ACADEMY_DB

KNOWLEDGE BASE FOR SECURITY RESEARCHERS

Defensive Dorking: How to Audit Your Own Website

BLUE_TEAM_DEFENSE 2026.01.05 AUDIT_PROTOCOL

Most security breaches don't start with a complex zero-day exploit. They start with a simple configuration error that exposes sensitive data to the public internet. "Defensive Dorking" is the practice of using Google search operators to audit your own organization.

>> Why Audit Your Own Site?

Google is constantly crawling your website. If you accidentally upload a file containing passwords and leave it reachable for even 5 minutes, Google might index it. Even if you delete the file later, a copy could remain in Google's cache.

Step 1: Digital Footprint Analysis

The first step is to see everything Google knows about your domain. Use the site: operator without any other keywords.

RECON_QUERY_01 site:yourdomain.com

Scroll through the results. Do you see test pages? Subdomains you thought were private? Old marketing PDFs?

Step 2: Hunt for Sensitive Files

As a defender, you should regularly run the same queries an attacker would use. Check for documents that shouldn't be public:

  • Confidential Files: site:yourdomain.com filetype:pdf confidential
  • Exposed Spreadsheets: site:yourdomain.com filetype:xlsx password
  • Config Files: site:yourdomain.com filetype:env

Step 3: Removal Protocol

If you find a file that exposes sensitive data, deleting it from your server is not enough. You must follow this protocol:

  1. Delete the file from your server immediately.
  2. Verify it returns a 404 Not Found or 403 Forbidden error.
  3. Use the Google Search Console Removals Tool to request the immediate removal of the URL from search results.
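A small audit helper, added here as an example and not code from the article: it expands the Step 2 queries for a domain you own and checks Step 2 of the removal protocol, confirming that every flagged URL now answers 403 or 404 before you file the Search Console request. The function names, the `yourdomain.com` placeholder and the sample URLs are assumptions of this example.

```python
import urllib.error
import urllib.request
from urllib.parse import quote_plus

# The self-audit queries from the article, parameterised on your own domain.
AUDIT_QUERIES = {
    "footprint":    "site:{domain}",
    "confidential": "site:{domain} filetype:pdf confidential",
    "spreadsheets": "site:{domain} filetype:xlsx password",
    "config":       "site:{domain} filetype:env",
}

# Status codes that satisfy step 2 of the removal protocol.
REMOVED_CODES = {403, 404}


def build_queries(domain):
    """Return {name: (query_string, google_search_url)} for one domain."""
    result = {}
    for name, template in AUDIT_QUERIES.items():
        query = template.format(domain=domain)
        result[name] = (query, "https://www.google.com/search?q=" + quote_plus(query))
    return result


def http_status(url, timeout=10):
    """HEAD-request a URL on a host you own and return the final status code.
    urllib follows redirects, so a file that now bounces to a 200 landing page
    is reported as 200 (still indexable). None means no HTTP answer at all."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def verify_removed(urls, status_fn=http_status):
    """Classify each URL: removed=True only for 403/404.
    status_fn is injectable so the logic runs without the network."""
    return {url: {"status": status_fn(url), "removed": status_fn(url) in REMOVED_CODES}
            for url in urls}


def still_exposed(report):
    """URLs from verify_removed() that must be fixed before step 3 is worthwhile."""
    return sorted(url for url, entry in report.items() if not entry["removed"])


if __name__ == "__main__":
    for name, (query, link) in build_queries("yourdomain.com").items():
        print(f"{name:13} {query}\n{'':13} {link}")
    # Constructed sample findings; replace with the URLs your audit turned up.
    sample = ["https://yourdomain.com/old/config.env", "https://yourdomain.com/docs/q3.pdf"]
    print(still_exposed(verify_removed(sample)))
```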

>> Conclusion

Security is a continuous process. We recommend setting up Google Alerts for your own domain combined with keywords like "password" or "confidential" to be notified immediately if sensitive data gets indexed.