A new tool called Gitjacker can help developers discover when they’ve accidentally uploaded /.git folders online and have left sensitive information exposed to attackers.
In its simplest form, the tool lets users scan a domain and identify the location of a /.git folder on their production systems.
/.git folders should never be uploaded online.
“A .git directory stores all of your [Git] repository data, such as configuration, commit history, and actual content of each file in the repository,” Galvin said in a blog post last month when he launched Gitjacker.
“If you can retrieve the full contents of a .git directory for a given website, you will be able to access raw source code for that site, and often juicy configuration data like database passwords, password salts, and more,” he added.
All developers know this; however, accidents happen.
For example, developers working on a website or a web app can accidentally copy their entire Git repository online, including the /.git folder, and forget to remove it. Furthermore, /.git folders can also be included in automated build chains and added to Docker containers that are later installed as web servers.
Gitjacker not only finds /.git folders but can also fetch their content
Attackers can scan the internet for these types of folders, identify accidentally exposed systems, download their content, and gain access to sensitive configuration data or even to an app’s source code.
“Webservers with directory listings enabled make this kind of attack especially easy, as it’s simply a matter of recursively downloading every file in the .git directory and running the following to pull files from the stored object files: git checkout -- .”, Galvin said.
“The attack is still possible when directory listings are disabled, but it’s often difficult to retrieve a complete repository in such cases,” Galvin added.
However, this is where Gitjacker comes in. Galvin said he developed Gitjacker to handle the download and extraction of a git repository for users, even in cases where web directory listings are disabled.
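The check a site owner would run against their own domains, as an added example that is not part of the article or of Gitjacker itself: it requests /.git/HEAD and /.git/config and decides from the contents of those two files, not from HTTP status codes, whether a real Git directory is being served. The fetch helper and the constructed sample bodies are assumptions, not data from any real site.

```python
import re
import sys
import urllib.request
from urllib.parse import urljoin

# Signatures of a real .git directory: HEAD is either a symbolic ref or a bare
# 40-hex commit hash, and config is an INI-style file with a [core] section.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")
CONFIG_RE = re.compile(r"^\s*\[core\]", re.MULTILINE)


def classify_git_exposure(head_body, config_body):
    """Return "exposed", "likely" or "not-exposed" from the two fetched bodies.

    A custom 404 page served with HTTP 200 is the usual false positive, so the
    verdict relies on file contents rather than on status codes.
    """
    head_ok = head_body is not None and bool(HEAD_RE.match(head_body.strip()))
    config_ok = config_body is not None and bool(CONFIG_RE.search(config_body))
    if head_ok and config_ok:
        return "exposed"
    if head_ok or config_ok:
        return "likely"
    return "not-exposed"


def fetch(url, timeout=5):
    """Hypothetical helper: return the first 8 KiB of a URL as text, or None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(8192).decode("utf-8", "replace")
    except Exception:
        return None


def check_site(base_url):
    """Check one of your own sites for a served /.git directory at the web root."""
    head = fetch(urljoin(base_url, "/.git/HEAD"))
    config = fetch(urljoin(base_url, "/.git/config"))
    return classify_git_exposure(head, config)


# Constructed sample bodies (no real site involved) covering the outcomes.
SAMPLE_HEAD = "ref: refs/heads/main\n"
SAMPLE_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
SAMPLE_404 = "<html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    print(classify_git_exposure(SAMPLE_HEAD, SAMPLE_CONFIG))  # exposed
    print(classify_git_exposure(SAMPLE_404, SAMPLE_404))      # not-exposed
    for site in sys.argv[1:]:
        print(site, check_site(site))
```

A "likely" verdict usually means one of the two files is blocked by a partial web server rule; the fix is still the same, remove the folder from the deployed tree and deny requests to /.git/ in the web server configuration.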
Galvin said he developed the tool to be used in penetration tests, but due to its capabilities, Gitjacker will most likely be abused by threat actors as well (as threat actors have a long history of abusing open source tools for their operations).
And why not? Gitjacker’s capabilities allow attackers to retrieve sensitive configuration files with a few keystrokes.
In addition, there’s an incentive for attackers to look for /.git folders. Even after years of warnings [1, 2, 3, 4], exposed /.git folders remain common, meaning attackers will have an easy time finding domains with /.git folders left exposed online.
For example, in 2018, a Czech developer scanned more than 230 million sites and found that 390,000 were exposing /.git folders, but only 150,000 of these were fixed.