A “Google Dork” is a search query that uses advanced operators to find specific information on the internet. One type of information that can be found using Google Dorks is exposed source code on websites. This can happen when a website’s “.git” folder, which is used to store version control information for the website’s source code, is not properly secured.
If the “.git” folder is publicly accessible, it can be indexed by search engines like Google. An attacker can then use Google Dorks to find the exposed “.git” folder, and then use that information to access the website’s source code.
An example of a Google Dork that could be used to find an exposed “.git” folder is:
site:example.com inurl:.git
This search query will return all pages on the “example.com” domain that contain the string “.git” in the URL. If any of those pages are the website’s “.git” folder, the attacker will be able to access the website’s source code.
It’s crucial for web developers to make sure that the “.git” folder is not publicly accessible in order to keep the website’s source code safe.
I was able to find more than 30 websites with source code disclosure via the exposed .git folder just by using the Google Dorks shown below.
Google Dorks:
“index of” inurl:.git
allintext:index filetype:git
A website’s source code can be exposed if a “.git” folder, which is used to store version control information for the website’s code, is not properly protected. This can happen if a developer forgets to remove the “.git” folder when uploading the website’s files to a live server.
I have found an exposed .git with some sensitive source code on one of the Indian government websites and reported the same to NCIIPC India. (The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organization of the Government of India created under Sec 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification on 16th Jan 2014. It is based in New Delhi, India, and is designated as the National Nodal Agency in respect of Critical Information Infrastructure Protection.) I received an acknowledgement from them as shown below.
Impact: Any malicious user can download the exposed .git data to their local system using git dumper tools and retrieve all the recent commits in the repository.
Website source code disclosure via an exposed .git folder can be prevented by taking the following steps:
It is important to note that preventing website source code disclosure via an exposed .git folder should be considered part of a larger security strategy, and should be coupled with other security measures such as firewalls, intrusion detection systems, and regular security audits.
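As an added example (not code from the original post), here is a small Python self-check a site owner can run: it walks the web document root for stray .git directories that would be served if the web server does not block them, and classifies the body of a GET /.git/HEAD response from your own site as a real git HEAD file or a soft-404 page. The docroot layout and the sample response bodies are constructed for the demo.

```python
import os
import re
import tempfile

# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/main") or a bare
# commit hash (40 hex chars for SHA-1 repositories, 64 for SHA-256 repositories).
# A soft-404 HTML page returned with status 200 matches neither, so this avoids
# false positives when checking your own hosts.
GIT_HEAD_RE = re.compile(r"^(?:ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: str) -> bool:
    """Return True if the response body for GET /.git/HEAD is a real git HEAD file."""
    return GIT_HEAD_RE.match(body.strip()) is not None


def find_git_dirs(docroot: str) -> list:
    """Return every .git directory under the document root, relative to it.

    Each hit would be served verbatim unless the web server explicitly denies
    access to it, so every entry is a source code disclosure risk.
    """
    hits = []
    for root, dirs, _files in os.walk(docroot):
        if ".git" in dirs:
            hits.append(os.path.relpath(os.path.join(root, ".git"), docroot))
            dirs.remove(".git")  # no need to descend into the repository itself
    return sorted(hits)


def demo() -> dict:
    """Run both checks on constructed data: a throwaway docroot and sample bodies."""
    with tempfile.TemporaryDirectory() as docroot:
        # Constructed layout: a site repo plus a vendored widget with its own repo.
        os.makedirs(os.path.join(docroot, "site", ".git", "objects"))
        os.makedirs(os.path.join(docroot, "site", "vendor", "widget", ".git"))
        os.makedirs(os.path.join(docroot, "site", "assets"))
        git_dirs = find_git_dirs(docroot)
    samples = {  # constructed response bodies, not fetched from any real site
        "symbolic ref": looks_like_git_head("ref: refs/heads/main\n"),
        "detached sha1": looks_like_git_head("a" * 40 + "\n"),
        "soft 404": looks_like_git_head("<html><body>Not Found</body></html>"),
    }
    return {"git_dirs": git_dirs, "head_checks": samples}


if __name__ == "__main__":
    print(demo())
```

Pair the walk with a web server rule that denies any path containing /.git/ so the folder stays unreachable even if a deploy copies it to the live server again.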