Abstract
This session will focus on how to exploit a scenario where version control related data is publicly exposed: what kind of juicy data can be extracted from the files, and how you can leverage this for exploitation.
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This presentation covers the exploitation of publicly exposed version control system (VCS) directories on web servers, demonstrating how developers who deploy code via Git, SVN, or Mercurial can inadvertently expose their entire source code repository. Anant Shrivastava walks through VCS directory structures, predictable file paths for detection, available extraction tools, and live demos of extracting source code both with and without directory listing enabled.
What is VCS Exploitation: Version control systems (Git, SVN, Mercurial) are the standard developer workflow for code deployment, often with auto-deployment on commit. When VCS metadata directories are left accessible on production web servers, attackers can reconstruct the entire source code repository, making it a high-value target — described as “a golden ticket” especially when auto-deployment is available.
VCS Directory Signatures: Each version control system creates a characteristic hidden directory — Git uses .git, SVN uses .svn, and Mercurial uses .hg. The .bzr directory (Bazaar) is also mentioned. These directories contain the complete repository history and metadata.
Predictable Detection Files: Specific files can be probed to confirm VCS exposure — .git/HEAD for Git repositories, .hg/requires for Mercurial, and .bzr/README for Bazaar. The .gitignore file is described as the “robots.txt of VCS” since it reveals file and directory names the developer wanted to exclude.
SVN-Specific Detection: A shell script demonstrates bulk checking of targets by probing for .svn/entries and .svn/wc.db over both HTTP and HTTPS, enabling rapid identification of exposed SVN repositories across multiple domains.
Extraction Tools:
Demo Scenarios: Live demonstrations covering two common configurations — exploitation when directory listing is enabled on the web server (straightforward directory browsing and download), and exploitation when directory listing is disabled (requiring knowledge of predictable file paths and tool-based reconstruction).
- Do not deploy VCS metadata directories (.git, .svn, .hg) to production web servers; add explicit deny rules in your web server configuration to block access to these directories.
- Probe for .git/HEAD, .svn/entries, .svn/wc.db, and .hg/requires on target web servers to confirm exposure.
- Review .gitignore files when discovered, as they reveal the names of files and directories the developer considered sensitive enough to exclude from version control.
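As an added example that is not part of the talk or its tooling, assuming nginx as the web server, a server block that implements the deny rules recommended above for the VCS paths the summary names (.git, .svn, .hg, .bzr and .gitignore); the hostname, document root and the .well-known exemption are placeholders and assumptions for illustration:

```nginx
# Added example (not from the talk): block the VCS metadata paths the
# summary lists. server_name and root are placeholders.
server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/example.com/public;   # placeholder

    # Weak baseline that the talk exploits: with no rule here, a deploy
    # that copies a full working tree leaves /.git/HEAD, /.svn/entries,
    # /.svn/wc.db and /.hg/requires readable, and autoindex only makes
    # browsing the rest of the directory easier.

    # Hardened: any path inside a VCS metadata directory, at any depth
    # (e.g. /app/.git/HEAD), is answered with 404. "return" runs before
    # any file lookup, so autoindex on or off makes no difference, and
    # 404 (rather than "deny all", which gives 403) does not confirm to
    # the prober that the directory exists.
    location ~ /\.(git|svn|hg|bzr)(/|$) {
        return 404;
    }

    # .gitignore, the "robots.txt of VCS", is normally copied into the
    # web root alongside the code, so it gets the same treatment.
    location = /.gitignore {
        return 404;
    }

    # Keep the one dot-path that must stay reachable (ACME challenges,
    # security.txt). A "^~" prefix match wins over the regex below.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }

    # Catch-all for every other dotfile or dot-directory.
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

The deny rule is a safety net, not the fix itself: the summary's first recommendation is that the metadata directory should never reach the server, so deploy an exported artifact (for example the output of `git archive`) rather than a clone or checkout into the document root. The Apache 2.4 equivalent is a `<DirectoryMatch "/\.(git|svn|hg|bzr)">` block containing `Require all denied`.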