⚠️ Disclaimer: The tools and techniques discussed in this blog are meant only for educational, ethical OSINT & vulnerability research purposes. The author is not responsible for any misuse!

New to urlscan dorking? Start from the beginning 👇

🌐 Site: urlscan[.]io

1️⃣ Finding endpoints based on MIME TYPE

  • Might lead to PII leaks; fuzz these endpoints with good wordlists
domain:example.com AND page.mimeType:"application/json"

Choosing good wordlists (Assetnote)

wordlists.assetnote.io

No results? Then use cewl to build a customized wordlist.

2️⃣ PDF Files

  • Might lead to exposed internal docs
page.mimeType:"application/pdf" AND domain:example.com

Not all available files are indexed. From the results we learn which subdomains need deeper recon.

3️⃣ ZIP Files

  • Might lead to source code or backup files disclosure

4️⃣ Reverse DNS Recon

page.ptr:domain.com

Now look up the resulting IP on Shodan at https://shodan.io/host/<ipv4>

This can help find untouched endpoints in big organizations and companies that have their own IP network (subnet/range) rather than borrowing address space from cloud providers.

Never forget vhost discovery 🤘

shodan.io

5️⃣ Filename Search Operator

filename:setup-config.php
filename:phpinfo.php
filename:debug.php
filename:install.php
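
For defenders running these same searches against a domain they own, the results can be triaged by category and by host to see what is already indexed. This is an added example, not code from the original post; the response shape (results[].page.url and page.mimeType), the application/zip category and the function names are assumptions, and the sample data is constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Categories mirror the searches in this post; application/zip is assumed for section 3.
MIME_CATEGORIES = {
    "application/json": "json-endpoint",
    "application/pdf": "pdf-document",
    "application/zip": "zip-archive",
}
RISKY_FILENAMES = {"setup-config.php", "phpinfo.php", "debug.php", "install.php"}

def in_scope(host, own_domain):
    """True for own_domain and its subdomains only (not look-alikes such as notexample.com)."""
    host, own_domain = host.lower().rstrip("."), own_domain.lower()
    return host == own_domain or host.endswith("." + own_domain)

def triage(results, own_domain):
    """Group indexed URLs for own_domain by exposure category, and count hits per host."""
    findings, per_host = defaultdict(set), defaultdict(int)
    for item in results:
        page = item.get("page") or {}
        parts = urlsplit(page.get("url", ""))
        host = parts.hostname or ""
        if not in_scope(host, own_domain):
            continue
        # Drop parameters such as "; charset=utf-8" before matching the MIME type.
        mime = (page.get("mimeType") or "").split(";")[0].strip().lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        labels = [MIME_CATEGORIES[mime]] if mime in MIME_CATEGORIES else []
        if filename in RISKY_FILENAMES:
            labels.append("setup-or-debug-script")
        for label in labels:
            findings[label].add(page["url"])
        if labels:
            per_host[host] += 1
    return {k: sorted(v) for k, v in findings.items()}, dict(per_host)

# Constructed sample in the assumed shape of a urlscan search response (not real data).
SAMPLE = json.loads("""{"results": [
 {"page": {"url": "https://api.example.com/v1/users?id=7", "mimeType": "application/json; charset=utf-8"}},
 {"page": {"url": "https://docs.example.com/files/handbook.pdf", "mimeType": "application/pdf"}},
 {"page": {"url": "https://blog.example.com/wp-admin/setup-config.php", "mimeType": "text/html"}},
 {"page": {"url": "https://notexample.com/export.zip", "mimeType": "application/zip"}},
 {"page": {"url": "https://www.example.com/", "mimeType": "text/html"}},
 {"task": {"url": "https://example.com/no-page-object"}}
]}""")

if __name__ == "__main__":
    findings, per_host = triage(SAMPLE["results"], "example.com")
    print(json.dumps({"findings": findings, "per_host": per_host}, indent=2))
```

The per-host counts show which of your subdomains has the most indexed exposure and should be reviewed first.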