From cbd9d3be8d4b600dca8c222ac98282e14b3e57e1 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Mon, 31 Jul 2023 13:53:31 +0530
Subject: [PATCH] Update git-config.yaml

---
 http/exposures/configs/git-config.yaml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/http/exposures/configs/git-config.yaml b/http/exposures/configs/git-config.yaml
index 31816403ff..db33129ce0 100644
--- a/http/exposures/configs/git-config.yaml
+++ b/http/exposures/configs/git-config.yaml
@@ -2,16 +2,16 @@ id: git-config
 
 info:
   name: Git Configuration - Detect
-  author: pdteam,pikpikcu,Mah3Sec_
+  author: pdteam,pikpikcu,Mah3Sec_,m4lwhere
   severity: medium
   description: Git configuration was detected via the pattern /.git/config and log file on passed URLs.
   classification:
     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
     cvss-score: 5.3
     cwe-id: CWE-200
-  tags: config,git,exposure
   metadata:
     max-request: 1
+  tags: config,git,exposure
 
 http:
   - method: GET
@@ -21,8 +21,11 @@ http:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
+          - "[credentials]"
           - "[core]"
+        condition: or
 
       - type: dsl
         dsl:
@@ -33,3 +36,12 @@ http:
       - type: status
         status:
           - 200
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "url ?= ?https?://(.*:.*)@"
+          - "AUTHORIZATION: basic (.*)"
+          - "pass = (.*)"