Prepare to be shocked!

Is the .git folder of your website secure? Research suggests that might not be the case!

Eirini-Eleni Papadopoulou

I have another interesting, *very* interesting piece of research for you! How certain are you that the .git folder of your website's version-control repository is secure? After you read the results of this research, you won’t be so sure anymore!

The devoted JAXenter readers must have noticed by now that I love statistics and good research! For those of you who just got here, yes, I *love* them!

So I am very excited to present to you another interesting piece of research that caught my eye recently.

I don’t have any fancy 20-page-long report to show you this time but, trust me, the results are ridiculously interesting and rich, not to mention important.

Let’s start with a small introduction to what we’re dealing with this time.

Research is love. Research is life

A couple of months ago, network engineer, developer, security researcher, and Lynt Services founder Vladimír Smitka came up with the idea of scanning websites to find out how many allow access to the .git folder of their version-control repository.

The idea started small by researching first Czech and then Slovakian websites.

The concept is simple. The first step is to request <web-site>/.git/HEAD. On a properly configured server, this should not be reachable.


But don’t be too quick to declare the disaster prevented. The HTTP 403 error you get makes it look like access is denied. However, this is only a false sense of security: in reality, the files inside the folder are still accessible. You can check out the original post by Vladimír Smitka if you want to have a closer look at his research process.
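Here is a small self-check that reproduces the point above, written for this article and not taken from Smitka's scanner: it requests `/.git/`, `/.git/HEAD` and `/.git/config` on a site you operate and only reports "exposed" when `HEAD` comes back with content that actually parses as a Git reference, so a 403 on the directory, a catch-all 200 page or a redirect to a login form is not mistaken for a finding. The `example.invalid` host names and the canned responses in the fake fetchers are constructed for the offline demonstration.

```python
"""Self-check for an exposed Git repository under a web root.

Added illustration for this article; it is not Smitka's scanning code.
Point it only at hosts you own or are authorised to test.
"""
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Files every checked-out repository carries; if one is readable, the rest is too.
GIT_PROBES = ("/.git/", "/.git/HEAD", "/.git/config")


def looks_like_git_head(body: bytes) -> bool:
    """A genuine .git/HEAD is a symbolic ref or a bare hex commit id."""
    text = body.strip()
    if text.startswith(b"ref: refs/"):
        return True
    return len(text) in (40, 64) and all(c in b"0123456789abcdef" for c in text)


def http_fetch(url: str, timeout: float = 5.0):
    """GET url and return (status, first 4 KiB of body); (None, b'') on network error."""
    req = Request(url, headers={"User-Agent": "git-exposure-self-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except HTTPError as err:
        return err.code, b""
    except URLError:
        return None, b""


def check_site(base_url: str, fetch=http_fetch) -> dict:
    """Probe base_url and return per-path statuses plus a verdict.

    'exposed' means /.git/HEAD is served and is a real Git ref. A 403 on
    /.git/ alone only proves directory listing is off, not that the files
    are blocked, so the verdict ignores it.
    """
    base = base_url.rstrip("/")
    statuses = {}
    head_body = b""
    for path in GIT_PROBES:
        status, body = fetch(base + path)
        statuses[path] = status
        if path == "/.git/HEAD":
            head_body = body
    exposed = statuses["/.git/HEAD"] == 200 and looks_like_git_head(head_body)
    note = ""
    if exposed and statuses["/.git/"] == 403:
        note = "403 on /.git/ is only a listing block; files are still readable"
    return {"paths": statuses, "verdict": "exposed" if exposed else "closed", "note": note}


# Constructed responses standing in for three hypothetical servers.
def fake_misconfigured(url: str):
    """Listing disabled (403) but every file under .git served as-is."""
    if url.endswith("/.git/"):
        return 403, b"<html>Forbidden</html>"
    if url.endswith("/.git/HEAD"):
        return 200, b"ref: refs/heads/master\n"
    return 200, b"[core]\n\trepositoryformatversion = 0\n"


def fake_hardened(url: str):
    """Web server denies anything under .git outright."""
    return 404, b""


def fake_catch_all(url: str):
    """Framework answers 200 with an HTML page for every unknown path."""
    return 200, b"<html><body>Page not found</body></html>"


if __name__ == "__main__":
    # Usage: python check_git.py https://your-own-site.example
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.invalid"
    fetch = http_fetch if len(sys.argv) > 1 else fake_misconfigured
    print(check_site(target, fetch=fetch))
```

If the verdict is "exposed", the fix is on the server, not in the scanner: deny every path containing `/.git/` in the web server configuration, or better, deploy build artefacts rather than a checked-out repository so the folder never reaches the document root.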

With the first, smaller-scale runs declared a success and most of the process automated along the way, Smitka was finally ready to go big! It was time for a global scan!

After listing more than 230 million domains, he began scanning for .git vulnerabilities.

The whole scan ran for almost 4 weeks and the results are shocking!

390,000 web pages were found with an open .git directory!

But Smitka didn’t stop there.

The next step was to determine the technologies the affected sites used.

Starting with programming languages, the raw numbers showed PHP on 96% of the sites with an open .git. However, since PHP is the most used language for the web, such a percentage was to be expected.

The interesting turn, though, comes after Smitka normalized the numbers according to the language market share.

So in a hypothetical scenario where all the languages were used to the same extent, Python developers would be the ones most in trouble!

Interesting fact: While running the scans, Vladimír Smitka encountered various honeypots (fake servers set up as decoys to attract and occupy scanners) that put him on different blacklists and generated abuse reports, complaints to his VPS providers that he had to deal with.

Fun fact: “After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue. I have received almost 2,000 thank-you emails, 30 false positives, 2 scammer/spammer accusations, and 1 threat to call the Canadian police.”

All in all, I have to say that I very much enjoyed reading this research and found the results extremely enlightening. Also, kudos to Mr. Vladimír Smitka for his idea and execution as well as his patience!

I recommend reading his post if you are interested in more detailed insight into his research processes. And as he mentioned at the end of his article, it is always good to “remember that things are changing – server configurations and team members, and what doesn’t seem like a problem today may be a problem tomorrow.”

Eirini-Eleni Papadopoulou
Eirini-Eleni Papadopoulou was the editor for Coming from an academic background in East Asian Studies, she decided that it was time to go back to her high-school hobby that was computer science and she dived into the development world. Other hobbies include esports and League of Legends, although she never managed to escape elo hell (yet), and she is a guest writer/analyst for competitive LoL at TGH.
