Please remove that .git folder

Have you ever tried to browse http://yoursite.com/.git/?

If you get a 403 error, that’s normal. It means directory browsing is disabled, which is basic security. However, many files in the .git/ folder could be accessible, putting you at risk.


This content originally appeared on DEV Community and was authored by jmau111

Have you ever tried to browse http://yoursite.com/.git/?

If you get a 403 error, that's normal. It means directory browsing is disabled, which is basic security. However, many files in the .git/ folder could be accessible, putting you at risk.

.git/ folder leakage: easy exploit

N.B.: use the tool below at your own risks

GitHub logo WangYihang / GitHacker

🕷️ A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers' mind

GitHacker

Desciption

This is a multiple threads tool to detect whether a site has the .git folder leakage vulnerability. It is able to download the target .git folder almost completely. This tool also works when the DirectoryListings feature is disabled. It is worth mentioning that this tool will download almost all files of the target git repository and then rebuild them locally, which makes this tool State of the art in this area. For example, tools like [githack] just simply restore the latest version. With GitHacker's help, you can view the developer's commit history, which makes a better understanding of the character and psychology of developers, so as to lay the foundation for further code audition.

PROCLAMATION (IMPORTANT)

Several VULNERABILITIES have been reported recently, if you are using GitHacker <= 1.1.0, please update your tool as soon as possible.

The remote .git folder maybe malicious, so to prevent you from…

Anyone can use automated scripts such as the above repository to download your source code and view the entire git history. Git is also a filesystem that follows some conventions, so you can guess directories and files easily.

Most projects use master or main as master branch, so it's easy to guess "hidden" paths in the /.git/ folder. Note that the tool can even brute force branches and tags if that's necessary.

If the scan succeeds, you get a result folder on your local machine (you can customize the folder name with the --output-dir option).

A typical result is the equivalent of git checkout master for free!

Don't deploy the .git/ folder or, at least, forbid access

The .git/ folder can contain lots of information, including the source code itself but also names, mails, and, in the worst-case scenario, hard coded credentials (e.g. databases, tokens, keys).

For a hacker, it's like Christmas!

You should completely disable public access to such folder. Modern CI/CD and deployment solutions are relatively easy to configure and allow cleaning such directories that have nothing to do with the production environment.

Note that some web hosting providers disable access to the folder for security purpose, but it's not always the case and it's not the default configuration, so check it before deploying anything.

I recommend doing all hardenings available. While it might seem a bit overkill, it's often a good idea to take into account any misconfiguration that could occur in the future or a miscalculated migration, so:

  1. Disable public access in the .git/ folder by default on your server
  2. Add a rule to forbid access to the folder in your source code, for example, in the .htaccess file for Apache configurations
  3. Don't even deploy such folder in public directories if that's possible

If you don't want to touch sensitive files such as the .htaccess, you can add a smaller .htaccess at the root of the .git/ folder on your server with just the following line inside:

Deny from all

However, it's even better to return a 404 for the .git/ folder in your server config or main .htaccess, so hackers won't be able to guess anything:

RedirectMatch 404 /\.git

Again, I recommend adding both rules if you can, as two layers of security. In case someone modifies the main .htaccess and delete the rule accidentally, there's still a fallback in the .git/ folder.

When migrating from one server to another, misconfigurations and oversights do happen.


This content originally appeared on DEV Community and was authored by jmau111


Print Share Comment Cite Upload Translate Updates
APA

jmau111 | Sciencx (2022-06-22T11:08:59+00:00) Please remove that .git folder. Retrieved from https://www.scien.cx/2022/06/22/please-remove-that-git-folder/

MLA
" » Please remove that .git folder." jmau111 | Sciencx - Wednesday June 22, 2022, https://www.scien.cx/2022/06/22/please-remove-that-git-folder/
HARVARD
jmau111 | Sciencx Wednesday June 22, 2022 » Please remove that .git folder., viewed ,<https://www.scien.cx/2022/06/22/please-remove-that-git-folder/>
VANCOUVER
jmau111 | Sciencx - » Please remove that .git folder. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2022/06/22/please-remove-that-git-folder/
CHICAGO
" » Please remove that .git folder." jmau111 | Sciencx - Accessed . https://www.scien.cx/2022/06/22/please-remove-that-git-folder/
IEEE
" » Please remove that .git folder." jmau111 | Sciencx [Online]. Available: https://www.scien.cx/2022/06/22/please-remove-that-git-folder/. [Accessed: ]
rf:citation
» Please remove that .git folder | jmau111 | Sciencx | https://www.scien.cx/2022/06/22/please-remove-that-git-folder/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.