PayloadsAllTheThings/Insecure Source Code Management/README.md

# Insecure Source Code Management

> Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks. 


## Summary

* [Methodology](#methodology)
* [Bazaar](./Bazaar.md)
* [Git](./Git.md)
* [Mercurial](./Mercurial.md)
* [Subversion](./Subversion.md)
* [Labs](#labs)
* [References](#references)


## Methodology

Exposing the version control system folders on a web server can lead to severe security risks, including: 

- **Source Code Leaks** : Attackers can download the entire source code repository, gaining access to the application's logic.
- **Sensitive Information Exposure** : Embedded secrets, configuration files, and credentials might be present within the codebase.
- **Commit History Exposure** : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated.
     

The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques. 

* **Manual Inspection** : Check URLs manually by navigating to common SCM paths.
    * http://target.com/.git/
    * http://target.com/.svn/

* **Automated Tools** : Refer to the page related to the specific technology.

Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.

The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint.

```ps1
location /.git {
  deny all;
}
```

For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.

## Labs

* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)


## References

- [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
Normalize Titles 2022-10-12 10:13:55 +00:00			`# Insecure Source Code Management`
Insecure source code - harvesting secrets 2018-11-18 13:12:05 +00:00
Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`> Insecure Source Code Management (SCM) can lead to several critical vulnerabilities in web applications and services. Developers often rely on SCM systems like Git and Subversion (SVN) to manage their source code versions. However, poor security practices, such as leaving .git and .svn folders in production environments exposed to the internet, can pose significant risks.`
Clean up Insecure SCM page and add new tool yar 2021-01-12 11:39:37 +00:00
GIT & SVN insecure source code 2017-02-17 23:30:55 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`## Summary`
Insecure source code - harvesting secrets 2018-11-18 13:12:05 +00:00
Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`* [Methodology](#methodology)`
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`* [Bazaar](./Bazaar.md)`
			`* [Git](./Git.md)`
			`* [Mercurial](./Mercurial.md)`
			`* [Subversion](./Subversion.md)`
Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`* [Labs](#labs)`
			`* [References](#references)`
Attacks details + Summary JWT + XXE adjustments 2018-11-25 23:25:06 +00:00

References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`## Methodology`
GIT & SVN insecure source code 2017-02-17 23:30:55 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`Exposing the version control system folders on a web server can lead to severe security risks, including:`
Clean up Insecure SCM page and add new tool yar 2021-01-12 11:39:37 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`- Source Code Leaks : Attackers can download the entire source code repository, gaining access to the application's logic.`
			`- Sensitive Information Exposure : Embedded secrets, configuration files, and credentials might be present within the codebase.`
			`- Commit History Exposure : Attackers can view past changes, revealing sensitive information that might have been previously exposed and later mitigated.`

Fix typos 2024-09-16 16:05:54 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`The first step is to gather information about the target application. This can be done using various web reconnaissance tools and techniques.`
Fix typos 2024-09-16 16:05:54 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`* Manual Inspection : Check URLs manually by navigating to common SCM paths.`
			`* http://target.com/.git/`
			`* http://target.com/.svn/`
Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`* Automated Tools : Refer to the page related to the specific technology.`
Fix typos 2024-09-16 16:05:54 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			Once a potential SCM folder is identified, check the HTTP response codes and contents. You might need to bypass `.htaccess` or Reverse Proxy rules.
Fix typos 2024-09-16 16:05:54 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			The NGINX rule below returns a `403 (Forbidden)` response instead of `404 (Not Found)` when hitting the `/.git` endpoint.
Git - methodology 2017-03-19 22:51:56 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			```ps1
			`location /.git {`
			`deny all;`
			`}`
GIT & SVN insecure source code 2017-02-17 23:30:55 +00:00			```

References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			For example in Git, the exploitation technique doesn't require to list the content of the `.git` folder (http://target.com/.git/), the data extraction can still be conducted when files can be read.
Fix typos 2024-09-16 16:05:54 +00:00
Normalize page header for GraphQL, Deserialization, SCM 2024-11-10 13:37:48 +00:00			`## Labs`

			`* [Root Me - Insecure Code Management](https://www.root-me.org/fr/Challenges/Web-Serveur/Insecure-Code-Management)`

GIT & SVN insecure source code 2017-02-17 23:30:55 +00:00
Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
References updated for IDOR, Radomness and SCM 2024-11-07 11:17:38 +00:00			`- [Hidden directories and files as a source of sensitive information about web application - Apr 30, 2017](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)`