content/usergenerated

Salesforce Communities / Experience Cloud

High
CMS A01 A02

Salesforce communities with misconfigured guest profiles expose CRM data: contacts, leads, opportunities, cases.

site:example.com inurl:force.com | site:*.force.com | site:*.salesforce.com inurl:/s/ | inurl:/apex/

Pastebin / Paste Site Leaks

High
Code Leaks A04

Paste sites frequently contain dumped credentials, API keys, and internal data shared accidentally or by malicious insiders.

site:pastebin.com | site:paste.ee | site:hastebin.com "example.com"

GitHub / Gist Code Leaks

High
Code Leaks A03 A04

GitHub search for target domain + secret keywords. Developers frequently commit credentials — and GitHub search is persistent even after deletion.

site:github.com | site:gist.github.com "example.com" password | secret | api_key | token | credential

GitLab Code Leaks

High
Code Leaks A03 A04

GitLab public repos and snippets referencing the target. Source code, CI configs, and hardcoded credentials are common finds.

site:gitlab.com "example.com"

Bitbucket Code Leaks

High
Code Leaks A03 A04

Bitbucket public repos referencing the target. Often associated with Atlassian-stack companies and Java/enterprise codebases with hardcoded credentials.

site:bitbucket.org "example.com"

JSFiddle / CodePen Leaks

Medium
Code Leaks A04

Code sharing sites where developers paste snippets with hardcoded endpoints, tokens, or internal API logic.

site:jsfiddle.net | site:codepen.io | site:codebeautify.org "example.com"

Trello / Notion Public Boards

Medium
Code Leaks A04

Public Trello boards and Notion pages often contain credentials, internal URLs, architecture diagrams, or employee PII.

site:trello.com | site:notion.so "example.com"

Disclosed Vulnerabilities (OpenBugBounty)

Info
Code Leaks

Shows publicly disclosed XSS and other vulnerabilities on the target. Use to understand existing attack surface before testing.

site:openbugbounty.org inurl:reports "example.com"

Bug Bounty / VDP Program Discovery

Info
No Domain

Discovers companies running bug bounty or VDP programs. Use this to expand your target list.

"submit vulnerability report" | "powered by bugcrowd" | "powered by hackerone" | "responsible disclosure program" | "vulnerability disclosure policy"

security.txt with Bounty

Info
No Domain

security.txt files that mention bounties. The RFC 9116 standard makes bug bounty program discovery systematic.

site:*/security.txt "bounty" | site:*/security.txt "hackerone" | site:*/security.txt "bugcrowd"