Command-line tool to scan Google search results for vulnerabilities
Switch branches/tags
Nothing to show
Clone or download


Scan Google (or other) search results for vulnerabilities.

dorkbot is a modular command-line tool for performing vulnerability scans against sets of webpages returned by Google search queries or other supported sources. It is broken up into two sets of modules:

  • Indexers - modules that return a list of targets
  • Scanners - modules that perform a vulnerability scan against each target

Targets are stored in a local database file until they are scanned, at which point a standard JSON report is produced containing any vulnerabilities found. Indexing and scanning processes can be run separately or combined in a single command (up to one of each).


usage: [-h] [-c CONFIG] [-d DATABASE] [-f] [-i INDEXER] [-l]
                  [-o INDEXER_OPTIONS] [-p SCANNER_OPTIONS] [-s SCANNER]

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Configuration file
  -d DATABASE, --database DATABASE
                        SQLite3 database file or postgresql:// URI
  -f, --flush           Flush table of fingerprints of previously-scanned
  -i INDEXER, --indexer INDEXER
                        Indexer module to use
  -l, --list            List targets in database
                        Indexer-specific options (opt1=val1,opt2=val2,..)
                        Scanner-specific options (opt1=val1,opt2=val2,..)
  -s SCANNER, --scanner SCANNER
                        Scanner module to use


Python 2.7.x / 3.x (cross-platform) psycopg2 (if using PostgreSQL)


As needed, dorkbot will search for tools in the following order:

  • Directory specified via relevant module option
  • Located in dorkbot's tools directory, with the subdirectory named after the tool
  • Available in the user's PATH (e.g. installed system-wide)


Create a Google Custom Search Engine and note the search engine ID, e.g. 012345678901234567891:abc12defg3h. Download either Arachni or Wapiti, unpack it into the tools directory, and rename the subdirectory to arachni or wapiti as appropriate.

$ sudo apt install phantomjs
$ ./ -i google -o engine=012345678901234567891:abc12defg3h,query="filetype:php inurl:id"
$ ./ -s arachni
$ ./ -s wapiti

Indexer Modules


Search for targets in a Google Custom Search Engine (CSE) via custom search element.

Requirements: PhantomJS


  • engine - CSE id
  • query - search query
  • phantomjs_dir - phantomjs base directory containing bin/phantomjs (default: tools/phantomjs/)
  • domain - limit searches to specified domain


Search for targets in a Google Custom Search Engine (CSE) via JSON API.

Requirements: none


  • key - API key
  • engine - CSE id
  • query - search query
  • domain - limit searches to specified domain


Search for targets within results via



  • domain - pull all results for given domain or subdomain
  • cc_py_dir - base directory containing the file (default: tools/
  • year - limit results to data sets from given year (17 or 18, defaults to all)


Search for targets via Bing Web Search API.

Requirements: none


  • key - API key
  • query - search query


Read targets from standard input, one per line.

Requirements: none

Options: none

Scanner Modules

(general options)

These options are applicable regardless of module chosen

  • blacklist - file containing (regex) patterns to blacklist from scans (default: config/blacklist.txt)
  • report_dir - directory to save vulnerability report (default: reports/)
  • log - log file to append scan activity (default: prints to stdout)
  • label - friendly name field to include in vulnerability report
  • count - number of urls to scan, or -1 to scan all urls (default: -1)
  • random - scan urls in random order


Scan targets with Arachni command-line scanner.

Requirements: Arachni


  • arachni_dir - arachni base directory containing bin/arachni and bin/arachni_reporter (default: tools/arachni/)
  • checks - space-delimited list of vulnerability checks to perform (default: "active/*")
  • timeout - maximum scan time in hours:minutes:seconds (default: disabled)
  • single-thread - set browser pool and max concurrency to one each
  • throttle - maximum requests per second (default: disabled)


Scan targets with Wapiti command-line scanner.

Requirements: Wapiti


  • wapiti_dir - wapiti base directory containing bin/wapiti (default: tools/wapiti/)
  • modules - space-delimited list of modules to perform (default: "blindsql exec file permanentxss sql xss")