🧑‍💻 My Experience

When I first started bug hunting, I underestimated GitHub recon. I thought: "It's just code, right?" — until I found a .env file with live DB credentials exposed.

That one discovery changed my perspective. GitHub isn't just for developers — it's an open goldmine of API keys, tokens, secrets, and even .git repos.

Since then, I've built a strong workflow combining manual dorks, automation tools, and validation techniques that helped me find high-impact bugs and account takeovers.

This is the exact playbook I use.


🎯 Step 1: Understand the Attack Surface

Why GitHub matters for recon:

  • Developers push code, configs, and credentials by mistake.
  • Third-party vendors store company-related code.
  • CI/CD pipelines leak secrets.
  • Exposed .git/ directories can be dumped.

Impact = API keys, DB creds, Slack tokens, AWS access → Direct account takeover or critical infra compromise.

🗂 Step 2: GitHub Dorking (Sensitive Data Exposure)

With the right GitHub search operators (a.k.a. dorks), you can uncover exposed secrets fast. Below are practical examples using target.com as the target.

๐Ÿ” GitHub Search Dorks

API Keys & Credentials

filename:.env "target.com" DB_PASSWORD
filename:config.json "target.com" AWS_ACCESS_KEY_ID
filename:settings.py "target.com" SECRET_KEY
"target.com" api_key
"target.com" auth_token
"target.com" access_token
"target.com" client_secret

Database Connection Strings

filename:.env "target.com" MYSQL_PASSWORD
filename:database.yml "target.com" production
filename:wp-config.php "target.com" DB_PASSWORD
"target.com" database
"target.com" mongodb
"target.com" postgres

Cloud & Infrastructure

"target.com" filename:.dockercfg
"target.com" filename:id_rsa
"target.com" "BEGIN RSA PRIVATE KEY"
"target.com" filename:.pem
"target.com" aws_secret_access_key
"target.com" google_api_key

Generic Sensitive Keywords

"target.com" password
"target.com" pwd
"target.com" passwd
"target.com" secret
"target.com" config
"target.com" token
"target.com" bearer

Organization-wide

org:teslamotors password
org:teslamotors api_key
org:teslamotors secret

👉 Add filters to reduce noise:

"tesla.com" password NOT test NOT example
"tesla.com" api_key NOT test NOT example

๐Ÿ— Keyword Lists (must use)

Leverage curated keyword lists to expand your recon:

👨‍💻 Manual Recon Examples

Search directly on GitHub:

"target.com" "dev"
"dev.target.com"
"api.target.com"
"target.com" password
"target.com" api_key

Remove noise:

"target.com" password NOT test NOT example

🤖 Step 3: Automate Recon

GitDorker

git clone https://github.com/obheda12/GitDorker.git
cd GitDorker
pip3 install -r requirements.txt

python3 GitDorker.py -d Dorks/medium.txt -tf Tokens/TOKENSFILE -q tesla.com -lb

GitGraber

git clone https://github.com/hisxo/gitGraber.git
cd gitGraber
pip3 install -r requirements.txt
chmod +x gitGraber.py
python3 gitGraber.py -k wordlists/keywords.txt -q "tesla.com"

Trufflehog

trufflehog github --org=teslamotors --only-verified --token=<github_token>

🗂 Step 4: Hunting Exposed .git Repositories

Exposed .git directories are a high-impact bug — they can leak the entire source code history, including deleted secrets, API keys, and configs.

1๏ธโƒฃ Scan for Exposures with Nuclei

Nuclei already has templates for .git exposures. Run across multiple domains:

cat domains.txt | nuclei -t /home/samael/nt/gitExposed.yaml

⚡ This quickly detects .git folders that are publicly accessible.

2๏ธโƒฃ Use DOTGit Browser Extension

If you prefer a browser-based check:

  • Install the DOTGit extension.
  • It automatically checks if a .git/ path is accessible when visiting sites.
  • If found, it allows you to download the entire repo for inspection.

3๏ธโƒฃ Automate with HTTPX

Quick one-liner to detect .git exposures across targets:

cat domains.txt | httpx-toolkit -sc -server -cl -path "/.git/" -mc 200 -location -ms "Index of" -probe

👉 This quickly identifies .git directories with status 200 OK.

4๏ธโƒฃ Dump the Repository

Once .git is exposed, you can dump the full repo:

Option A — Bash GitDumper (slower, but thorough):

./gitdumper.sh https://moarvm.org/.git yourdir

Option B — Python Git-Dumper (faster):

git-dumper https://moarvm.org/.git yourdir

5๏ธโƒฃ Inspect the Dumped Repo

Navigate to the dumped repo:

cd yourdir
git status
tree

  • git status → shows even deleted files.
  • tree → reveals full structure → look for sensitive files (.env, config.json, wp-config.php, id_rsa).

โš ๏ธ Pro Note: 403 Forbidden Doesn't Mean Safe

If a site returns 403 Forbidden on /git/, don't assume it's blocked. Often the restriction applies only to the .git root path, not the internal files.

๐Ÿ‘‰ Try dumping anyway โ€” tools can still retrieve the repo.
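The root-only 403 described in the Pro Note is easy to verify on a host you administer: probe the internal files, not just the directory listing, and only count a 200 as an exposure when the body actually looks like a git file. The script below is an added self-audit example, not code from the original post or from Nuclei/httpx; the probe paths, the content checks and the two response tables are constructed for illustration, and http_fetcher takes a hypothetical base URL of your own host.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Paths a deny rule has to cover. A rule that only blocks the listing at
# /.git/ leaves these files readable, which is the case the Pro Note
# describes. (Path list constructed for this example.)
GIT_PROBE_PATHS = ("/.git/", "/.git/HEAD", "/.git/config", "/.git/index")

# A fetcher maps a request path to (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, bytes]]


def looks_like_git_content(path: str, body: bytes) -> bool:
    """True when the body is what a real .git file contains, so a custom
    200 error page is not mistaken for an exposure."""
    if path.endswith("/HEAD"):
        return body.startswith(b"ref: refs/") or re.fullmatch(rb"[0-9a-f]{40}\s*", body) is not None
    if path.endswith("/config"):
        return b"[core]" in body
    if path.endswith("/index"):
        return body.startswith(b"DIRC")  # git index file signature
    if path.endswith("/.git/"):
        return b"Index of" in body  # autoindex directory listing
    return False


def assess_git_exposure(fetch: Fetcher) -> Dict[str, object]:
    """Probe the listing and the internal files; report whether the deny
    rule is complete, covers only the root, or is absent."""
    results: Dict[str, Tuple[int, bool]] = {}
    for path in GIT_PROBE_PATHS:
        status, body = fetch(path)
        results[path] = (status, status == 200 and looks_like_git_content(path, body))
    exposed: List[str] = [p for p, (_, hit) in results.items() if hit]
    root_status = results["/.git/"][0]
    return {
        "verdict": "exposed" if exposed else "blocked",
        # True when /.git/ itself is denied but internal files still leak.
        "root_only_block": root_status != 200 and bool(exposed),
        "exposed_paths": exposed,
        "results": results,
    }


def http_fetcher(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Live fetcher for a host you administer (base_url is hypothetical)."""
    def fetch(path: str) -> Tuple[int, bytes]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "git-exposure-self-audit"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read(4096)
        except urllib.error.HTTPError as err:
            return err.code, b""
        except urllib.error.URLError:
            return 0, b""
    return fetch


# Constructed response tables: the misconfiguration from the Pro Note
# (root denied, internal files served) and a correct deny on the prefix.
ROOT_ONLY_BLOCK = {
    "/.git/": (403, b"<html>Forbidden</html>"),
    "/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "/.git/index": (200, b"DIRC\x00\x00\x00\x02"),
}
FULL_BLOCK = {p: (403, b"<html>Forbidden</html>") for p in GIT_PROBE_PATHS}


def fake_fetcher(table: Dict[str, Tuple[int, bytes]]) -> Fetcher:
    """Offline fetcher backed by one of the constructed tables."""
    return lambda path: table.get(path, (404, b""))


if __name__ == "__main__":
    import sys
    fetcher = http_fetcher(sys.argv[1]) if len(sys.argv) > 1 else fake_fetcher(ROOT_ONLY_BLOCK)
    report = assess_git_exposure(fetcher)
    print(report["verdict"], "root-only block:", report["root_only_block"], report["exposed_paths"])
```

Run without arguments it uses the root-only table and reports exposed with root_only_block set, which is exactly the 403-on-/.git/ case. The fix on the server side is a rule that denies the whole /.git prefix rather than the directory alone (for nginx, `location ~ /\.git { deny all; }`); after that change the same probes come back as blocked.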

✅ Step 5: Validate Secrets

Never report blindly. Validate first.

  • Use KeyHacks to check if keys are alive.
  • Test AWS keys, Slack tokens, Google API keys.
  • Many creds are hidden in base64 → decode them first:

echo "c2VjcmV0X2tleT1hbHBoYTEyMw==" | base64 -d

👉 Boom. A working secret is impact.
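The keyword list behind the Step 2 dorks and the base64 tip above are the same signals a team can check before a commit ever reaches GitHub. The pre-commit style scanner below is an added example, not code from the original post or from any tool it names: it flags the key/value names the dorks search for, drops placeholder values the way NOT test NOT example does, and decodes base64 runs and rescans them. Its regexes, the placeholder filter and the sample file are constructed for illustration; the AWS key id is the documentation sample value, not a live key.

```python
import base64
import re
from typing import List, Tuple

# Credential shapes the dorks search for, as a pre-commit scanner would
# look for them. Regexes constructed for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    # key = value pairs for the keyword list used in the dorks
    "generic_assignment": re.compile(
        r"(?i)\b(?:db_password|mysql_password|secret_key|api_key|apikey|auth_token|"
        r"access_token|client_secret|aws_secret_access_key|google_api_key|"
        r"password|passwd|pwd|secret|token|bearer)\b\s*[:=]\s*['\"]?([^'\"\s#]{8,})"
    ),
}

# Values that are clearly not live credentials; mirrors the
# "NOT test NOT example" filter on the dorks.
PLACEHOLDER = re.compile(
    r"(?i)^(?:.*(?:test|example|changeme|placeholder).*|x{3,}|<[^>]+>|\$\{[^}]+\}|\$\w+)$"
)

# Base64-looking runs, decoded and rescanned (the Step 5 decode tip).
BASE64_RUN = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")

Finding = Tuple[int, str, str]  # (line number, kind, matched value)


def _scan_line(text: str, lineno: int, rescan_base64: bool = True) -> List[Finding]:
    findings: List[Finding] = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_assignment" and PLACEHOLDER.match(value):
                continue  # skip test/example/template values
            findings.append((lineno, kind, value))
    if rescan_base64:
        for m in BASE64_RUN.finditer(text):
            try:
                decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64, or not text once decoded
            if not decoded.isprintable():
                continue
            for _, kind, value in _scan_line(decoded, lineno, rescan_base64=False):
                findings.append((lineno, "base64:" + kind, value))
    return findings


def scan_text(text: str) -> List[Finding]:
    """Scan a file's contents line by line and return every finding."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(_scan_line(line, lineno))
    return findings


# Constructed sample .env; no value here is a real credential. The AWS
# key id is the sample value from the AWS documentation.
SAMPLE_ENV = """\
# constructed sample file; none of these values are real credentials
DB_HOST=db.internal.example
DB_PASSWORD=changeme
DB_PASSWORD=Sup3r$ecretPass
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SECRET_KEY=${SECRET_KEY}
# old: API_KEY=k3y-0123456789abcdef
AUTH_BLOB=c2VjcmV0X2tleT1hbHBoYTEyMw==
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_ENV):
        print(f"line {lineno}: {kind} -> {value}")
```

On the sample it reports the real-looking DB password, the AWS key id, the commented-out API key, the secret hidden inside the base64 blob (decoded to secret_key=alpha123) and the private key header, while the changeme value and the ${SECRET_KEY} template reference are ignored. Wired into a pre-commit hook, the same scan stops the leak before any dork can find it.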

💡 Bonus Tips (Pro Hunter Moves)

  • Always use NOT test NOT example to filter noise.
  • Try keyword variations: pwd, passwd, secret, auth, apikey.
  • Check for commented-out creds in code.
  • If you find API keys → try them against endpoints → sometimes it's 0-click account takeover.
  • Automate GitHub recon in your recon pipeline with GitDorker + Trufflehog.
  • Keep hunting .git directories with Nuclei and httpx.

โš ๏ธ Disclaimer

This guide is for educational and bug bounty purposes only. Do not misuse these techniques. The author (samael_0x4) is not responsible for illegal activity. Always hunt ethically and within program scope.

GitHub recon is one of the most underrated but high-impact skills in bug bounty hunting. From a single leaked API key to a dumped .git repo, the attack surface is massive.

Remember the workflow:

  • Dork smart (Step 2)
  • Automate scans (Step 3)
  • Dump & analyze repos (Step 4)
  • Validate secrets (Step 5)

One valid key can turn into critical impact + bounty.

⚡ Published by: samael_0x4 Hack smart. Hack ethical.