By N0aziXss | Security Researcher | HackerOne & BugCrowd Validated
Introduction: GitHub — The Goldmine of Exposed Secrets

In 2024, over 10 million API keys and credentials were exposed on GitHub repositories. As a security researcher, I've found that GitHub Dorking isn't just a skill — it's a superpower that reveals the hidden vulnerabilities of organizations worldwide.
Section 1: Understanding GitHub Dorking
What is GitHub Dorking?

GitHub Dorking involves using advanced search operators to find sensitive information accidentally exposed in public repositories. It's like being a digital archaeologist, uncovering secrets buried in code.
The Scale of the Problem
· 12% of all public repositories contain some form of sensitive data
· Average bounty for exposed credentials: $500-$5,000
· Top exposed items: API keys, database credentials, cloud service tokens
Section 2: Essential GitHub Search Operators
Core Search Syntax
# Basic operators
filename: # Search within specific files
extension: # Filter by file extension
path: # Search in specific paths
org: # Limit to organization
repo: # Search specific repository
# Advanced filters
pushed: # Based on last push date
created: # Repository creation date
language: # Programming language
Combination Operators
# Multiple conditions
filename:.env AND "API_KEY"
org:companyname extension:json "password"

Section 3: Critical GitHub Dorks for Security Research
Finding Configuration Files
# Environment variables
filename:.env "API_KEY"
filename:.env "DATABASE_URL"
filename:.env "SECRET_KEY"
# Configuration files
filename:config.json "password"
filename:settings.py "SECRET_KEY"
filename:application.properties "spring.datasource.password"
Hunting Exposed Credentials
# AWS credentials
"AWS_ACCESS_KEY_ID" AND "AWS_SECRET_ACCESS_KEY"
filename:.aws/credentials
"AKIA" extension:env
# Database connections
"mongodb://" "password"
"postgresql://" "username"
"mysql://" "root:@"
# API Keys and Tokens
"api_key" extension:json
"gh_token" OR "github_token"
"x-api-key" filename:.config
Corporate Secrets and Internal Data
# Company-specific secrets
org:targetcompany "internal"
filename:internal "confidential"
"proprietary" extension:md
# Financial information
"stripe_key" OR "stripe_secret"
"paypal_client_id" "paypal_secret"
"braintree" "merchant_id"

Section 4: Advanced Hunting Techniques
Temporal Analysis
# Recent exposures
pushed:>2024-01-01 filename:.env "password"
created:>2023-12-01 "API_KEY"
# Historical commits
"remove password" pushed:<2023-01-01
"fix security" created:2022-01-01..2022-12-31
Language-Specific Hunting
# Python projects
language:python "SECRET_KEY" filename:settings.py
language:python "os.environ.get" filename:.py
# JavaScript/Node.js
language:javascript "process.env" filename:.js
language:typescript "config.password" filename:.ts
# Java applications
language:java "getProperty.*password" filename:.java

Section 5: Real-World Case Studies

Case Study 1: Exposed AWS Root Keys
# Discovery Query:
filename:.env "AWS_ACCESS_KEY_ID" AND "AWS_SECRET_ACCESS_KEY"
# Impact:
- Full AWS account compromise
- 50+ EC2 instances accessible
- S3 buckets with customer data exposed
- Bounty: $2,500
Case Study 2: Database Credentials in Docker Configs
# Discovery Query:
filename:docker-compose.yml "MYSQL_ROOT_PASSWORD"
filename:docker-compose "DATABASE_URL"
# Impact:
- Production database access
- 100,000 user records exposed
- Payment information accessible
- Bounty: $3,000

Section 6: Automation Tools for Efficient Hunting
Recommended Tools
# GitLeaks
gitleaks detect --source=/path/to/repo --verbose
# TruffleHog
trufflehog filesystem /path/to/repo
# Repo-supervisor
npx repo-supervisor --repo https://github.com/user/repo
Custom Automation Script
#!/usr/bin/env python3
import os
import requests

def github_dork_search(query):
    # Read the token from the environment rather than hard-coding it in the script
    headers = {
        'Authorization': f"token {os.environ['GITHUB_TOKEN']}",
        'Accept': 'application/vnd.github+json',
    }
    # Pass the query as a parameter so requests URL-encodes it; terms are space-separated
    response = requests.get('https://api.github.com/search/code',
                            params={'q': query}, headers=headers)
    response.raise_for_status()  # surface auth failures and rate limiting instead of silently returning an error body
    return response.json()

# Example usage
results = github_dork_search('filename:.env API_KEY org:targetcompany')

Section 7: Responsible Disclosure Framework
Reporting Template
Subject: Security Report - Exposed Credentials on GitHub
## Summary
Discovered exposed [type of secret] in your GitHub repository.
## Details
- Repository: [URL]
- File: [filename]
- Exposed Data: [specific credentials]
- Risk Level: [High/Medium/Low]
## Impact Analysis
- [Potential consequences]
- [Recommended actions]
## Proof of Concept
[Code snippets or screenshots]
## Remediation Steps
1. Immediately rotate exposed credentials
2. Remove sensitive files from git history
3. Implement pre-commit hooks
Section 8: Defensive Measures for Developers
Prevention Strategies
# .gitignore essentials (glob patterns; a bare ".key" would only match a file literally named .key)
.env
*.key
*.pem
config/*.json
# Pre-commit hooks
#!/bin/bash
# Abort the commit if any staged path looks like an env or config file
if git diff --cached --name-only | grep -qE '\.env|config\.json'; then
    echo "Potential secrets in commit. Aborting."
    exit 1
fi

Detection and Monitoring
· Regular repository scanning
· GitHub security alerts
· Automated secret rotation
· Employee security training
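The pre-commit hook above only looks at file names, so a key pasted into an otherwise harmless source file still gets committed. The following hook is an added example, not code from the original post: it keeps the file-name check and adds a scan of the staged content, which is the earliest point at which "regular repository scanning" can run. The blocked-path and secret patterns (the `AKIA` prefix of AWS access key IDs, PEM private-key headers, and generic `password=`/`api_key:` assignments) are illustrative assumptions chosen for the example and are not an exhaustive catalogue; the `*pre-commit` name check assumes the script is installed as `.git/hooks/pre-commit`.

```shell
#!/bin/sh
# Added example pre-commit hook (not from the original post): refuses to commit
# secret-bearing file names or secret-looking content. Patterns are illustrative
# assumptions, not a complete list of secret formats.

# Paths that should never be committed: .env and variants such as .env.local,
# AWS credential files, private keys and PEM files.
BLOCKED_PATH_RE='(^|/)\.env(\.[A-Za-z0-9_-]+)?$|(^|/)\.aws/credentials$|\.pem$|\.key$'

# Content patterns: AWS access key IDs (AKIA + 16 chars), private key headers,
# and generic credential assignments such as password = "..." or api_key: ...
SECRET_CONTENT_RE="AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----|(password|secret|api_key|token)[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+_-]{8,}"

# Exit 0 when the path matches a blocked file name, 1 otherwise.
path_is_blocked() {
    printf '%s\n' "$1" | grep -Eq "$BLOCKED_PATH_RE"
}

# Read text on stdin and print matching lines with line numbers;
# exit 0 when a secret-looking value was found, 1 when nothing matched.
content_has_secret() {
    grep -Ein "$SECRET_CONTENT_RE"
}

# Scan every staged (added/copied/modified) file. Only added lines are scanned,
# so content already in history is not re-flagged on unrelated commits.
scan_staged() {
    status=0
    files=$(git diff --cached --name-only --diff-filter=ACM) || return 1
    old_ifs=$IFS
    IFS='
'
    for file in $files; do
        if path_is_blocked "$file"; then
            echo "BLOCKED: $file must not be committed (secret-bearing file name)" >&2
            status=1
            continue
        fi
        # '+' lines of the staged diff, minus the '+++' header, with the '+' stripped
        if git diff --cached -U0 -- "$file" | grep -E '^\+[^+]' | cut -c2- | content_has_secret >&2; then
            echo "BLOCKED: $file adds a secret-looking value (see lines above)" >&2
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Entry point: runs only when git invokes the file as .git/hooks/pre-commit
# (script name ends in "pre-commit"); sourcing it elsewhere leaves it inert.
case "$0" in
    *pre-commit)
        scan_staged || {
            echo "Commit aborted. Rotate the credential first, then remove it from the change." >&2
            exit 1
        }
        ;;
esac
```

Install it with `cp hook.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit`. Scanning only the added lines keeps the hook fast on large files and avoids blocking every later commit to a file that already carries a finding; a credential already in history still needs rotation and a history rewrite, which the hook cannot do for you.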
Section 9: Legal and Ethical Considerations

Rules of Engagement
· Only search public repositories
· Never access exposed systems
· Follow responsible disclosure
· Respect platform terms of service
Best Practices
· Report findings through proper channels
· Provide clear remediation steps
· Maintain professional communication
· Document everything for credibility
Section 10: The Future of GitHub Dorking

Emerging Trends
· AI-powered secret detection
· Real-time monitoring solutions
· Integration with SDLC
· Automated remediation workflows
Staying Ahead
· Continuous learning of new patterns
· Collaboration with developer communities
· Contribution to security tools
· Knowledge sharing with the community
Conclusion: The Power of Knowledge

GitHub Dorking represents both a significant risk and a tremendous opportunity. For organizations, it's a wake-up call to implement better security practices. For researchers, it's a legitimate method to improve internet security while earning bounties.
Key Takeaways:
· GitHub Dorking is a valuable skill for security professionals
· Responsible disclosure is crucial for ethical practice
· Automation can significantly enhance hunting efficiency
· Continuous education is essential in this evolving field
Final Thought: With great power comes great responsibility. Use these techniques to make the internet safer, not to cause harm.
Call to Action:
· Developers: Implement strict input validation
· Researchers: Always redact sensitive information in reports
· Organizations: Value ethical security research
About the Author
N0aziXss is an experienced security researcher specializing in web application security and bug bounty hunting, with multiple validated discoveries across various platforms.