git directory exposure

What is Git Directory Exposure (.git)? Ways to Exploit, Examples and Impact

Discover how exposed .git folders leak source code and secrets. Learn manual and automated exploitation methods and how to secure your web server today.

Siddhartha Katiyar

5 min read
What is Git Directory Exposure (.git)? Ways to Exploit, Examples and Impact

When developers deploy web applications, they often rely on Git for version control. However, a common and critical misconfiguration occurs when the internal .git directory is inadvertently uploaded to the production web server's public root. This exposure allows anyone on the internet to download the entire version control history, potentially leading to a full source code leak, the discovery of hardcoded credentials, and a total compromise of the application environment.

In this guide, we will explore the technical details of Git directory exposure, how attackers exploit it, and the steps you can take to secure your infrastructure. To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.

Understanding the Git Directory Structure

To understand why an exposed .git folder is dangerous, we must first understand what lives inside it. When you initialize a repository using git init, Git creates a hidden directory named .git. This folder acts as the "brain" of your repository, containing every change ever made, every branch created, and configuration data.

The Internal Components of .git

  • objects/: This is the database of Git. It contains compressed versions of every file (blobs), directory structures (trees), and commit metadata. Even if the current version of the site is obfuscated, the history in the objects folder usually contains the original, readable source code.
  • refs/: This directory holds pointers to commit objects, specifically for branches (heads) and tags. By reading these, an attacker can see the different development streams, such as feature/api-integration or fix/db-credentials.
  • config: This file contains local configuration settings. It often reveals the remote repository URL (e.g., on GitHub or GitLab), which might include internal usernames or even authentication tokens if the developer used a poorly formatted remote URL.
  • index: This is a binary file that lists the paths of all files in the repository and their corresponding object IDs. It serves as a map for the entire project structure.
  • logs/: This contains the reflog, which tracks every change to the HEAD. It is a goldmine for seeing what the developers were doing recently.

How Does Git Exposure Occur?

Git exposure is rarely a bug in Git itself; it is almost always a deployment workflow error. Here are the most common scenarios:

  1. Direct git clone in Web Root: A developer logs into a production server and runs git clone <repo_url> . inside /var/www/html. This pulls the .git folder directly into the publicly accessible directory.
  2. Recursive Copying: Using commands like cp -R or scp -r to move a local development folder to a server without excluding hidden files.
  3. CI/CD Misconfiguration: Automated deployment scripts that mirror the entire repository directory to an S3 bucket or a web server without a cleanup step to remove the .git metadata.
  4. Lack of Server-Level Deny Rules: Even if the folder exists, a properly configured web server should return a 403 Forbidden error when someone tries to access it. If the server is configured to serve all files by default, the exposure becomes exploitable.

Detecting Exposed .git Directories

Attackers and security researchers use several methods to find these exposures. Since the directory is hidden (starting with a dot), it won't show up in standard directory listings unless specifically enabled, but it remains accessible via a direct URL.

Manual Verification

The simplest way to check for this vulnerability is to append /.git/config to a website's URL:

https://example.com/.git/config

If the browser downloads a file or displays text containing [core] and [remote "origin"], the directory is exposed.

Google Dorking for .git Folders

Search engines index exposed directories if they aren't blocked by robots.txt. Attackers use "Dorks" to find thousands of vulnerable sites at once:

intitle:"index of" ".git"

Automated Scanning Tools

Tools like ffuf or dirsearch are commonly used to find hidden directories. A simple scan might look like this:

ffuf -u https://example.com/FUZZ -w common_wordlist.txt -e .git

Exploiting Git Exposure: From Discovery to Source Code

Once an attacker confirms the presence of a .git directory, the goal shifts from detection to full reconstruction. Simply downloading files one by one is tedious because Git stores file content in a hashed, compressed format within the objects/ directory.

Using Git-Dumper for Full Reconstruction

Tools like git-dumper automate the process of crawling the exposed directory and rebuilding the original source code locally. It fetches the index, identifies all the objects, downloads them, and runs a git checkout to restore the files.

Example Command:

# Install git-dumper
pip install git-dumper

# Run the dumper against a target
git-dumper https://example.com/.git/ ./recovered_repo

After this command finishes, the attacker has a local copy of your entire website's source code, including previous versions and deleted files.

Extracting Sensitive Information

With the source code in hand, the attacker will search for secrets. This is often done using grep or specialized tools like trufflehog.

# Searching for API keys or passwords in the recovered code
grep -riE "password|api_key|secret|aws_access" ./recovered_repo

Commonly found items include:

  • Database credentials (host, username, password).
  • Third-party API keys (Stripe, AWS, SendGrid).
  • Hardcoded SSH keys.
  • Internal documentation or comments revealing other vulnerabilities.

Real-World Impact of Git Exposure

The impact of an exposed .git folder is almost always "Critical."

  1. Intellectual Property Theft: Competitors or malicious actors can steal your proprietary algorithms, business logic, and unique features.
  2. Full System Compromise: If an attacker finds database credentials in the config files or settings.py, they can access your production database, steal user data, or drop tables.
  3. Lateral Movement: Source code often reveals how internal APIs work or points to other internal hostnames that aren't publicly known, allowing attackers to move deeper into your network.
  4. Supply Chain Attacks: If the attacker gains access to your Git history, they might find tokens that allow them to push malicious code back to your main repository if those tokens have write access.

How to Prevent Git Directory Exposure

Preventing this vulnerability requires a combination of better deployment habits and strict server configurations. Using Jsmon can help you verify that these protections are working across your entire infrastructure.

1. Configure Your Web Server

You should explicitly deny access to any directory starting with a dot. This provides a safety net even if a developer accidentally uploads a .git folder.

For Nginx:
Add this block to your server configuration:

location ~ /\.git {
    deny all;
    access_log off;
    log_not_found off;
}

For Apache:
Add this to your .htaccess file or main configuration:

RedirectMatch 404 /\.git

Alternatively, use the Require all denied directive:

<DirectoryMatch "^/.*/\.git/">
    Order deny,allow
    Deny from all
</DirectoryMatch>

2. Improve Deployment Workflows

Stop using git clone or cp directly into the web root. Instead, use a build process that exports only the necessary files.

  • CI/CD Pipelines: Use tools like GitHub Actions, GitLab CI, or Jenkins to build your application and deploy only the artifacts (e.g., the dist/ or build/ folder) to the production server.

Use git archive: This command creates a zip or tarball of the repository without the .git directory.

git archive --format=tar.gz HEAD > deploy.tar.gz

3. Use .gitignore Wisely

While .gitignore does not prevent the .git folder itself from being exposed, it prevents sensitive files (like .env) from being committed to the repository in the first place. If your .git folder is ever exposed, having a clean history without secrets significantly reduces the impact.

Example .env exclusion:

# .gitignore
.env
*.log
config/settings.local.php

4. Regular Auditing

Large organizations often have hundreds of subdomains and legacy servers. A developer might spin up a temporary staging site and forget to secure it. Regular automated scanning of your attack surface is essential.

Conclusion

Git directory exposure is a "low-hanging fruit" for attackers but a devastating blow for organizations. It bridges the gap between a simple misconfiguration and a total data breach. By understanding how Git stores data and how tools like git-dumper work, security professionals can better defend their infrastructure. Always ensure your web server is configured to deny access to hidden directories and adopt modern CI/CD practices that keep version control metadata where it belongs: in development, not in production.

To proactively monitor your organization's external attack surface and catch exposures before attackers do, try Jsmon.

Read more