Exposed Source Code

Introduction

Source code intended to be kept server-side can sometimes end up being disclosed to users. Such code may contain sensitive information such as database passwords and secret keys, which may help malicious users formulate attacks against the application.

Where to find

-

How to exploit

  1. Exposed Git folder
    https://site.com/.git

    Tools to dump .git
    * https://github.com/arthaud/git-dumper

  2. Exposed Subversion folder
    https://site.com/.svn

    Tools to dump .svn
    * https://github.com/anantshri/svn-extractor

  3. Exposed Mercurial folder
    https://site.com/.hg

    Tools to dump .hg
    * https://github.com/arthaud/hg-dumper

  4. Exposed Bazaar folder
    http://target.com/.bzr

    Tools to dump .bzr
    * https://github.com/shpik-kr/bzr_dumper

  5. Exposed Darcs folder
    http://target.com/_darcs

    Tools to dump _darcs (Not found)

  6. Exposed BitKeeper folder
    http://target.com/Bitkeeper

    Tools to dump BitKeeper (Not found)
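A pre-deployment check for the directories listed above, as an added example that is not part of the original page: it walks a local web root and reports every version-control metadata directory that would be served over HTTP. The function names, the sample tree and the case-insensitive matching are assumptions made for this illustration.

```python
import os
import tempfile

# Metadata directory names taken from the list above. Names are compared
# case-insensitively because the page spells the last one both
# "Bitkeeper" and "BitKeeper".
VCS_DIRS = {".git": "Git", ".svn": "Subversion", ".hg": "Mercurial",
            ".bzr": "Bazaar", "_darcs": "Darcs", "bitkeeper": "BitKeeper"}

# Constructed sample layout: a site with two leftover metadata directories.
SAMPLE_LAYOUT = ("css", ".git/objects", "blog/.svn", "blog/posts")


def find_vcs_metadata(web_root):
    """Return sorted (url_path, vcs_name) pairs for metadata dirs under web_root."""
    findings = []
    for current, dirs, _files in os.walk(web_root):
        for name in list(dirs):
            vcs = VCS_DIRS.get(name.lower())
            if vcs is None:
                continue
            rel = os.path.relpath(os.path.join(current, name), web_root)
            findings.append(("/" + rel.replace(os.sep, "/"), vcs))
            dirs.remove(name)  # do not descend into the repository internals
    return sorted(findings)


def audit_sample(layout=SAMPLE_LAYOUT):
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in layout:
            os.makedirs(os.path.join(tmp, *rel.split("/")))
        return find_vcs_metadata(tmp)


if __name__ == "__main__":
    for path, vcs in audit_sample():
        print(f"{vcs} metadata would be served at {path}")
```

Run `find_vcs_metadata` against the real document root as a build or release gate and fail the deployment when it returns anything.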

Reference