The exposure of Git repositories on a webserver often occurs due to misconfigurations, where the .git directory is left accessible without proper access controls.
If we encounter an application with an exposed .git directory, we can retrieve the entire repository. This lets us extract valuable information such as the remote repository address, commit history, logs, and other metadata. These details may reveal sensitive data, including proprietary code, hard-coded API keys, and credentials, which can then be leveraged to escalate our attack and further compromise the application's security.
To detect exposed Git repositories, we can use the tools and commands below.
We may use to identify exposed repositories across a list of domains using the command below. It checks whether the .git/HEAD file contains refs/heads.
Note that this one-liner will only identify repositories if directory listing is enabled.
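For auditing your own hosts, the check above can be made less noisy by validating what comes back from /.git/HEAD instead of only grepping for a substring: many servers answer 200 with an HTML error page or redirect to a login form, and those should not count as findings. The script below is an added example, not the one-liner or any tool the page links to; the host names, sample bodies and the `classify_head`/`check_host` function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page or any tool it links): audit your own
# hostnames for an exposed .git directory. Fetches /.git/HEAD and decides from
# the response body whether a real HEAD file came back, so HTML 404 pages and
# login redirects that also answer 200 are not reported as exposures.
# Host names and sample bodies are constructed for illustration.

# classify_head BODY
# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/<branch>") or,
# for a detached HEAD, a bare 40-hex commit id on its own line. Prints a label
# and returns 0 when the body looks like a real HEAD file, 1 otherwise.
classify_head() {
    # Look at the first line only; strip a CR in case the server sends CRLF.
    first=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1)
    case "$first" in
        "ref: refs/heads/"*)
            echo exposed-symbolic
            return 0 ;;
    esac
    if printf '%s\n' "$first" | grep -Eq '^[0-9a-f]{40}$'; then
        echo exposed-detached
        return 0
    fi
    echo not-exposed
    return 1
}

# check_host HOST
# Fetches https://HOST/.git/HEAD (network access required) and prints
# "HOST <label>". Redirects are followed so a 302 to /login is classified by
# the body that finally comes back, not by the status code.
check_host() {
    body=$(curl -s -m 10 -L "https://$1/.git/HEAD" 2>/dev/null) || body=""
    printf '%s %s\n' "$1" "$(classify_head "$body")"
}

# Usage: sh audit_git_head.sh host1.example.com host2.example.com ...
for host in "$@"; do
    check_host "$host"
done
```

Any host reported as `exposed-symbolic` or `exposed-detached` is serving its repository metadata to anyone who asks. The fix is to stop deploying the .git directory to the document root at all; as a second line of defence, deny every request whose path begins with /.git at the webserver (an nginx `location` rule or an Apache `<DirectoryMatch>` returning 404), then re-run the audit to confirm.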
Once an exposed Git repository is identified, the next step is to perform a repository dump to extract its contents.
gitdumper from can be used to download as much as possible of the discovered .git repository from webservers that do not have directory listing enabled.
extractor.sh from can then be used together with gitdumper when the downloaded repository is incomplete. This tool extracts commits and their content from a broken repository.
After successfully dumping an exposed Git repository, the next step is to hunt for valuable secrets within the retrieved data.
is a command-line program that finds secrets and sensitive information in textual data and Git history. We can use this tool to recursively search for sensitive information in a repository.
You may use this tool to search for sensitive files in a , a , or even .
Even if can do it for us, we may manually search for sensitive information in previous commits.
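The reason previous commits matter is that a credential deleted from the working tree is still present in history, and an exposed .git directory (or a public push) hands that history to anyone. The script below is an added example, not the page's or any linked tool's code: it walks every commit and reports added lines matching a few credential patterns, which is the manual search from this section and the secret hunting from the previous one done in one place. The `SECRET_PATTERNS` regexes, the sample repository and the `AKIAEXAMPLEEXAMPLE12` value are constructed for illustration; the key is fake.

```shell
#!/bin/sh
# Added example (not from the page or any tool it links): scan a repository's
# complete history for secret-looking strings, so a credential that was
# committed and later deleted is still caught before the repository or its
# .git directory is ever exposed. Patterns and sample data are constructed.

# Extended regexes for common hard-coded credentials. Extend to taste.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(password|passwd|api[_-]?key|secret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# scan_history REPO_DIR
# Walks every commit reachable from any ref and prints
# "<commit>:<path>:<added line>" for each added line matching SECRET_PATTERNS.
# Returns 0 if at least one hit was printed, 1 otherwise.
scan_history() {
    repo=$1
    found=1
    for c in $(git -C "$repo" rev-list --all); do
        # Zero-context unified diff: "+++ b/<path>" headers name the file,
        # "+" lines are the content that commit introduced.
        hits=$(git -C "$repo" show --format= --unified=0 --no-color "$c" \
            | awk '/^\+\+\+ / { path = substr($0, 7); next }
                   /^\+/      { print path ":" substr($0, 2) }' \
            | grep -E -i "$SECRET_PATTERNS" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s/^/$c:/"
            found=0
        fi
    done
    return $found
}

# make_sample_repo
# Builds a throwaway repository in which a fake AWS key is added in one commit
# and removed in the next, and prints its path.
make_sample_repo() {
    dir=$(mktemp -d)
    git -C "$dir" -c init.defaultBranch=main init -q
    commit_all() {
        git -C "$dir" add -A
        git -C "$dir" -c user.name=demo -c user.email=demo@example.com commit -q -m "$1"
    }
    printf 'DB_HOST=localhost\n' > "$dir/config.env"
    commit_all "initial config"
    printf 'DB_HOST=localhost\nAWS_KEY=AKIAEXAMPLEEXAMPLE12\n' > "$dir/config.env"
    commit_all "add aws key (mistake)"
    printf 'DB_HOST=localhost\n' > "$dir/config.env"
    commit_all "remove aws key"     # gone from HEAD, still in history
    printf '%s\n' "$dir"
}

# Usage: sh scan_git_history.sh /path/to/repo
# With no argument, runs against the constructed sample repository.
if [ $# -gt 0 ]; then
    scan_history "$1"
else
    sample=$(make_sample_repo)
    scan_history "$sample"
    rm -rf "$sample"
fi
```

Run against the sample, the only hit is the middle commit's `config.env:AWS_KEY=...` line: the "remove" commit contributes nothing because it only deletes, yet the key remains readable with `git show <commit>`. Rotating the credential is the only real remedy once history has left the server; rewriting history merely stops the next copy from carrying it.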
OWASP A3:2017-Sensitive Data Exposure