Source Code Disclosure via Exposed .git Folder
Greetings everyone,
I hope you all are doing well. Today I am going to write about source code disclosure through an exposed .git folder on a website or in a work environment. This is also important for programmers and web developers, so they know how to secure their source code in their development environment. So, without any delay, let’s get straight to it. The first question that arises is: why should you care about or learn about open .git folders on your website or in your working environment? Because:
- It is easy to detect.
- Analyzing the source code can reveal other, more critical vulnerabilities.
- Anyone can use your source code for malicious purposes, causing you financial or reputational damage.
- It can expose files containing sensitive information like credentials, tokens, unpublished endpoints, etc.
What is .git Folder?
I am assuming here that you know about Git; if not, then check here and here. So, what is a .git folder? According to Stack Overflow, it is the folder that contains all the information necessary for your project in version control: all the information about commits, the remote repository address, etc. is present in this folder. It also contains a log that stores your commit history so that you can roll back to an earlier state.
Why is Git Used in Web Development?
Git is commonly used when you create your website on your computer and use Git to push a copy of those files to a web server. If anything happens to your computer, you still have a full copy on the web server. You can then configure this web server repository to push live changes to your website. This is convenient for developers and eases development. You may also like to check this. The threats of exposed .git folders were already discussed at the beginning (see “why should you care about or learn about open .git folders on your website or in your working environment?”).
Time for Real Fun:
Do you remember I said it is easy to find an exposed .git folder? But how? Let’s see. Note that I will be using three different Google dorks in this article, which can be found here, here and here in the Google Hacking Database (GHDB). But before proceeding, note that:
- If you get a 404 error, then .git/ doesn’t exist on the server. But if you get a 403 Forbidden error, it exists; the folder’s root just isn’t directly accessible because directory listing is disabled on the server.
- If you’re lucky and directory listing is enabled, then you could directly browse the .git folder’s contents as shown in images below.
- Use Google dorks for a particular website to see if it is leaking source code.
- This guide can also be used by bug hunters in various bug bounty programs.
- Confirm the bug by manually browsing the .git folder.
- Confirm that the .git folder’s contents are accessible (even if .git/ itself isn’t) by trying to open these common file names, for example:
https://example.com/.git/logs/HEAD
https://example.com/.git/index
https://example.com/.git/config
- Once the existence of the .git folder is confirmed and directory listing is enabled, downloading it is simply a matter of running wget recursively:
wget -r http://www.example.com/.git/
Now, open a web browser of your choice, go to google.com and use the Google dorks mentioned in this article.
Google Dork 1 → Shows publicly accessible Git directories and allows direct code access.
Google Dork 2 → Contains information related to what the target uses as IDE, and many other software related to development. Great for footprinting.
Google Dork 3 → Shows web servers serving the Git repository. This potential flaw can be used to download content from the web server that might otherwise be private.
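The manual confirmation above (requesting .git/HEAD, .git/index, .git/config and .git/logs/HEAD) can be turned into a self-audit for a site you operate, so that a deploy check fails before the folder reaches production. This is an added example, not code from the original post or from GitTools; it assumes Python 3 with only the standard library, and it recognizes a real Git file by the on-disk format Git writes (the “ref:” prefix in HEAD, the DIRC magic in index, a [core] section in config, two 40-hex ids at the start of each logs/HEAD line) so that a custom 404 page returned with status 200 is not counted as an exposure.

```python
import sys
import urllib.request
from urllib.error import HTTPError, URLError

def _is_hex(data: bytes, length: int) -> bool:
    """True when DATA is exactly LENGTH lowercase hex digits (a Git object id)."""
    return len(data) == length and all(c in b"0123456789abcdef" for c in data)

def _head_ok(body: bytes) -> bool:
    # .git/HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
    return body.startswith(b"ref: refs/") or _is_hex(body.strip(), 40)

def _logs_ok(body: bytes) -> bool:
    # .git/logs/HEAD lines start with "<old-id> <new-id> <author> ..."; check the first line.
    parts = body.split(b"\n", 1)[0].split(b" ", 2)
    return len(parts) == 3 and _is_hex(parts[0], 40) and _is_hex(parts[1], 40)

# The paths from the post, each paired with the on-disk format Git writes for it.
SIGNATURES = {
    ".git/HEAD": _head_ok,
    ".git/index": lambda body: body.startswith(b"DIRC"),   # index file magic bytes
    ".git/config": lambda body: b"[core]" in body,         # INI-style config section
    ".git/logs/HEAD": _logs_ok,
}

def looks_like_git_artifact(path: str, body: bytes) -> bool:
    """True only when BODY has the format Git uses for PATH (filters soft-404 HTML)."""
    check = SIGNATURES.get(path)
    return bool(check) and check(body)

def audit(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch each artifact under BASE_URL; return {path: exposed}. 403/404 count as not exposed."""
    results = {}
    for path in SIGNATURES:
        try:
            with urllib.request.urlopen(f"{base_url.rstrip('/')}/{path}", timeout=timeout) as resp:
                body = resp.read(4096)  # every signature sits in the first bytes
        except (HTTPError, URLError, ValueError):
            body = b""
        results[path] = looks_like_git_artifact(path, body)
    return results

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder host
    for path, exposed in audit(base).items():
        print(("EXPOSED " if exposed else "ok      ") + f"{base}/{path}")
```

Run it against your own staging or production hostname; any EXPOSED line means the folder is reachable even if .git/ itself returns 403.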
Let’s Go for Automation:
This is the fun part! Browsing .git/ manually is good for a proof of concept, but it is a tedious job. If you want to retrieve as many files as possible, even with directory listing disabled, the tool to use is GitTools.
- Note that you still have to analyze the downloaded local repository manually.
Hackerone reports:
- https://hackerone.com/reports/248693
- https://hackerone.com/reports/173811
- https://hackerone.com/reports/218465
- https://hackerone.com/reports/221298
The Mitigation:
- Don’t leave your .git folder in the production environment! Or at least move it out of the web root directory.
- Block direct access and disable directory listing.
- When you’re setting a rule to block access to files and folders that begin with “.”, take the following exception into consideration (the .well-known directory must stay reachable, e.g. for ACME/Let’s Encrypt validation):
Nginx:
# Deny every path segment that starts with ".", except /.well-known/
location ~ /\.(?!well-known\/) {
    deny all;
}
Apache:
# Same rule for Apache. "Order"/"Deny" is the 2.2 syntax (still works on 2.4 with mod_access_compat);
# on Apache 2.4 use "Require all denied" instead of the two lines below.
<Directory ~ "/\.(?!well-known\/)">
    Order deny,allow
    Deny from all
</Directory>
If you would like to find out more about the research that inspired this blog post, see https://lynt.cz/blog/global-scan-exposed-git-repos/. I hope you liked this blog post. Stay tuned for more exciting content like this, and stay happy.