Defensive Dorking: How to Audit Your Own Website

Updated: January 5, 2026 • Blue Team Guide

Most security breaches don't start with a complex zero-day exploit. They start with a simple configuration error that exposes sensitive data to the public internet. "Defensive Dorking" is the practice of using Google search operators to audit your own organization.

Why Audit Your Own Site?

Google is constantly crawling your website. If you accidentally upload a file containing passwords for just 5 minutes, Google might index it. Even if you delete the file later, it could remain in Google's cache.

Step 1: Check Your Digital Footprint

The first step is to see everything Google knows about your domain. Use the site: operator without any other keywords.

site:yourdomain.com

Scroll through the results. Do you see test pages? Subdomains you thought were private? Old marketing PDFs?

Step 2: Hunt for Sensitive Files

As a defender, you should regularly run the same queries an attacker would use. Check for documents that shouldn't be public:

Step 3: How to Remove Content from Google

If you find a file that exposes sensitive data, deleting it from your server is not enough. You must:

  1. Delete the file from your server.
  2. Verify it returns a 404 Not Found or 403 Forbidden error.
  3. Use the Google Search Console Removals Tool to request the immediate removal of the URL from search results.
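One way to script the check in step 2 across many URLs before filing removal requests (an added example, not part of the original guide). The `example.com` URLs and their statuses are constructed sample data; redirects are deliberately not followed, so a deleted file that now bounces to a login page or homepage is flagged for review rather than counted as removed.

```python
import sys
import urllib.error
import urllib.request

ACCEPTED = {403, 404}  # the two responses step 2 treats as "removed"

# Constructed sample data (hypothetical URLs and statuses) for an offline run.
SAMPLE = {
    "https://example.com/backup/users.sql": 404,
    "https://example.com/old/passwords.txt": 200,    # file is still served
    "https://example.com/internal/report.pdf": 302,  # bounces to another page
    "https://example.com/admin/export.csv": 403,
    "https://example.com/staging/db.bak": None,      # no response at all
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it

def fetch_status(url, timeout=10):
    """Return the HTTP status for url, or None if no response was received."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        return err.code
    except (OSError, ValueError):  # DNS failure, refused, timeout, bad URL
        return None

def verdict(status):
    if status in ACCEPTED:
        return "gone"
    if status is None:
        return "unreachable"
    if 300 <= status < 400:
        return "redirect"
    return "not-removed"  # 200, 5xx, or anything else step 2 does not accept

def audit(urls, fetch=fetch_status):
    """Map each URL to a verdict; only 'gone' URLs are ready for step 3."""
    return {url: verdict(fetch(url)) for url in urls}

if __name__ == "__main__":
    urls = sys.argv[1:]
    report = audit(urls) if urls else audit(SAMPLE, fetch=SAMPLE.get)
    for url, result in report.items():
        print(f"{result:13} {url}")
    sys.exit(0 if all(r == "gone" for r in report.values()) else 1)
```

Run it with URLs as arguments to check live pages; a non-zero exit code means at least one URL is not yet ready for a removal request.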

Conclusion

Security is a continuous process. We recommend setting up Google Alerts for your own domain combined with keywords like "password" or "confidential" to be notified immediately if sensitive data gets indexed.