British cybersecurity researcher Liam Galvin has created Gitjacker, a tool that not only helps find .git folders accidentally left open and public on the Internet, but also downloads someone else's repository, with all its confidential files and source code. Gitjacker is written in Go and is already freely available on GitHub.
Basically, in its simplest application, the tool lets users scan a domain and locate the /.git folder. At the same time, the researcher stresses that /.git folders should never be accessible from the Internet.
“The .git directory stores all of your (Git) repository data, such as configuration, commit history, and the actual content of each file.
If you can get the complete contents of the .git folder for a particular site, you can access the raw source code for that site, and often other interesting configuration data such as database passwords, password salts, and more,” wrote Galvin in his blog.
The developer complains that not everyone understands this. It is not uncommon for people to accidentally copy their entire repository online, including the /.git folder, and forget to delete it. In addition, /.git folders sometimes end up in automated build chains or are added to Docker containers.
Thus, hackers can scan the Internet for such folders, download their contents and gain access to sensitive data and even source code.
“Web servers with directory listing enabled make these attacks particularly easy because it's just a matter of recursively downloading each file in the .git directory and doing a git checkout -. The attack is possible even if directory listing is disabled, but then it is often difficult to get the full repository,” says the author of Gitjacker.
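Two defensive checks for the exposure described above, as an added example that is not part of the original article or of Gitjacker: a pre-deploy scan of a web root for stray .git directories, and detection logic over web-server access logs that flags requests to .git paths, separating mere probing (404) from real exposure (200). The log lines and the demo web root are constructed for the example.

```python
import os
import re
import tempfile

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.68.0"
198.51.100.9 - - [10/Oct/2020:13:56:01 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "python-requests/2.24"
203.0.113.5 - - [10/Oct/2020:13:56:02 +0000] "GET /.git/objects/ab/cd HTTP/1.1" 200 301 "-" "curl/7.68.0"
"""

# client IP, request path and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3})')
# any path component that is exactly ".git" (e.g. /.git/HEAD, /app/.git/config)
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')

def find_git_probes(log_text):
    """Return (ip, path, status) for every request that touches a .git path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and GIT_PATH_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def served_git_requests(log_text):
    """Only the probes the server answered with 200: these mean the .git
    directory is really being served, not merely being scanned for."""
    return [h for h in find_git_probes(log_text) if h[2] == 200]

def find_exposed_git_dirs(webroot):
    """Pre-deploy check: list every .git directory under a web root,
    as POSIX-style paths relative to the root."""
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), webroot)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)

def make_demo_webroot():
    """Build a throwaway web root where app/ was copied with its .git folder."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", ".git", "objects"))
    os.makedirs(os.path.join(root, "static"))
    return root

if __name__ == "__main__":
    print("served .git requests:", served_git_requests(SAMPLE_LOG))
    print("exposed .git dirs:", find_exposed_git_dirs(make_demo_webroot()))
```

Running the web-root check in the deploy pipeline (and the log check in the SIEM) catches both halves of the problem the article describes: the folder being shipped, and it actually being fetched.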
Galvin explains that Gitjacker was designed to download and fetch repositories even when directory listing is disabled. He built the tool for use in penetration tests, but its capabilities will most likely soon be appreciated by attackers, who often use open source tools in their attacks.
Unfortunately, /.git folders are still often found publicly exposed. For example, in 2018 a Czech expert crawled over 230,000,000 sites and found that 390,000 of them had open /.git folders; the problem ended up being fixed in only 150,000 cases.