Source Code Disclosure via Exposed .git Folder
Today I am going to share about source code disclosure through an exposed .git folder in web applications and work environments. A couple of months ago I participated in a CTF (capture the flag). One challenge I faced was restoring a git repository from a web server with directory listing enabled and then finding the vulnerability to obtain the flag. I want you to be aware of this exposure vulnerability. Some websites host their version control repository (e.g. .git/) in production. Attackers can use tools to download and restore the repository and gain access to your website's source code.
Why should you be aware of exposed git folders? A .git exposure may or may not pay well, depending on the assets found, but it is interesting anyway because:
- It is easy to detect.
- Analyzing the source code can reveal other vulnerabilities that are more critical.
- Anyone can use your source code for malicious intents, causing you financial or reputational damage.
- You may find files containing sensitive information like credentials, tokens, undocumented endpoints, etc.
What is .git Folder?
The .git folder contains all the information that is necessary for your project in version control: all commits, the remote repository address, etc. All of them are present in this folder. It also contains the logs that store your commit history so that you can roll back to an earlier state.
Why do developers use Git?
Git is an open source version control system. It is widely used by developers to track changes made to both open source and commercial projects. Developers can use Git on all major operating systems and with integrated development environments (IDEs).
HTTP error codes and enumeration
Fun Part : To Exploit
Once you have a solid list of web applications, use forced browsing to see if a .git folder is accessible on them. If file and directory brute-force tools are allowed, you can use dirsearch or dirb (with the common.txt dictionary); both check for .git/. If the git directory is exposed, requesting it returns a directory listing of its contents.
To download and restore the git repo, simply use automated tools like GitHack, GitHacker or GitTools.
If directory listing is enabled on the production server, a single command downloads all the files:
wget --mirror -I .git example.com/.git/
Once the download is complete, run git status to see the state of the local working tree compared with what was in the target web server's repository.
The status only shows deleted files, since we have only the .git folder downloaded from the web server and no working tree. That is not a problem, though: running git checkout -- . or git restore . will restore the working tree to the last commit.
There are other ways to restore the repository.
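To see why the .git folder alone is enough to recover every file, here is an added example (not from the original post or any of the tools it names) that does by hand what git checkout -- . does: it follows HEAD to the branch ref, reads the commit, walks the tree and inflates each blob from .git/objects. The repository it reads is a constructed sample that the script writes itself, so it runs offline without git installed; the file names and contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile
import zlib


def write_object(git_dir, obj_type, payload):
    """Store a loose object exactly as git does: zlib(header + payload), named by its SHA-1."""
    raw = f"{obj_type} {len(payload)}\0".encode() + payload
    sha = hashlib.sha1(raw).hexdigest()
    obj_path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(obj_path), exist_ok=True)
    with open(obj_path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inflate a loose object and return (type, payload)."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\0", 1)
    return header.split(b" ")[0].decode(), payload


def make_sample_repo(root):
    """Constructed sample: a bare-bones .git holding one commit with two files and no working tree."""
    git_dir = os.path.join(root, ".git")
    files = {
        "config.php": b"<?php $db_pass = 'constructed-sample';\n",
        "index.php": b"<?php echo 'hello';\n",
    }
    tree = b""
    for name in sorted(files):  # git stores tree entries sorted by name
        blob_sha = write_object(git_dir, "blob", files[name])
        tree += b"100644 " + name.encode() + b"\0" + bytes.fromhex(blob_sha)
    tree_sha = write_object(git_dir, "tree", tree)
    commit = (f"tree {tree_sha}\n"
              "author A <a@example.invalid> 0 +0000\n"
              "committer A <a@example.invalid> 0 +0000\n\ninitial\n").encode()
    commit_sha = write_object(git_dir, "commit", commit)
    os.makedirs(os.path.join(git_dir, "refs", "heads"), exist_ok=True)
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(commit_sha + "\n")
    return git_dir


def resolve_head(git_dir):
    """HEAD is either 'ref: <path>' (follow it) or a detached commit SHA."""
    with open(os.path.join(git_dir, "HEAD")) as fh:
        head = fh.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(git_dir, head[5:])) as fh:
            return fh.read().strip()
    return head


def parse_tree(payload):
    """Tree entries are '<mode> <name>\\0<20 raw SHA bytes>' back to back."""
    entries, pos = [], 0
    while pos < len(payload):
        space = payload.index(b" ", pos)
        nul = payload.index(b"\0", space)
        entries.append((payload[pos:space].decode(), payload[space + 1:nul].decode(),
                        payload[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


def files_at_head(git_dir):
    """Rebuild {path: content} for the commit HEAD points at, using only .git/."""
    obj_type, payload = read_object(git_dir, resolve_head(git_dir))
    if obj_type != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = payload.split(b"\n", 1)[0].split(b" ")[1].decode()
    result = {}

    def walk(sha, prefix):
        for mode, name, entry_sha in parse_tree(read_object(git_dir, sha)[1]):
            if mode == "40000":  # subdirectory: recurse into the nested tree
                walk(entry_sha, prefix + name + "/")
            else:
                result[prefix + name] = read_object(git_dir, entry_sha)[1]

    walk(tree_sha, "")
    return result


def demo():
    """Build the constructed sample repo in a temp dir and recover its files from .git alone."""
    with tempfile.TemporaryDirectory() as root:
        return files_at_head(make_sample_repo(root))


if __name__ == "__main__":
    for path, content in demo().items():
        print(path, content.decode(), end="")
```

The point for defenders: every source file, including ones like a config with a database password, is reachable through a chain of small static files under .git/, so a web server that serves that directory is serving the whole code base even if no file in the working tree is ever requested directly. Real repositories also keep objects in packfiles under .git/objects/pack, which this sample skips; the conclusion is the same.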
How to fix .git Source Code Exposure Vulnerabilities?
To fix this vulnerability, either remove the .git folder from your web server or ensure that you deny all access to .git folders.
It is easy to deny access to .git folders:
Apache (the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 use Require all denied in the same block)
```apache
<DirectoryMatch "^/.*/\.git/">
Order deny,allow
Deny from all
</DirectoryMatch>
```
Nginx
Put this as the first entry in your server block in the nginx.conf file (the dot is escaped so the pattern matches only a literal .git):
```nginx
location ~ /\.git/ {
deny all;
}
```
Lighttpd
Put this into your lighttpd.conf:
```lighttpd
server.modules += ( "mod_access" )
```
After that, we can block access to the .git folder:
```lighttpd
$HTTP["url"] =~ "^/\.git/" {
url.access-deny = ("")
}
```
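After applying one of the configurations above, the practical question is how to confirm it works and how to find the repositories you did not know were deployed. The following added example (my own code, not from the original post) does both: find_git_dirs walks a document root and lists every .git directory or file, and classify_git_response judges what the web server returned for /.git/HEAD and /.git/config, treating a 403 or 404 as blocked and distinguishing the real file from a catch-all HTML page that also answers 200. The webroot used by demo_audit is a constructed sample built in a temporary directory; the base URL passed to probe is an assumption supplied by whoever runs it.

```python
import os
import re
import tempfile
import urllib.error
import urllib.request

# Paths a correct deny rule must refuse. /.git/HEAD is the cheapest tell-tale file.
GIT_PATHS = ("/.git/HEAD", "/.git/config")

# A real HEAD is either "ref: refs/..." or a detached 40-hex commit id.
_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def classify_git_response(path, status, body):
    """Judge one response to a .git path: blocked, exposed, served-other or unknown."""
    if status in (403, 404):
        return "blocked"
    if status != 200:
        return "unknown"
    if path.endswith("/HEAD") and _HEAD_RE.match(body):
        return "exposed"
    if path.endswith("/config") and body.lstrip().startswith(b"["):
        return "exposed"
    # A 200 carrying HTML is a catch-all or SPA fallback page, not the real file.
    return "served-other"


def probe(base_url, timeout=5):
    """Request each .git path on our own site and classify the result (needs network access)."""
    results = {}
    for path in GIT_PATHS:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                results[path] = classify_git_response(path, resp.status, resp.read(256))
        except urllib.error.HTTPError as exc:
            results[path] = classify_git_response(path, exc.code, b"")
        except urllib.error.URLError:
            results[path] = "unreachable"
    return results


def find_git_dirs(webroot):
    """Walk a document root and list every .git directory (or .git file, as git worktrees use)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if ".git" in dirnames:
            found.append(os.path.join(dirpath, ".git"))
            dirnames.remove(".git")  # no need to descend into the repository itself
        if ".git" in filenames:
            found.append(os.path.join(dirpath, ".git"))
    return sorted(found)


def demo_audit():
    """Constructed sample webroot: one site deployed by git clone, one without. Returns relative hits."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "shop", ".git", "objects"))
        os.makedirs(os.path.join(root, "shop", "assets"))
        os.makedirs(os.path.join(root, "blog", "wp-content"))
        return [os.path.relpath(p, root) for p in find_git_dirs(root)]


if __name__ == "__main__":
    import sys
    print("local audit:", demo_audit())
    if len(sys.argv) > 1:  # e.g. python check_git.py https://your-site.example
        for path, verdict in probe(sys.argv[1]).items():
            print(path, verdict)
```

Run the local audit on the server as part of deployment (or from a cron job) and fail the deploy when it returns anything; run probe against a staging host after changing the web server configuration to confirm both paths come back as blocked rather than served-other, which would mean the rule never matched and something else answered the request.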