All your Git is Mine! Oh wait.. Env too?

Git Expose

Exposed .git repositories is not something new. In fact, it has been reported many many times. But the question remains... "Why does it still affect companies?"

The goal of my current project which I named it Git The World, is to find out how open data sources like Rapid7's open data could be used as a weapon to put companies at jeopardy.

The severity of an exposed .git repository could lead to a complete take over by an attacker, simply because the attacker literally just downloaded your source code. It is a common sight to see hard-coded values in some web applications, but also dangerous.

Developers are trained to develop. Git IS a very great tool. But when not used and deployed in the correct manner, it could lead to serious security implications. For example, if a developer decides to put a "convinient" file upload service, all he needs to do is to google for an open source project that allows him to do the work. Next, he just need to change the name of the directory, and as long it is a non standard directory name, viola! Dirb or Gobuster would not catch it! He then proceeds to hard code credentials into the source code to "secure" it (just in case he shares the environment internally maybe?), and he calls it a "File management system" for "websites". Essentially, it is also known as an attack vector in the attacker's perspective. Somehow, .git was exposed in this website. The attacker is able to dump the git files. But how? It is as simple as following the steps in the following GitTools git repository (https://github.com/internetwache/GitTools). Inside, you have the two scripts any attacker needs! Finder and Dumper! Once Dumper is used, your source code is essentially compromised! If you happen to have the latest working production source code GIT repository in your web folder, then the attacker would get the same.

Once it is downloaded, all the attacker had to do was do a static analysis for hard-coded passwords, and also maybe... that secure "File management system" which you thought you renamed it, would not be found...

What happens after that, is totally up to your imagination. Exposed DB passwords? Lets try to login! Stored sensitive info on web root folder (Personal identification of customers, etc...), or how about that directory you renamed to upload files? Can I upload my own files too?

That is in short, how a simple misconfiguration could lead to a corporate IT nightmare. What's even worse, attackers can use open source data such as data from Rapid7 to do such probing! (https://opendata.rapid7.com/)

The Finder script in the GitTools repository allows the discovery of an accessible .git repository. And with Rapid7 having a vast amount of open data, it is possible to list the number of domains with such misconfiguration!

Env Expose

So... I asked myself... If the Finder was able to find .git files, how about modifying the script from finding .git to find .env? I modified the Finder script, and tested it on the open data which I downloaded. To my horror (and surprise), it worked! Information like SMTP accounts, Database Accounts, External API Keys, AWS Keys, and even the APP SECRET of the framework, was exposed! (Of course I did not use it)

Now let's think... If someone like me who just started cybersecurity is able to achieve this, what would someone with years of experience and the right resource achieve?

Never put sensitive information online.
Or just configure your .htaccess file correctly.

Cheers.