The search query filetype:xls inurl:password.xls is a classic example of Google Dorking, a technique used to find sensitive information inadvertently indexed by search engines.
Functionality of the Query
This specific command directs Google to find publicly accessible files that meet two criteria:
filetype:xls: Limits results strictly to Microsoft Excel binary spreadsheet files (.xls).
inurl:password.xls: Filters for pages where the specific string "password.xls" appears in the URL path, often indicating a file named exactly that.
Informative Features & Risks
Sensitive Data Exposure: This query is frequently used by security researchers or malicious actors to uncover spreadsheets containing plain-text usernames and passwords.
Directory Indexing: It often reveals "Index of" pages where servers have been misconfigured to allow public browsing of their file directories.
Security Implications: While Excel allows for password protection and encryption, files found through this dork are often unprotected, or they contain credentials for other systems in plain text.
False Positives: The query can also return non-sensitive results, such as "password service" templates or files that are legitimately public but simply share the naming convention.
Organizations typically prevent this type of information leakage by enforcing strict security policies and disabling directory listing on their web servers.
Part 1: Breaking Down the Dork
Let’s translate the command.
filetype:xls: This operator tells Google to restrict results to files with the .xls extension (the classic Microsoft Excel 97-2003 format). More modern versions use .xlsx, but .xls is still prevalent in legacy systems and certain automated exports.
inurl:password.xls: This operator tells Google to look for the exact string password.xls within the URL of the file. This typically means the web server is hosting a file explicitly named password.xls, or one located in a folder path that contains that name (e.g., https://example.com/backup/password.xls).
Combined meaning: The search query asks Google to return, from its index, live, publicly accessible Excel spreadsheet files named "password.xls" anywhere on the internet.
Run regular server-side scans for spreadsheet files whose names or contents suggest credential material:
find /var/www -type f \( -name "*.xls" -o -name "*.xlsx" \) -exec grep -l "password\|pass\|pwd\|secret" {} \;
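The grep one-liner above only matches what it can see as raw bytes. Two things slip past it: .xlsx files are ZIP archives, so credential text inside them is compressed and never matches, and legacy .xls (BIFF8) workbooks may store text as UTF-16LE rather than 8-bit characters. The following added example (not the article's own script; the keyword list, the demo files and the temp directory are constructed for illustration) generalizes the scan to both formats and reports why each file was flagged:

```python
"""Scan a web root for spreadsheets that look like they hold credentials.

Added example, not the article's own tooling. It goes beyond the grep
one-liner in two ways: .xlsx files are ZIP archives, so their cell text is
read from xl/sharedStrings.xml instead of the compressed bytes, and legacy
.xls files are searched for both 8-bit and UTF-16LE encoded keywords, which
is how BIFF8 workbooks store text.
"""
import os
import re
import tempfile
import zipfile

# Words in a filename or cell that suggest credential material (assumed list).
KEYWORDS = ("password", "passwd", "pwd", "secret", "credential")
NAME_RE = re.compile("|".join(KEYWORDS), re.IGNORECASE)


def xlsx_strings(path):
    """Return the shared-string text of an .xlsx workbook ('' if unreadable)."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "xl/sharedStrings.xml" not in zf.namelist():
                return ""
            xml = zf.read("xl/sharedStrings.xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return ""
    # Cell text sits in <t> elements; a regex is enough for a triage scan.
    return " ".join(re.findall(r"<t[^>]*>([^<]*)</t>", xml))


def content_hits(path):
    """Return the sorted keywords found inside one spreadsheet's contents."""
    if path.lower().endswith(".xlsx"):
        text = xlsx_strings(path).lower()
        return sorted(k for k in KEYWORDS if k in text)
    with open(path, "rb") as fh:
        data = fh.read()
    found = []
    for k in KEYWORDS:
        # Legacy .xls: text may be Latin-1 or UTF-16LE, so try both encodings.
        if re.search(k.encode("latin-1"), data, re.IGNORECASE) or \
                re.search(k.encode("utf-16-le"), data, re.IGNORECASE):
            found.append(k)
    return sorted(found)


def scan_webroot(root):
    """Walk root; return sorted (relative path, reasons) for suspicious spreadsheets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".xls", ".xlsx")):
                continue
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_RE.search(name):
                reasons.append("filename")
            hits = content_hits(path)
            if hits:
                reasons.append("content:" + ",".join(hits))
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_demo_tree(root):
    """Write three constructed sample files under root (demo data, not real)."""
    os.makedirs(os.path.join(root, "backup"), exist_ok=True)
    # Legacy-style file: OLE2 header bytes, then a UTF-16LE string that a
    # plain ASCII grep would not find. The name alone is already a red flag.
    with open(os.path.join(root, "backup", "password.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"\x00" * 16
                 + "Secret".encode("utf-16-le") + b"\x00" * 8)
    # Modern workbook with an innocuous name but a credential column header.
    with zipfile.ZipFile(os.path.join(root, "export.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>Email</t></si><si><t>Password</t></si></sst>")
    # Clean workbook: must not be reported.
    with zipfile.ZipFile(os.path.join(root, "sales.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>Quarterly revenue</t></si></sst>")


def run_demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    root = tempfile.mkdtemp()
    build_demo_tree(root)
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, reasons in run_demo():
        print(f"{rel}: {'; '.join(reasons)}")
```

Point it at the real document root instead of the demo tree (`scan_webroot("/var/www")`) and feed the output into whatever ticketing or alerting the team already uses; a file flagged for "filename" alone is worth removing even when the content check is silent, because the name is exactly what the dork searches for.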
If you were to run this search (and for ethical reasons, you should only do so as a security researcher with permission or in a controlled lab), the results can be terrifying. Here are real-world examples of what security experts have historically found:
Server credentials: a sheet listing each host’s IP address, username (root) and password (P@ssw0rd123). With this, an attacker has full control of the company’s infrastructure.
Database exports: password.xls might not contain passwords for servers, but it might be an export from an SQL database containing user emails and plaintext passwords for a live website.
Prevent search engines from indexing sensitive file types:
User-agent: *
Disallow: /*.xls$
Disallow: /*.xlsx$
Disallow: /*password*
Warning: robots.txt is a public instruction, not a security barrier. Malicious actors will ignore it. Use it only to keep compliant crawlers from indexing the files; never rely on it for security.
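Even for compliant crawlers, it pays to check what the three Disallow lines actually cover. The added example below (not from the article; the sample paths are constructed) reproduces the wildcard matching documented for Google's crawler, where `*` matches any run of characters, a trailing `$` anchors the end, matching is case-sensitive, and the compared string is the URL path including any query string, and then audits a handful of paths against the rules above:

```python
"""Audit which URL paths the robots.txt rules above really keep crawlers off.

Added example, not from the article. It reproduces the wildcard matching
documented for Google's crawler: '*' matches any run of characters, a
trailing '$' anchors the end, matching is case-sensitive, and the string
compared is the URL path including any query string.
"""
import re

# The three Disallow patterns from the robots.txt shown above.
DISALLOW = ["/*.xls$", "/*.xlsx$", "/*password*"]

# Constructed sample paths (not from any real site) to probe the rules.
SAMPLE_PATHS = [
    "/backup/password.xls",        # blocked: name and extension both match
    "/reports/q1.xlsx",            # blocked by /*.xlsx$
    "/reports/q1.xls?download=1",  # NOT blocked: the query string defeats '$'
    "/exports/Password.XLS",       # NOT blocked: matching is case-sensitive
    "/data/passwords.csv",         # blocked by /*password* despite the .csv
    "/about.html",                 # not blocked, and nothing sensitive anyway
]


def rule_to_regex(pattern):
    """Translate one robots.txt path pattern into an anchored regex."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    # Escape the literal segments, then let '*' stand for any characters.
    body = ".*".join(re.escape(seg) for seg in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def is_disallowed(url_path, rules=DISALLOW):
    """True if any Disallow rule matches the path (prefix match unless '$')."""
    return any(rule_to_regex(r).match(url_path) for r in rules)


def audit(paths=SAMPLE_PATHS, rules=DISALLOW):
    """Return {path: blocked?} for every sample path."""
    return {p: is_disallowed(p, rules) for p in paths}


if __name__ == "__main__":
    for path, blocked in audit().items():
        print(f"{'BLOCKED' if blocked else 'allowed'}  {path}")
```

The audit shows two gaps in the rules as written: a mixed-case filename and a download link that carries a query string both sail past `/*.xls$`. Closing them with more patterns is still only advice to well-behaved crawlers, and a URL linked from elsewhere can appear in results even when crawling is disallowed; removing the spreadsheet from the web root, or putting it behind authentication, is the fix that holds.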