Many developers use git to manage their source code; this widely used tool helps them keep track of software versions (and much more…).
Unfortunately, many people deploy git-managed projects to their web server without paying attention to a particular folder named .git, which git creates the moment a repository is initialized or cloned.
This folder holds the whole repository: every version of every tracked file (the project's source code included), stored as objects.
.git on a website
With that in mind, it is not hard to see why this folder matters: exposing it can be very dangerous for the owner of the website.
If it is not protected, it can leak the complete source code and other useful information: previous versions of every file, commit messages, the paths of files excluded from the repository, and sometimes credentials that can be used to access the repository.
The worst case is a .git folder on a server with directory listing enabled: the whole tree can be browsed and downloaded file by file.
If directory listing is disabled, requesting the folder itself returns a 403 error.
However, the error applies to the folder, not to each file. The server refuses to list the folder's contents, yet every file inside it can still be fetched through its own path, for example /.git/HEAD or /.git/config.
Last but not least, another important file that can be leaked is the config file, which can contain sensitive information about the repository, such as:
- the repository's remote URL
- a password embedded in that URL (almost never used, but it happens)
Keep in mind that this can happen to anyone: a casual user who does not even know this folder exists, as well as an advanced user who knows about it but misconfigures the server.
Some months ago I decided to create a browser extension that allowed me to find exposed .git folders by automatically scanning the websites I visited. Keep reading to find out how it works.
The way it works is very simple: for each visited domain, the extension makes an HTTP request looking for the .git folder.
E.g.: if you visit “https://example.com/dir/”, the extension checks whether “https://example.com/.git/” exists.
The extension notifies you every time it finds a .git folder on a website you are visiting.
(Notifications can be disabled in the options.)
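The probe described above, as an added example of my own rather than DotGit's code: the post only says the extension requests the .git folder, so which file to fetch (/.git/HEAD), the User-Agent string and the validation rule are my assumptions. Checking that the body really looks like a HEAD file matters because many servers answer 200 with a catch-all HTML page for any path, which would otherwise count as a hit.

```python
"""Added example (mine, not DotGit's code): probe a site for an exposed .git.

The post says the extension requests the .git folder for each visited domain.
Which file to request and how to validate the answer are my assumptions:
fetching /.git/HEAD and checking that the body really looks like a HEAD file
avoids false positives from servers that answer 200 with a catch-all page.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# HEAD is either a symbolic ref ("ref: refs/heads/main") or, when detached,
# a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def probe_url(page_url: str) -> str:
    """Map any URL on a site to the HEAD probe at the web root."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, "/.git/HEAD", "", ""))


def looks_like_head(body: str) -> bool:
    return HEAD_RE.match(body) is not None


def classify(status: int, body: str) -> tuple:
    """Return (exposed, reason) for one probe response."""
    if status != 200:
        return False, f"status {status}"
    if not looks_like_head(body):
        return False, "200 but body is not a HEAD file (catch-all page?)"
    return True, body.strip()


def http_get(url: str, timeout: float = 5.0) -> tuple:
    """Real fetcher returning (status, body).  Redirects are not followed, so a
    301 to a login or error page is reported as 301, not as that page's 200."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dotgit-probe-example"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_site(page_url: str, fetch=http_get) -> dict:
    url = probe_url(page_url)
    status, body = fetch(url)
    exposed, reason = classify(status, body)
    return {"url": url, "exposed": exposed, "reason": reason}


if __name__ == "__main__":
    # Constructed responses so the demo runs offline; use http_get for real sites.
    canned = {
        "https://example.com/.git/HEAD": (200, "ref: refs/heads/master\n"),
        "https://example.org/.git/HEAD": (200, "<html><body>Not found</body></html>"),
        "https://example.net/.git/HEAD": (403, ""),
    }
    fake = lambda url: canned.get(url, (404, ""))
    for site in ("https://example.com/dir/", "https://example.org/x?y=1", "https://example.net/"):
        print(site, check_site(site, fetch=fake))
```

The fetcher is injected so the logic can be exercised against constructed responses; `http_get` does the real request and deliberately refuses to follow redirects, since a 301 to a login page would otherwise look like a 200 with an HTML body.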
The download button downloads the .git folder (and its contents) even if directory listing is not enabled.
Without going into too much detail, this is possible because of the information contained in some files whose names are always the same (HEAD, the refs, the index, and so on).
Thanks to this, every object and pack file, which contain the commits, the sources and references to other objects, can be traced and fetched one by one.
Once you have downloaded the folder, you can extract the sources with “git checkout -- .” or “git reset --hard”.
It may happen that many files are missing. In this case it is useful to use this tool:
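The walk the download button performs, as an added example of my own: it is neither DotGit's code nor the tool referred to above. It follows HEAD to the branch ref, the ref to a commit, the commit to its tree, and the tree to sub-trees and blobs, deriving each object's path under .git/objects/ along the way. Assumptions that are mine rather than the post's: objects are loose (not packed), HEAD points at refs/heads/<branch>, and `fetch(relpath)` returns the raw bytes of a path under .git/ or None when the server answers with an error; the sample repository is constructed in memory with real git hashing and zlib compression so the parser sees genuine object encodings.

```python
"""Added example (mine, not DotGit's code and not the tool mentioned above):
recover a repository's files by walking loose git objects, which is how a
downloader can work without directory listing.

Assumptions (mine): loose objects only, HEAD -> refs/heads/<branch>, and
`fetch(relpath)` returns bytes for a path under .git/ or None on error.
"""
import hashlib
import zlib


def object_path(sha: str) -> str:
    """Loose objects live at .git/objects/<first 2 hex>/<remaining 38 hex>."""
    return f"objects/{sha[:2]}/{sha[2:]}"


def parse_object(compressed: bytes) -> tuple:
    """A loose object is zlib('<kind> <size>\\0<body>'); return (kind, body)."""
    header, _, body = zlib.decompress(compressed).partition(b"\0")
    return header.decode().split(" ")[0], body


def parse_tree(body: bytes) -> list:
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>' back to back."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def parse_commit(body: bytes) -> dict:
    """Commit headers are 'key value' lines; 'parent' lines lead to history."""
    headers = body.partition(b"\n\n")[0].decode().splitlines()
    pairs = [line.partition(" ") for line in headers]
    return {"tree": next(v for k, _, v in pairs if k == "tree"),
            "parents": [v for k, _, v in pairs if k == "parent"]}


def walk(fetch) -> dict:
    """HEAD -> ref -> commit -> trees -> blobs.  Missing objects (the 'many
    files are missing' case) are recorded instead of aborting the walk."""
    head = fetch("HEAD").decode().strip()
    commit_id = fetch(head[5:]).decode().strip() if head.startswith("ref: ") else head
    files, missing = {}, []

    def get(sha):
        data = fetch(object_path(sha))
        if data is None:
            missing.append(sha)
            return None, None
        return parse_object(data)

    def walk_tree(sha, prefix):
        kind, body = get(sha)
        if kind != "tree":
            return
        for mode, name, child in parse_tree(body):
            if mode.startswith("40"):          # 40000: subdirectory
                walk_tree(child, prefix + name + "/")
            else:
                ckind, blob = get(child)
                if ckind == "blob":
                    files[prefix + name] = blob

    kind, body = get(commit_id)
    if kind == "commit":
        walk_tree(parse_commit(body)["tree"], "")
    return {"commit": commit_id, "files": files, "missing": missing}


def build_sample(drop_config_blob: bool = False) -> dict:
    """Constructed one-commit repository: index.php plus inc/config.php."""
    store = {}

    def add(kind, body):
        raw = f"{kind} {len(body)}\0".encode() + body
        sha = hashlib.sha1(raw).hexdigest()
        store[object_path(sha)] = zlib.compress(raw)
        return sha

    cfg = add("blob", b"DB_PASSWORD=hunter2\n")
    idx = add("blob", b"<?php echo 'hi'; ?>\n")
    sub = add("tree", b"100644 config.php\0" + bytes.fromhex(cfg))
    root = add("tree", b"40000 inc\0" + bytes.fromhex(sub)
                       + b"100644 index.php\0" + bytes.fromhex(idx))
    commit = add("commit", (f"tree {root}\nauthor A <a@x> 0 +0000\n"
                             f"committer A <a@x> 0 +0000\n\ninitial\n").encode())
    store["HEAD"] = b"ref: refs/heads/master\n"
    store["refs/heads/master"] = (commit + "\n").encode()
    if drop_config_blob:
        del store[object_path(cfg)]   # simulate a 404 for one object
    return store


if __name__ == "__main__":
    store = build_sample(drop_config_blob=True)
    print(walk(lambda p: store.get(p)))
```

Against a real server, `fetch` would issue one HTTP GET per relative path under /.git/ and return None on a non-200 answer; the `missing` list is exactly the set of objects a partial dump lacks, and the `parents` list from `parse_commit` is where a fuller tool continues into older commits.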
After 3/4 months of using my extension I found more than 200 websites exposing the .git folder; unfortunately most of them did not even reply to my reports.
Download source: https://github.com/davtur19/DotGit
Download Firefox: https://addons.mozilla.org/it/firefox/addon/dotgit/
Download Chrome: https://chrome.google.com/webstore/detail/dotgit/pampamgoihgcedonnphgehgondkhikel
Special thanks to Internetwache.org for publishing the article which inspired me: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
Disclaimer: the usage of this extension may be illegal in some countries, even if the downloaded information is accessible to anyone on the web; use it at your own risk.