search
Infiltr8ForumGitHub
githubEdit

Exposed Git Repositories

OWASP A3:2017-Sensitive Data Exposure

hashtag
Theory

The exposure of Git repositories on a webserver often occurs due to misconfigurations, where the .git directory is left accessible without proper access controls.

If we encounter an application with an exposed .git directory, we can retrieve the entire repository. This enables us to extract valuable information, such as the remote repository address, commit history, logs, and various metadata. Accessing these details may reveal sensitive data, including proprietary code, hard-coded API keys, and credentials, which can then be leveraged to escalate our attack and further compromise the application's security.

hashtag
Practice

hashtag
Enumeration

To detect exposed Git repositories, we can utilize tools and commands below.

We may use httpxarrow-up-right to identify exposed repositories across a list of domains using the command below. It checks if the .git/HEAD file contains refs/heads .

Note that this one-liner will only identify repositories if directory listing is enabled.

cat domains.txt | httpx -path /.git/HEAD -silent -mr "refs/heads"

hashtag
Dump

Once an exposed Git repository is identified, the next step is to perform a repository dump to extract its contents.

gitdumper from GitToolsarrow-up-right can be used to download as much as possible from the found .git repository from webservers which do not have directory listing enabled.

./gitdumper.sh http://target.com/.git/ dest-dir

extractor.sh from GitToolsarrow-up-right can then be used in combination with gitdumper in case the downloaded repository is incomplete. This tool extract commits and their content from a broken repository.

./extractor.sh /tmp/mygitrepo /tmp/mygitrepodump

hashtag
Hunting

After successfully dumping an exposed Git repository, the next step is to hunt for valuable secrets within the retrieved data.

hashtag
Noseyparker

Noseyparkerarrow-up-right is a command-line program that finds secrets and sensitive information in textual data and Git history. We can use this tool to recursively search sensitive information in a repository.

circle-info

You may use this tools to search sensitives files in a mounted NFS share, a mounted SMB share, or even exiltrated data.

hashtag
Bash

Alternatively, find command can be use to find configuration files by recursively searching files with a specific extension or name and the grep command can be use to find passwords in files by recursively searching text patterns.

hashtag
Resources

LogoOWASP Top Ten 2017 | A3:2017-Sensitive Data Exposure | OWASP Foundationowasp.orgchevron-right
LogoGit Exposed — How to Identify and ExploitMediumchevron-right
LogoExposed .git Directory ExploitationMediumchevron-right

Last updated