Insecure Source Code Management

Most software engineers use a version control system like Git to track changes in the project’s source code during software development. But when a software engineer uses Git, they usually include a git directory located at the root of the website to store all the version control information of the project, including the commit history of some files.

Following the best practices in cybersecurity, the .git directory should not be accessible to the public, but some software engineers are neglecting this practice and are simply uploading the entire project to the internet, and this is when information leaks occur.

Besides Git, there are many other version control systems out there such as CVS (Concurrent Version System), SVN (Apache Subversion), BZR (Bazaar), and HG (Mercurial).

Finding .git directory

There are many ways to find a .git directory, here are some of them:

  • Google Search Engine
    By simply searching for the following Google Dork intitle:"Index of /.git", any user can find websites with a publicly exposed and accessible Git Repository.
Photo from Google Search Results
  • Shodan
    Shodan is the search engine for everything on the internet. Using the following query http.title:"Index of /" http.html:".git", it will return you a list of websites with exposed .git repository.
Results from Shodan
  • Open-Source Tools
    There are many open-source tools that could help you find a .git directory.

GitTools – A tool created by @internetwache to Find, Dump, and Extract git.

Bruteforcing Tools like DirBuster, Dirsearch, Wfuzz, and dirb.
- DirBusterhttps://tools.kali.org/web-applications/dirbuster
- Dirsearchhttps://github.com/maurosoria/dirsearch
- Wfuzzhttps://github.com/xmendez/wfuzz
- Dirbhttps://tools.kali.org/web-applications/dirb

To check if the .git directory is publicly exposed, simply go to the root directory of the website then append /.git at the end of the URL.

Exposed .git repository of a website

Dumping the exposed .git repository


Using a tool called wget you can easily download or copy the whole directory recursively.

Downloading the .git repository recursively

You may also use GitTool’s Dumper - https://github.com/internetwache/GitTools/tree/master/Dumper.

.git Structure

Executing the list command will give us the following:

  • config - a file containing the configuration of the project.
  • HEAD - a file containing a reference to the master branch.
Structure of a .git repository
Displaying the content of config, HEAD, and master files

Extracting the Files

Once you have the hash for the master branch, you can now execute the command git cat-file -p <master hash>  to get the hash for the tree object which leads you to the files of the project by executing the same command.

List of Files

To extract the source code of the website into a compressed file, execute the following command: git archive --format zip --output "source.zip" <master-hash>

Extracted Source Code

And there you have it! You successfully downloaded the whole source code of the website.

Finding Juicy Information

Now that you have the source code, you can easily find hardcoded credentials, keys, or tokens using grep or by manually reading each file.

Protecting .git repository

There are many ways to protect your .git repository, and these are some of them:

  • Deny users’ request to access .git through Nginx, Lighttpd, IIS, or Apache;
  • Change the File Permission for .git directory; or
  • Remove the directory before deploying the project/website online.

Real Life Findings