Blog: Data leak via exposed .git directories

Intro / TL;DR

An analysis of over 2.5 million domains for publicly accessible code repositories (Git) found more than 1000 of them. The repositories contain harmless things like templates or static HTML pages, but also the complete code of web applications including their configuration: passwords for logins, databases, Office 365 logins, email accounts with passwords, or private keys used to communicate with payment providers. We even found usernames and passwords in the metadata of the repository itself, which gave access to the complete code management systems of companies. Even without a directory listing for the .git folder, the data can be downloaded.

Public git directory

What is a Git repository?

In software development today it is standard to use a code management system (version control). One such system is Git (https://de.wikipedia.org/wiki/Git).

A code management system stores the entire history of the source code. Every change can be followed, and every previous version of the source code can be restored. In addition, some metadata about the project is stored alongside it.

What is the risk of an exposed Git repository?

When a web application or website is deployed, the code is often checked out directly from the code management system. A misconfiguration can then leave the hidden .git folder accessible over the web, so the entire source code, including all configuration files, can often be retrieved. For example: https://example.com/.git/

The files in the .git folder may be listed directly. But even if directory listing is disabled on the server, the files in the .git folder can still be requested individually by name. Access to the .git folder is often also possible if you omit www or switch between http and https.

For example:
Access via https://www.example.com/.git/ is not possible, but access via https://example.com/.git is.

Why is direct access to the .git folder dangerous?

The entire code, including old versions, is visible. An attacker who has the complete code available finds it much easier to locate and exploit security holes.

Configuration files are often stored in the Git repository. These can contain usernames, passwords, access tokens and so on, which can then be abused, for example to connect directly to the database.

Usernames and passwords can also be present in plain text in the metadata of a Git repository. This allows an attacker to access the code management system directly and download all of a company's projects.

Stats from the scan

We have scanned over 2.5 million domains.

In some repositories only the website's templates were stored; in others the complete code of the website was available. We also found various usernames and passwords, ranging from email accounts to database connections to logins for the complete code management systems of companies.

  • 1053 fully or partially public .git folders
  • 161 with username in metadata
  • 12 with username and password in metadata

Take away

Check if your webserver blocks the delivery of the .git folder

You can protect yourself from accidentally making the .git folder public by scanning your systems with nuclei and a corresponding template, or you can use a service like this to automate the scan for all your subdomains.
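As an added example (not from the original post or the scanning service it describes), a small Python checker that requests .git/HEAD and .git/config on the www / non-www and http / https variants mentioned above, verifies the file content instead of trusting a 200 status, and flags a config whose remote URL embeds a username and password. The host names, the User-Agent string and the fetch helper are assumptions for illustration.

```python
"""Defensive check for a web-served .git directory (constructed example,
not the blog's own tooling). Requests .git/HEAD and .git/config across the
www / non-www and http / https variants the post describes."""
import re
from itertools import product
from urllib.error import URLError
from urllib.request import Request, urlopen

GIT_FILES = ("HEAD", "config")
# A real HEAD is a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)")
# remote URL of the form scheme://user:password@host/... in .git/config
CRED_RE = re.compile(r"url\s*=\s*\S+://[^/\s:@]+:[^@\s]+@", re.I)


def candidate_urls(domain):
    """All scheme/host variants for a domain such as example.com."""
    host = domain.lower().removeprefix("www.")
    for scheme, prefix in product(("https", "http"), ("", "www.")):
        yield f"{scheme}://{prefix}{host}/.git/"

def classify_git_file(name, body):
    """Label the body if it is a genuine .git/<name>, else None.
    Content is checked because many servers answer 200 with an HTML
    error page ("soft 404"), which must not count as a finding."""
    if name == "HEAD" and HEAD_RE.match(body.strip()):
        return "exposed"
    if name == "config" and "[core]" in body:
        return "credentials-in-remote" if CRED_RE.search(body) else "exposed"
    return None

def default_fetch(url):
    """Return (status, first 4 KiB of body); (0, '') on network error."""
    req = Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except URLError:
        return 0, ""

def check_domain(domain, fetch=default_fetch):
    """Map exposed URL -> finding label; empty dict means nothing found."""
    findings = {}
    for base in candidate_urls(domain):
        for name in GIT_FILES:
            status, body = fetch(base + name)
            if status == 200 and (label := classify_git_file(name, body)):
                findings[base + name] = label
    return findings
```

Call check_domain("yourdomain.example") against hosts you administer; an empty result means none of the four variants served a recognisable .git file, and a "credentials-in-remote" label means the exposed config also leaks the login for your code management system.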


Secure git directory