Git’ing Exposed — Hacking Publicly Exposed Git Repositories

Shahrukh Iqbal Mirza
4 min readApr 6, 2021

Git is a Version Control System used to track and monitor modifications made in files/folders during application development. Git works by helping developers easily ‘commit’ changes to a source code during development or testing and that then gets ‘pushed’ onto the live application. This provides developers with an advantage of ease of development.

A .git repository in our case are folders having source code files and configurations of a project. It contains version history of a project as well as all the changes made to a project over a certain period of time. It also maintains logs of each version (or commit history) to provide a roll-back option.

Looking for Exposed .git Repositories and Reconstructing the Source Code:

Looking for exposed .git folders is as easy as appending .git to the end of a project URL, for example: https://my-project.com/.git/

There are three possible results to this approach:

  1. A 404 error, meaning that the repository is unavailable.
  2. A 403 error, meaning that it is forbidden to access the root of the repo, however some common files inside the repo (like HEAD, index, and config) should always be checked because usually the repository’s root is inaccessible but the files and folders within can be accessed.
  3. A 200 ok, giving you a complete directory listing of the repository.

OSINT’ing for exposed .git repositories is also extremely easy with the help of these Google Dorks from the Google Hacking Database — GHDB:

- “.git” intitle:”Index of”- filetype:git -github.com inurl:”/.git”

After a publicly exposed .git repository has been found, tools like GitHack and GitTools can be used to automatically reconstruct and dump the source files.

Impact of Exposed .git Repositories

If a .git repository is publicly exposed, then there is a chance that the entire source code of the application can be reconstructed, which in turn may contain sensitive information like API keys, database configurations, credentials to access certain services like web, database and file servers, AWS secret keys etc.

In some recent hacks, I had been able to dump and responsibly disclose the exposure of source code files, database configuration files and WordPress source files including the wp-config.php file, for a few organizations (that wish to remain unnamed).

Dumped .git repo
Reconstructed Source Code from an exposed .git repo
WordPress source files dumped from an exposed .git repo
Another WordPress source files dumped from an exposed .git repo

According to the Co-Owner of one such organization: “While we do not believe anyone but yourself accessed our data here’s what could potentially have been accessed: (1) PHP source files and (2) DB Configs.”

Although this is an extremely easy to find bug, the impact can be extremely critical as you can see from the above screenshots.

Security researcher and fellow hacker John Jackson, and the hacking group Sakura Samurai hacked the United Nations and the Indian Government due to exposed git repositories.

Preventing Exposure of .git Repositories

Firstly and most importantly don’t put sensitive content and credentials in publcily accessible assets (pointed out by Kyle Cribbs).

Secondly, removing the .git folder from your webserver, or restricting all access to .git folders and files.

For Apache:

Put the following in your httpd.conf file:

<DirectoryMatch "^/.*/\.git/"> 
Order deny,allow
Deny from all
</DirectoryMatch>

For Nginx:

Put the following in server-block in your nginx.conf file:

location ~ /.git/ {
deny all;
}

For IIS:

Put the following in your web.config file:

<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment=”.git” />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>

References:

Google Dorks:

Hacking Git Repositories by Vickie Li:

A couple of public HackerOne Reports:

--

--

Shahrukh Iqbal Mirza

A passionate hacker/pentester/red-teamer, part-time CTF player and ocassional bug bounty hunter. Advocate for “Hacking Is NOT A Crime.”