Github Dorking for sensitive information

I consider myself, in my infinite laziness, to be primarily an information disclosure-oriented hunter. This is, of course, subject to change, but due to work commitments and whatnot, this is what I am at this moment in time.

The most effective method of finding info disclosure bugs is arguably dorking. Google Dorking, DuckDuckGo dorking, Github dorking, Trello dorking... the list goes on. I wrote a tool for automating the DuckDuckGo dorking process, but the very strict rate limitations placed by DuckDuckGo have seriously hindered its efficiency. Anyhow, I'll get to the point.

Larger companies - that is, companies with a bigger scope and many sub-organisations under them - tend to have more repositories on Github. This is self-evident. It is safe to say that average employee stupidity is proportional to company size. The most efficient way to find repositories that are accidentally public is to dork for subdomains that are used for testing - for example, staging.example.com, dev.example.com, and so on. This usually reveals some repositories on users' personal profiles that belong to the company, if the company is big / stupid enough. Then, dorking for keywords like secret, token, pass, password within these repositories can reveal some really nice things.

As a case study (on a private program so I won't be naming any names) - I have found a .keystore file containing private keys, with the password for the keystore hardcoded in the repository. This was found by dorking for the company's internal development subdomain, then dorking for "password". I currently have a bug in triage in which the FTP password for one of the company's servers was hardcoded. Since the subdomain was external, I was able to use those credentials and, as a POC, upload a picture of a monkey. To find this, I dorked for the company's name until I found some internal-esque repositories, then dorked within them for secrets and passwords. I was able to uncover a set of database passwords in the same repository.
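The defensive counterpart to the searches above is to catch the same patterns before they are pushed. This is an added example, not the author's tool or anything from the bugbountyhunters repository: a small scanner that flags the kinds of lines the post describes (credential-like identifiers assigned a literal, user:password in a connection URL, and staging/dev hostnames) while ignoring values fetched at runtime. The sample file and every value in it are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample file: the kinds of lines the post describes turning up
# in accidentally public repositories. All values are placeholders.
SAMPLE_SOURCE = """\
FTP_HOST = "ftp.example.com"
FTP_PASSWORD = "placeholder-not-a-real-password"
keystore_password=placeholder-keystore-pw
api_token = os.environ.get("API_TOKEN")
DB_URL = "postgres://app:placeholder-db-pw@staging.example.com/app"
# the password is read from the vault at runtime
"""

KEYWORDS = ("secret", "token", "password", "pass")
# An identifier containing one of the keywords, assigned a literal value.
ASSIGN = re.compile(
    r'^\s*([\w.]*(?:' + '|'.join(KEYWORDS) + r')[\w.]*)\s*[=:]\s*["\']?([^"\'\s#]+)',
    re.IGNORECASE)
# user:password@host embedded in a connection URL.
URL_CRED = re.compile(r'://[^/\s:@]+:([^@\s]+)@')
# Testing / staging hostnames, the kind the post says lead hunters to a company's repos.
TEST_HOST = re.compile(r'\b(?:staging|dev|test|uat)\.[\w.-]+\.\w+\b', re.IGNORECASE)
# Lines that fetch the value at runtime rather than hardcoding it are acceptable.
RUNTIME_READ = re.compile(r'os\.environ|getenv|process\.env|vault', re.IGNORECASE)

Finding = Tuple[int, str, str]  # (line number, what was matched, matched value)


def scan(text: str) -> List[Finding]:
    """Return one finding per suspicious pattern, in file order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if RUNTIME_READ.search(line):
            continue  # value comes from the environment or a vault, not the repo
        m = URL_CRED.search(line)
        if m:
            findings.append((lineno, "credential embedded in URL", m.group(1)))
        m = ASSIGN.search(line)
        if m:
            findings.append((lineno, "hardcoded value in " + m.group(1), m.group(2)))
        m = TEST_HOST.search(line)
        if m:
            findings.append((lineno, "internal/test hostname", m.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {value}")
```

Run it as a pre-commit hook over staged files; a non-empty result on lines 2, 3 and 5 of the sample is exactly what a dork for "password" or the staging subdomain would have surfaced after the push.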

Dorking on various platforms is a very efficient way of either 1) securing an easy low or potentially critical bug or 2) gathering information about a company and its employees. It is likely that there are more services out there that are dorkable, that we just don't know about. Not only that, but dorking is difficult to automate, as much of the process involves human judgement. Not that I haven't tried.

To see the Bounty Hunters Discord Server's Github repository, visit https://github.com/bugbountyhunters. We are currently working on expanding our range of tools.

To join the Bounty Hunters Discord Server, visit https://discord.gg/bugbounty.
