PayloadsAllTheThings/Insecure Source Code Management
2024-11-10 14:37:48 +01:00

Insecure Source Code Management

Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.

Methodology

Exposing the version control system folders on a web server can lead to severe security risks, including:

  • Source Code Leaks: Attackers can download the entire source code repository, gaining access to the application's logic.
  • Sensitive Information Exposure: Embedded secrets, configuration files, and credentials might be present within the codebase.
  • Commit History Exposure: Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated.

The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques.

Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass .htaccess or reverse proxy rules.

The NGINX rule below returns a 403 (Forbidden) response instead of 404 (Not Found) for requests under /.git, so the status code alone confirms that the folder exists even though it cannot be read.

location /.git {
  deny all;
}

In Git, for example, the extraction technique does not require directory listing of the .git folder (http://target.com/.git/): the repository data can still be recovered as long as the individual files inside it can be read.
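The two points above (check status codes and contents per path, and treat readable files rather than directory listings as the real exposure) can be turned into a self-check a defender runs against their own hosts. The following is an added example, not code from PayloadsAllTheThings: it probes the well-known metadata files of Git, Subversion and Mercurial, verifies the body against a content fingerprint so a catch-all "200 OK" page is not mistaken for a repository, and reports a 403 as a finding in its own right because, as the NGINX rule shows, a deny rule confirms the folder is present. The fingerprints (`ref: refs/` or a 40-hex object id in .git/HEAD, the SQLite header in .svn/wc.db, a numeric first line in the pre-1.7 .svn/entries, `revlogv1`/`store` in .hg/requires) and the `fetch` callback interface are this example's own choices, and the sample responses are constructed.

```python
"""Audit a host for exposed SCM metadata folders (added example, not from
PayloadsAllTheThings). Works from the status code and body of each probe,
never from a directory listing, because the files are what an attacker
actually needs."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Files present in every checkout of each SCM, paired with a content check
# that separates a real repository file from a catch-all 200 page.
# (Fingerprints are this example's assumptions, chosen from each format's
# well-known layout.)
SCM_FINGERPRINTS = {
    ".git/HEAD": ("git", lambda body: body.startswith(b"ref: refs/")
                  or re.fullmatch(rb"[0-9a-f]{40}\s*", body) is not None),
    ".svn/wc.db": ("svn", lambda body: body.startswith(b"SQLite format 3\x00")),
    ".svn/entries": ("svn", lambda body: re.match(rb"^\d+\r?\n", body) is not None),
    ".hg/requires": ("hg", lambda body: b"revlogv1" in body.splitlines()
                     or b"store" in body.splitlines()),
}


@dataclass
class Finding:
    path: str
    scm: str
    verdict: str  # "exposed" | "blocked" | "decoy" | "absent"


def classify(path, status, body):
    """Map one (status, body) pair for a probe path to a verdict."""
    scm, looks_real = SCM_FINGERPRINTS[path]
    if status == 200:
        # 200 with the wrong content is a decoy / catch-all page, not a leak
        return Finding(path, scm, "exposed" if looks_real(body) else "decoy")
    if status in (401, 403):
        # A deny rule still confirms the folder exists (403 instead of 404)
        return Finding(path, scm, "blocked")
    return Finding(path, scm, "absent")


def audit(fetch, base_url):
    """fetch(url) -> (status, body_bytes). Probe every known path once."""
    base = base_url.rstrip("/")
    return [classify(p, *fetch(f"{base}/{p}")) for p in SCM_FINGERPRINTS]


def needs_attention(findings):
    """Exposed files are a leak; blocked ones still disclose the folder."""
    return [f for f in findings if f.verdict in ("exposed", "blocked")]


def urllib_fetch(url, timeout=5):
    """Real fetcher for your own hosts: returns (status, body) even on 4xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "scm-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


# Constructed responses standing in for a server during an offline run:
# a readable HEAD, a deny-rule 403 on wc.db, a true 404, and a decoy page.
SAMPLE_RESPONSES = {
    ".git/HEAD": (200, b"ref: refs/heads/main\n"),
    ".svn/wc.db": (403, b"<html>403 Forbidden</html>"),
    ".svn/entries": (404, b""),
    ".hg/requires": (200, b"<html>Welcome to our site</html>"),
}


def sample_fetch(url):
    path = url.split("/", 3)[3]  # strip scheme and host
    return SAMPLE_RESPONSES.get(path, (404, b""))


if __name__ == "__main__":
    for finding in audit(sample_fetch, "https://example.test"):
        print(f"{finding.verdict:8} {finding.scm:4} {finding.path}")
```

Swap `sample_fetch` for `urllib_fetch` to run it against a host you operate; anything reported as `exposed` or `blocked` means the folder was deployed and should be removed from the document root (or the server configured to answer 404 for it), and `decoy` is the signature of a catch-all page rather than a leak.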

Labs

References