Here are powerful Google dorks for bug bounty hunting,

organized by vulnerability type:

Imran Niaz

~2 min read · April 29, 2026 (Updated: April 29, 2026) · Free: Yes

organized by vulnerability type:

Authentication & Login Issues

site:target.com inurl:login | inurl:signin | inurl:auth
site:target.com inurl:admin | inurl:dashboard | inurl:panel
site:target.com intitle:"admin" inurl:"/admin"

Exposed Files & Directories

site:target.com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env
site:target.com ext:sql | ext:db | ext:backup | ext:bak | ext:old
site:target.com inurl:"/backup" | inurl:"/dump" | inurl:"/old"
site:target.com ext:php intitle:"phpinfo()"

Sensitive Config & Credentials

site:target.com ext:env "DB_PASSWORD" | "AWS_SECRET" | "API_KEY"
site:target.com inurl:.git | inurl:".git/config"
site:target.com ext:xml | ext:json inurl:config | inurl:settings
site:target.com "index of" inurl:"/config"

Open Redirects & URL Params

site:target.com inurl:redirect= | inurl:url= | inurl:next= | inurl:return=
site:target.com inurl:returnUrl= | inurl:goto= | inurl:dest=

Potential Injection Points

site:target.com inurl:id= | inurl:pid= | inurl:item= | inurl:page=
site:target.com inurl:search= | inurl:query= | inurl:keyword=
site:target.com inurl:file= | inurl:path= | inurl:folder=
site:target.com inurl:load= | inurl:read= | inurl:display=

Exposed API Endpoints

site:target.com inurl:/api/ | inurl:/v1/ | inurl:/v2/ | inurl:/v3/
site:target.com inurl:/api/swagger | inurl:/api-docs | inurl:/openapi
site:target.com ext:json inurl:api | inurl:swagger

Directory Listing & Index Pages

site:target.com intitle:"index of /"
site:target.com intitle:"index of" "parent directory"
site:target.com intitle:"directory listing"

Error Messages & Stack Traces

site:target.com intitle:"error" | intitle:"exception" | intitle:"warning"
site:target.com "sql syntax" | "mysql error" | "ORA-" | "syntax error"
site:target.com intext:"stack trace" | intext:"debug info"

Misconfigured Cloud Storage

site:s3.amazonaws.com "target"
site:blob.core.windows.net "target"
site:storage.googleapis.com "target"

JS Files for Endpoints & Keys

site:target.com ext:js inurl:main | inurl:app | inurl:bundle
site:target.com ext:js "apiKey" | "api_key" | "token" | "secret"

Subdomains & Dev/Staging Environments

site:*.target.com inurl:dev | inurl:staging | inurl:test | inurl:uat
site:*.target.com inurl:demo | inurl:beta | inurl:sandbox

Pro Tips

Tip Example Combine operators site:target.com ext:env -ext:php Exclude false positives site:target.com inurl:id= -inurl:help Find bug bounty scopes `"responsible disclosure" Use * wildcard site:*.target.com for all subdomains

Legal reminder: Only test on domains explicitly listed in the program's scope. Unauthorized testing is illegal. Always follow the rules of the bug bounty program (HackerOne, Bugcrowd, etc.).

#bug-bounty

< Go to the original

Here are powerful Google dorks for bug bounty hunting,

organized by vulnerability type:

organized by vulnerability type:

Authentication & Login Issues

Exposed Files & Directories

Sensitive Config & Credentials

Open Redirects & URL Params

Potential Injection Points

Exposed API Endpoints

Directory Listing & Index Pages

Error Messages & Stack Traces

Misconfigured Cloud Storage

JS Files for Endpoints & Keys

Subdomains & Dev/Staging Environments

Pro Tips

Reporting a Problem