Attack and Defense Technique: Source Code Exposure via the .git Folder
Hack the Planet, Save the World.
In 2018, more than 390,000 website owners were not protecting their ".git" directory properly. Czech security specialist Vladimir Vladimirovich Smitka scanned 230 million domains and found that site administrators very often leave unprotected .git directories accessible to third parties. In total, over 390,000 websites had their .git directories available for download.
The expert decided to do global research after studying Czech and Slovak sites, where he found nearly 2,000 resources with an open .git directory.
Smitka explains that the situation is very bad because attackers can find such directories and dig up a variety of information, ranging from site structure data to passwords, API keys, IDE settings and so on.
Attack technique
- Prepare the tools. GitTools can be downloaded here.
- Then choose the target that you want to test. In this example I will do a pentest on the "Sales SIM Application" (I run the application on a virtual machine).
- After choosing the target, scan it using tools such as wfuzz, dirb, dirsearch, etc. The following is the result of scanning the web application.
- In the picture above we find that there is an exposed .git folder, so we download the files in that folder using the GitTools gitdumper script:
./gitdumper.sh <url> <save-folder>
- After dumping the .git folder, extract the commits from the dump with the GitTools extractor script. Here are the results.
./extractor.sh <result-dump-git> <save-folder>
- After obtaining admin credentials from the extracted source, log in to the website.
Defense technique
After performing the attack technique, now is the time to fix the vulnerability. Here are the steps.
- Open the Apache site configuration file, as follows.
nano /etc/apache2/sites-available/000-default.conf
- Then add a <DirectoryMatch> block whose regex matches any directory whose name starts with a dot (such as .git, .idea, etc.). Here is the additional configuration.
<DirectoryMatch "^\.|\/\.">
Order allow,deny
Deny from all
</DirectoryMatch>
- Then restart the apache2 service with the following command.
systemctl restart apache2
After applying the configuration, retest to confirm the vulnerability is fixed. Here is the result.
The .git folder is now protected and no longer publicly exposed.
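The retest above is shown only as a screenshot. The following is an added example (not part of the original post) of a small retest helper a server administrator can run against their own host after the <DirectoryMatch> fix: it requests `/.git/HEAD` and classifies the answer. The base URL `http://sales-sim.local` is an assumed placeholder for your own server.

```shell
#!/bin/sh
# Added retest helper (not from the original post). Run it against a server
# you administer to confirm the DirectoryMatch rule is blocking .git.

# classify STATUS FIRST_LINE -> prints exposed | blocked | absent | unknown
# A readable .git/HEAD contains "ref: refs/heads/<branch>" or, for a detached
# HEAD, a 40-hex commit id. 403 means the deny rule works; 404 means no repo
# is there. A 200 with HTML is usually a catch-all page, so it is "unknown"
# rather than a false "exposed".
classify() {
  status="$1"
  line="$2"
  case "$status" in
    200)
      case "$line" in
        "ref: refs/"*) echo exposed ;;
        *)
          if printf '%s' "$line" | grep -Eq '^[0-9a-f]{40}$'; then
            echo exposed
          else
            echo unknown
          fi ;;
      esac ;;
    403) echo blocked ;;
    404) echo absent ;;
    *)   echo unknown ;;   # 000 = connection failure, 5xx, redirects, etc.
  esac
}

# check_git_exposure BASE_URL -> prints the verdict for BASE_URL/.git/HEAD
check_git_exposure() {
  base="$1"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$base/.git/HEAD")
  first=$(head -n 1 "$tmp")
  rm -f "$tmp"
  classify "$status" "$first"
}

# Usage (assumed host): validate the Apache config before restarting, then retest.
#   apachectl configtest && systemctl restart apache2
#   check_git_exposure http://sales-sim.local    # expect: blocked
```

Two notes on the configuration itself: `Order allow,deny` / `Deny from all` is Apache 2.2 syntax and only works on Apache 2.4 if mod_access_compat is loaded; on 2.4 the equivalent inside the same <DirectoryMatch> block is `Require all denied`. Also run `apachectl configtest` before restarting so a typo in the regex does not take the site down.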
Thanks