Is your .git folder exposed? Do you know how dangerous that is?

SFW Cybersecurity Solutions
3 min read · Jun 23, 2020

How to download an exposed .git directory

I recently found a .git folder exposed on an independent bug bounty program and used it to reconstruct the web app’s source code. I can’t disclose specific details yet, but I wanted to share with you this tutorial on how to find and exploit this kind of bug.

Downloading the website’s source code from the .git exposed directory

So let’s get to the interesting part: how do we download and restore the repository to get access to the website’s source code? Basically, there are two cases to deal with:

  • Open Indexed Directory, if the webserver has directory listing enabled
  • Forbidden Directory, otherwise

Git, like most version control systems, stores the repository as a lot of small files (objects). The filenames are derived from a hash of the file contents, so guessing them is hard. We need a way to obtain as many of those files as possible.

Whether Open Indexed Directory or Forbidden Directory doesn’t matter

First of all, it’s considered bad practice to have directory listing enabled on your production server.

Directory listing helps the attacker a lot, because all they have to do is issue one command to download all the files.

Open Indexed Directory

Forbidden Directory

If the directory is forbidden, as in the image above, just append .git/config to the site’s URL, e.g. https://example.com/.git/config, and you will see something like the image below.

There is a tool on GitHub that automates the whole process:

git clone https://github.com/arthaud/git-dumper.git
cd git-dumper
pip3 install -r requirements.txt
python3 git-dumper.py https://www.example.com/.git/ download_dir

How does it work?

The tool first checks whether directory listing is available. If it is, it simply downloads the .git directory recursively (what you would do with wget).

If directory listing is not available, it will use several methods to find as many files as possible. Step by step, git-dumper will:

  • Fetch all common files (.gitignore, .git/HEAD, .git/index, etc.);
  • Find as many refs as possible (such as refs/heads/master, refs/remotes/origin/HEAD, etc.) by analyzing .git/HEAD, .git/logs/HEAD, .git/config, .git/packed-refs and so on;
  • Find as many objects (SHA-1 hashes) as possible by analyzing .git/packed-refs, .git/index, .git/refs/* and .git/logs/*;
  • Fetch all objects recursively, analyzing each commit to find its parents;
  • Run git checkout . to recover the current working tree.

Finally, you have downloaded the source code.

How to get rid of this issue?

Use deployment tools

  1. https://deployer.org/ — only for PHP-based projects
  2. https://www.deploybot.com/
  3. https://aws.amazon.com/codebuild/
  4. https://www.gocd.org/ — GoCD is an open-source build and release tool from ThoughtWorks. GoCD supports modern infrastructure and helps enterprise businesses get software …
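Whichever tool you deploy with, verify the result. The following is an added example, not code from the original post and not git-dumper’s own code: a small Python self-check for your own hosts that requests the same first files git-dumper goes for and tells a genuine git file apart from a catch-all 200 page, so that a 403 on /.git/ alone is not mistaken for a fix. The probe list, regexes and sample responses are my own assumptions.

```python
import re
import urllib.error
import urllib.request

# Files git-dumper fetches first; a genuine copy of either one means the repo is
# dumpable even when /.git/ itself answers 403 (the "Forbidden Directory" case).
PROBE_FILES = ("HEAD", "config")
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")  # what a real .git/HEAD looks like
CONFIG_RE = re.compile(r"^\s*\[core\]", re.IGNORECASE)   # a real .git/config starts with [core]

def looks_like_git_file(name, body):
    """True if body is a genuine git file rather than a catch-all 200 page."""
    text = body.decode("utf-8", "replace")
    if name == "HEAD":
        return HEAD_RE.match(text.strip()) is not None
    if name == "config":
        return CONFIG_RE.match(text) is not None
    return False

def classify(responses):
    """Map {filename: (status, body)} to 'exposed' (a real git file is served,
    the repo can be rebuilt), 'soft-404' (only catch-all 200s) or 'blocked'."""
    saw_200 = False
    for name, (status, body) in responses.items():
        if status == 200:
            saw_200 = True
            if looks_like_git_file(name, body):
                return "exposed"
    return "soft-404" if saw_200 else "blocked"

def fetch(base_url, name, timeout=5.0):
    """GET <base_url>/.git/<name> and return (status, first 4 KiB of body)."""
    url = base_url.rstrip("/") + "/.git/" + name
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except urllib.error.URLError:
        return 0, b""

def check_host(base_url):
    """Probe one of your own hosts, e.g. check_host("https://www.example.com")."""
    return classify({name: fetch(base_url, name) for name in PROBE_FILES})

# Constructed sample responses (not captured from any real site): HEAD is hidden
# by a file-specific rule, but config is still served, so the repo is exposed.
SAMPLE_EXPOSED = {"HEAD": (404, b""), "config": (200, b"[core]\n\trepositoryformatversion = 0\n")}
SAMPLE_SOFT404 = {n: (200, b"<html><body>Not found</body></html>") for n in PROBE_FILES}
```

Run check_host against each of your production hostnames; anything other than "blocked" deserves a look at the web server rules for /.git/.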

Conclusion

There are a lot of well-known sites that don’t deny access to their /.git/ directories, so anybody can download their source code and perhaps other sensitive information. This issue isn’t difficult to mitigate, so take a moment to ensure that your webserver isn’t misconfigured.

Want to Secure your web-based product? Reach me hello@edwinsturt.in

https://www.linkedin.com/in/sturtedwin
