British cybersecurity researcher Liam Galvin has created Gitjacker, a tool that not only searches the Internet for accidentally exposed, publicly accessible .git folders but also downloads the repository behind them, including all confidential files and source code. Gitjacker is written in Go and is freely available on GitHub.

In its simplest use, the tool scans a domain and locates its /.git folder. At the same time, the researcher stresses that /.git folders should never be reachable from the Internet.
“The .git directory contains all of your [Git] repository data, such as configuration, commit history, and the actual content of each file. If you can get the complete contents of the .git folder for a particular site, you can access the raw source code for that site, and often other interesting configuration data such as database passwords, password salts, and more,” wrote Galvin on his blog.
The developer complains that not everyone understands this. It is not uncommon for people to accidentally copy their entire repository online, including the /.git folder, and forget to delete it. In addition, /.git folders sometimes end up in automated build chains or are added to Docker containers.

Thus, hackers can scan the Internet for such folders, download their contents, and gain access to confidential data and even source code.
“Web servers with directory listing enabled make these attacks particularly easy because it’s just a matter of recursively downloading each file in the .git directory and doing a git checkout. The attack is possible even if directory lists are disabled, but then it is often difficult to get the full repository,” says the author of Gitjacker.
Galvin explains that Gitjacker was designed specifically to download and reconstruct repositories even when directory listing is disabled. The researcher built the tool for use in penetration tests, but its capabilities will most likely also be appreciated by attackers, who often use open source solutions in their attacks and, for example, legitimate projects such as Pastebin to distribute malware.

Unfortunately, /.git folders are still often found exposed to the public. For example, in 2018 a Czech expert crawled over 230 million sites and found that 390,000 of them contained open /.git folders; following his disclosure, the problem was fixed in only 150,000 cases.
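The practical defender's question raised by the article is whether your own site serves its .git directory. The following self-audit is an added example, not code from Gitjacker or from Galvin; it checks the two files every exposed repository serves (.git/HEAD and .git/config) in a way that is not fooled by soft-404 pages, and reports whether the server also renders a directory index for /.git/ (the case the quote above calls "particularly easy"). The fetcher is injectable, so the logic runs offline against constructed responses; `https://example.invalid` and the response bodies below are constructed sample data.

```python
"""Self-audit for an exposed .git directory on a site you operate."""
import re
import urllib.request

# A real HEAD file is either "ref: refs/..." or a bare commit hash
# (40 hex for SHA-1 repos, 64 hex for SHA-256 repos).
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")
# Typical markers of an auto-generated directory index (nginx/Apache/python).
LISTING_RE = re.compile(r"Index of /|<title>Directory listing", re.I)


def http_get(url, timeout=5):
    """Return (status, body) for a GET; any error counts as 'not served'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except Exception:
        return None, ""


def audit_git_exposure(base_url, fetch=http_get):
    """Classify /.git exposure for base_url; returns a dict of booleans."""
    root = base_url.rstrip("/")
    head_status, head_body = fetch(root + "/.git/HEAD")
    cfg_status, cfg_body = fetch(root + "/.git/config")
    idx_status, idx_body = fetch(root + "/.git/")
    result = {
        # Content checks, not just status codes: a catch-all 200 page
        # would otherwise look like an exposed repository.
        "head_exposed": head_status == 200 and bool(HEAD_RE.match(head_body.strip())),
        "config_exposed": cfg_status == 200 and "[core]" in cfg_body,
        "listing_enabled": idx_status == 200 and bool(LISTING_RE.search(idx_body)),
    }
    result["exposed"] = result["head_exposed"] or result["config_exposed"]
    return result


# Constructed responses standing in for a misconfigured server (no network).
CONSTRUCTED_RESPONSES = {
    "https://example.invalid/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://example.invalid/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "https://example.invalid/.git/": (403, "<html>Forbidden</html>"),
}


def fake_fetch(url):
    """Offline fetcher: serves the constructed responses, 404 for anything else."""
    return CONSTRUCTED_RESPONSES.get(url, (404, "<html>Not Found</html>"))


if __name__ == "__main__":
    print(audit_git_exposure("https://example.invalid/", fake_fetch))
```

Run it against a staging copy before deploying; if `exposed` is true, deny the `.git` path at the web server and exclude the folder from deploy artifacts and Docker build contexts.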
Let me remind you that researchers have presented tools for scanning computers for the BlueKeep vulnerability.