Source Code Reconstruction from .git Directory Exposure
By Team, Inspectiv
Nadia and her developer team were working tirelessly on their company’s new, groundbreaking web application that would disrupt the way the world exchanged currency. A few days later, Nadia received an alert that their source code was available on GitHub. “No way,” she thought. Once Nadia went to the GitHub link, she couldn’t believe it—their git repository was published for the world (and their competitors) to see and exploit to their heart’s content. Upon further investigation, the company’s incident response team found the server that hosted the git repository wasn’t configured correctly, and their entire directory was visible online for attackers.
In 2018, a security researcher was able to access the entire source code for various businesses, including India’s largest telecom service provider, due to a git repository misconfiguration which left components publicly accessible. And according to another security researcher’s findings, 400,000 websites were unearthed with exposed .git folders.
Obtaining a target application’s source code from a .git directory leak enables attackers to perform easier, in-depth reconnaissance. Attackers use tools, such as static code analysis (SCA), to then find code vulnerabilities to assist in exploit creation against the target application.
Below, you will discover how threat actors can take control of your entire source code through unintentional Git leaks. We will also share common mitigation techniques and how our security researchers can assist you in verifying that your Git repositories are not inadvertently exposed.
How attackers obtain your source code from .git leaks
Identify target web applications
Threat actors start by using tools to compile lists of target web application domains and subdomains to then check for git repository disclosures in the next step.
Detect .git directory exposures
Publicly disclosed .git directories could be found using both automated and manual techniques. Bruteforcing tools enumerate through directory keywords to locate exposed repositories.
Attackers can also locate the .git directory manually by typing https://example.com/.git or https://example.com/git/ in their browser and analyzing the response. If the response is a 404 error, the .git directory doesn’t exist on the server. If it’s a 403 forbidden response, it does exist. If there is no error and the .git directory tree displays, hackers can rejoice in the ease of access.
Extract .git directory contents
After the .git directories are located, bad actors download the directory contents and can restructure the project source code from there. If the full directory isn’t visible, there are methods to reconstruct each folder by searching for the expected files in a / .git folder directory listing.
The extracted source code can then be used to search for exploitable vulnerabilities and sensitive information, such as hardcoded credentials, tokens, encryption keys, new or deprecated endpoints for further study, developer comments, and more information gold.
Git repository leaks can present a significant threat to your company’s reputation by showing that attackers can breach the confidentiality of your proprietary source code. Below are common ways to mitigate the risk of code exposure resulting from unintended git repository disclosures.
.git directory leak vulnerability mitigation
Primary risk mitigation techniques to protect against git repository leaks include:
- Configuring server permission rules to ensure the git files are not publicly exposed.
- Verifying it is not possible to index the .git directory or subdirectories.
- Using a .gitignore file to ensure sensitive files are not added to the directory.
- Working with security researchers to identify and mitigate git repository vulnerabilities.
Git repository exposures can present serious risks to the integrity of your web and mobile applications and can hurt your reputability among consumers. Without proper server and git repository management, you put your applications, source code, and sensitive data at risk.
At Inspectiv, we are here to help protect your business from source code exposure, among other known and unknown attack scenarios. Inspectiv program managers work with both you and our security researchers to identify, verify, and validate security vulnerabilities in your web and mobile applications, such as source code exposure, which can lead to targeted attacks.
Inspectiv manages the entire bug-hunting process—there's no need to hire costly in-house security testers. Inspectiv provides you with actionable guidance to mitigate vulnerabilities and prevent potential security breaches and data theft.
Contact us to discover how our crowdsourced security platform can aid in protecting your company from ever-present threats and vulnerabilities to your online applications.