Dorker: Using Selenium to Circumvent Google's Anti-Bot Defenses for Security Research
Hook
Google blocks automated search queries within minutes, yet security researchers need to run hundreds of dorks to find exposed databases and vulnerable endpoints. Dorker's answer? Pretend to be a real browser—because you actually are one.
Context
Google dorking—using advanced search operators to find security vulnerabilities, exposed credentials, and misconfigured servers—has been a cornerstone of OSINT and bug bounty reconnaissance since the early 2000s. A dork like site:example.com filetype:sql "MySQL dump" can reveal database backups accidentally indexed by Google. The challenge isn't crafting dorks; it's automating them at scale.
Most dorking tools hit an immediate wall: Google's aggressive bot detection. Use the Custom Search API and you're rate-limited to 100 queries per day on the free tier. Scrape search results with requests or curl and you'll face CAPTCHAs within 10-20 queries. Google's anti-automation systems detect headless browsers, recognize patterns in user agents, and flag datacenter IP ranges. Dorker attempts to solve this through full browser automation with Selenium and Firefox, rendering JavaScript and mimicking human behavior to stay under the radar longer. It's slower and still not bulletproof, but for security researchers who need more than 100 queries without paying for API access, it's one of the few viable approaches.
Technical Insight
Dorker's architecture is deliberately simple: Selenium WebDriver controls a Firefox instance (via geckodriver) to perform actual Google searches, extract result URLs, and write them to output files. Unlike headless Chrome tools that Google has learned to fingerprint, Dorker defaults to headless Firefox with configurable options to run in visible mode when debugging.
The core workflow processes dorks either individually via command-line argument or in batch mode from a text file. Here's how you'd run a batch operation:
python3 dorker.py -f dorks.txt -o results.txt
This reads each line from dorks.txt, executes the Google search through Selenium, and appends discovered URLs to results.txt. The tool supports piping results directly to vulnerability scanners, which is where it fits into bug bounty workflows:
python3 dorker.py -d "site:target.com inurl:admin" -o - | dalfox pipe
This pattern searches for admin panels on a target domain and immediately feeds discovered URLs to dalfox for XSS testing—no intermediate file storage needed.
The Selenium implementation focuses on survival rather than speed. Dorker navigates to google.com/search?q=YOUR_DORK, waits for the results page to fully render (including all JavaScript execution), then uses CSS selectors to extract <a> tags from search result containers. The headless browser means no GUI overhead, but you're still loading Google's entire frontend stack, executing analytics scripts, and rendering ads. This is why Dorker processes roughly 5-10 dorks per minute compared to 100+ queries per minute with direct HTTP requests (before getting blocked).
The anti-detection strategy relies on three factors: full browser fingerprinting (Selenium+Firefox looks more legitimate than bare HTTP clients), randomized timing between requests (though not explicitly implemented in the current codebase), and the assumption that users will rotate IPs via VPN. The README explicitly states "Google might try to block you from using their services" and recommends VPN usage—an acknowledgment that evasion is temporary, not permanent.
One architectural limitation is the lack of built-in proxy rotation or CAPTCHA solving. When Google presents a CAPTCHA challenge, Dorker fails silently or crashes depending on how strictly it's parsing the results page. More sophisticated tools in this space integrate with 2captcha or similar services to programmatically solve challenges, or implement proxy pool rotation to distribute queries across IP addresses. Dorker assumes the operator handles this manually by switching VPN servers between batches.
The output format is intentionally minimal—just URLs, one per line—making it trivial to pipe to grep, httpx, nuclei, or any other security tool. This Unix philosophy approach (do one thing well, support composability) makes Dorker a building block rather than an all-in-one solution. You're expected to build workflows around it rather than expecting it to handle vulnerability scanning, content analysis, or result deduplication internally.
Gotcha
Despite using real browser sessions, Dorker cannot outrun Google's rate limiting indefinitely. In testing scenarios, users report getting blocked or CAPTCHA-challenged after 30-50 queries even with Selenium, especially from residential IP addresses with no prior Google activity history. Google's detection systems analyze mouse movements, scroll patterns, and timing behaviors that automated Selenium scripts don't naturally replicate. Dorker makes no attempt to add human-like random delays, cursor movements, or scroll actions that more sophisticated browser automation frameworks implement.
The dependency chain is also problematic for deployment. You need Python 3.x, Selenium, Firefox browser installed (not just the binary, the full browser), and geckodriver matching your Firefox version. This works fine on a personal Kali Linux VM but becomes painful in containerized environments or CI/CD pipelines where you're now pulling a 200MB+ Firefox container image just to run dorking queries. The README provides installation commands but doesn't offer a Docker image, meaning every operator deals with dependency hell independently. Compared to API-based tools that need only an HTTP client library, the operational overhead is substantial.
Verdict
Use Dorker if you're conducting targeted bug bounty reconnaissance or OSINT investigations where you need to run 50-200 Google dorks across multiple targets and you're willing to manually rotate VPNs between batches. It's effective for ad-hoc security research where you're already working from a GUI environment with Firefox installed, and you need results piped directly into vulnerability scanners. The tool shines in scenarios where API quota limits are unacceptable and you're running queries infrequently enough that getting blocked isn't catastrophic. Skip Dorker if you need reliable, high-volume automation (Google will block you regardless of evasion techniques), if you're working in headless server environments where browser dependencies are prohibitive, or if you can afford Google Custom Search API credits for predictable rate limits. Also skip it for production OSINT systems—the lack of proxy rotation, CAPTCHA solving, and error handling makes it unsuitable for anything requiring reliability or scale beyond personal research workflows.
