Conduct search engine discovery reconnaissance for information leakage
OWASP Web Security Testing Guide 4.2 > 1. Information Gathering > 1.1. Conduct search engine discovery reconnaissance for information leakage
| ID | Link to Hackinglife | Link to OWASP | Objectives |
|---|---|---|---|
| 1.1 | WSTG-INFO-01 | Conduct Search Engine Discovery Reconnaissance for Information Leakage | - Identify what sensitive design and configuration information of the application, system, or organization is exposed directly (on the organization's website) or indirectly (via third-party services). |
This is merely passive reconnaissance.
Use multiple search engines
- Baidu
- Bing
- binsearch.info
- Common Crawl
- DuckDuckGo
- Wayback Machine
- Startpage (Google-based results, but without Google's trackers and logs)
- Shodan
Use operators
Google Dorks
| Google Dorking Query | Expected results |
|---|---|
| intitle:"api" site:"example.com" | Finds all publicly available API-related content on a given hostname. Another useful example for API versions: inurl:"/api/v1" site:"example.com" |
| intitle:"json" site:"example.com" | Many APIs return JSON, so this can be a useful filter. |
| inurl:"/wp-json/wp/v2/users" | Finds all publicly available WordPress REST API user directories. |
| intitle:"index.of" intext:"api.txt" | Finds publicly available API key files. |
| inurl:"/api/v1" intext:"index of /" | Finds potentially interesting API directories. |
| intitle:"index of" api_key OR "api key" OR apiKey -pool | This is one of my favorite queries. It lists potentially exposed API keys. |
Use the cache: operator
Github
| GitHub Dorking Query | Expected results |
|---|---|
| applicationName api key | After getting results, filter by issue and you may find some API keys. It's common to leave API keys exposed when rebasing a git repo, for instance. |
| api_key | - |
| authorization_bearer | - |
| oauth | - |
| auth | - |
| authentication | - |
| client_secret | - |
| api_token | - |
| client_id | - |
| OTP | - |
| HOMEBREW_GITHUB_API_TOKEN | - |
| SF_USERNAME | - |
| HEROKU_API_KEY | - |
| JEKYLL_GITHUB_TOKEN | - |
| api.forecast.io | - |
| password | - |
| user_password | - |
| user_pass | - |
| passcode | - |
| secret | - |
| password hash | - |
| user auth | - |
| extension:json nasa | Results show files with the json extension, so they might be API related. |
| shodan_api_key | Results show Shodan API keys. |
| "authorization: Bearer" | This search reveals authorization tokens. |
| filename:swagger.json | Go to the Code tab and you will have the Swagger file. |
Shodan
| Shodan Dorking Query | Expected results |
|---|---|
| "content-type: application/json" | This content type is usually related to APIs. |
| "wp-json" | Useful if the target runs WordPress (exposed REST API). |
WaybackMachine with WayBackUrls
waybackurls retrieves the URLs that the Wayback Machine has archived for a domain, so that you can then search them for specific keywords. Installation:
Basic usage:
Dork for API endpoints discovery:
| Wayback Machine Dorking Query | Expected results |
|---|---|
| Path to an API | We are trying to see if there is a recorded history of the API. It may provide us with endpoints that used to exist but supposedly no longer do. |
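As an added example (not from these notes or from the waybackurls project), the script below does the same thing for your own domain: it takes the Wayback Machine CDX API's JSON output (`output=json&fl=original&collapse=urlkey`) and flags archived paths matching the dork patterns from the tables above, so you can check what API endpoints, Swagger files or key files are still archived after you thought they were gone. The sample rows, the category names and the `PATTERNS` set are mine; only `classify_urls` is used by the test, the live fetch is optional.

```python
import json
import re
from urllib.parse import urlparse
from urllib.request import urlopen

# Patterns mirroring the dorks above: versioned API paths, the WordPress REST
# user listing, Swagger/OpenAPI documents and files that commonly hold API keys.
PATTERNS = {
    "api-path": re.compile(r"/api/v\d+", re.I),
    "wp-json-users": re.compile(r"/wp-json/wp/v2/users", re.I),
    "swagger": re.compile(r"swagger\.json|openapi\.(json|ya?ml)", re.I),
    "key-file": re.compile(r"api[_-]?key|api\.txt", re.I),
}

def cdx_query_url(domain: str) -> str:
    """Build a Wayback CDX API query returning one archived URL per unique URL key."""
    return ("https://web.archive.org/cdx/search/cdx?url=" + domain +
            "/*&output=json&fl=original&collapse=urlkey")

def classify_urls(cdx_rows):
    """cdx_rows: CDX JSON output, where the first row is the header ['original'].
    Returns {category: sorted list of unique path+query strings that matched}."""
    hits = {name: set() for name in PATTERNS}
    for row in cdx_rows[1:]:                      # skip the header row
        parsed = urlparse(row[0])
        target = parsed.path + ("?" + parsed.query if parsed.query else "")
        for name, pattern in PATTERNS.items():
            if pattern.search(target):
                hits[name].add(target)
    return {name: sorted(paths) for name, paths in hits.items() if paths}

def fetch_and_classify(domain: str):
    """Live variant for your own domain (needs network access)."""
    with urlopen(cdx_query_url(domain), timeout=30) as resp:
        return classify_urls(json.load(resp))

# Constructed sample in CDX JSON shape; not real archive data.
SAMPLE_CDX = [
    ["original"],
    ["http://example.com/"],
    ["http://example.com/api/v1/users?page=2"],
    ["https://example.com/api/v1/users?page=3"],
    ["http://example.com/wp-json/wp/v2/users"],
    ["https://example.com/docs/swagger.json"],
    ["http://example.com/backup/api.txt"],
    ["http://example.com/about"],
]

if __name__ == "__main__":
    for category, paths in classify_urls(SAMPLE_CDX).items():
        print(category, paths)
```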