Original Post: Git Gone Wrong: Application Compromise via Exposed .git Directory | by Cyber Sekler | Jul, 2024
The blog post recounts a penetration test in which an exposed .git directory was discovered on a web application. Using feroxbuster for content discovery and git-dumper to retrieve the repository, the author downloaded and decompressed the contents of the .git/objects folder. This recovered the application's source code, including sensitive material such as hardcoded credentials. Running gitleaks over the recovered source surfaced two passwords within seconds. Trying a common username ("admin") with the discovered passwords, the author gained administrator access to the application.

For a broader vulnerability assessment, the author then scanned the source code with the Snyk extension for Visual Studio Code, which uncovered further potential vulnerabilities.

The key takeaway is the importance of keeping .git directories out of reach of web clients and of regularly scanning codebases for leaked secrets, so that an exposed repository cannot turn into a full application compromise.
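As an added example (not code from the original post or its author), the following Python script performs the defensive counterpart of the two findings above: it checks a directory about to be deployed for a shipped .git entry and runs a small set of credential patterns over every file, in the spirit of gitleaks but with a deliberately tiny rule set. The directory layout, file contents, remote URL and patterns are all constructed for the demo and are assumptions, not values from the post.

```python
"""Pre-deploy audit: refuse to ship a web root that contains a .git entry or
hardcoded credentials.  Added example, not from the original post."""
import os
import re
import tempfile
from pathlib import Path

# Constructed credential patterns for the demo; real scanners such as gitleaks
# ship far larger, tuned rule sets.
SECRET_PATTERNS = {
    # password = '...' / pwd: "..." style assignments (at least 6 chars)
    "password_assignment": re.compile(
        r"""(?i)(?:pass(?:word)?|pwd)\s*[=:]\s*['"]([^'"]{6,})['"]"""),
    # scheme://user:secret@host, e.g. a git remote with an embedded token
    "url_with_credentials": re.compile(r"://[^:/\s@]+:[^@/\s]+@"),
    # AWS access key id shape
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Directories that are normally safe to skip so the scan stays fast.
SKIP_DIRS = {"node_modules", "vendor", "__pycache__"}


def find_git_dirs(root):
    """Return every '.git' entry (directory or gitlink file) under root, relative to root."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name == ".git":
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
    return sorted(hits)


def scan_file_for_secrets(path):
    """Return (rule_name, line_number, stripped_line) for each matching line in one file."""
    findings = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((rule, lineno, line.strip()))
    return findings


def audit_webroot(root):
    """Walk the web root (including any .git it contains) and collect both kinds of finding."""
    root = Path(root)
    secrets = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fname in filenames:
            fpath = Path(dirpath) / fname
            for rule, lineno, _line in scan_file_for_secrets(fpath):
                secrets.append((os.path.relpath(fpath, root), rule, lineno))
    return {"git_dirs": find_git_dirs(root), "secrets": sorted(secrets)}


def deployment_is_clean(report):
    """True only when neither a .git entry nor a credential pattern was found."""
    return not report["git_dirs"] and not report["secrets"]


def build_demo_webroot():
    """Create a constructed web root that reproduces the post's two problems."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    # Constructed: a remote URL with an embedded deploy token.
    (root / ".git" / "config").write_text(
        '[remote "origin"]\n'
        '\turl = https://deploy:EXAMPLE_TOKEN_123@example.invalid/app.git\n')
    (root / "app").mkdir()
    (root / "app" / "config.php").write_text(
        "<?php\n$db_host = 'localhost';\n$db_password = 'CONSTRUCTED_pw_2024';\n")
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return str(root)


if __name__ == "__main__":
    demo = build_demo_webroot()
    result = audit_webroot(demo)
    for entry in result["git_dirs"]:
        print(f"[git] {entry} would be served to web clients")
    for path, rule, lineno in result["secrets"]:
        print(f"[secret] {path}:{lineno} matches {rule}")
    print("clean" if deployment_is_clean(result) else "BLOCK DEPLOY")
```

Wired into a CI step before the artifact is copied to the web server, a non-clean report blocks the deploy; note that the audit deliberately walks into .git itself, since a remote URL in .git/config with an embedded token is one of the more common secrets an exposed repository gives away.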