# Git Exposure: How a Simple Oversight Led to a Critical Security Flaw

In my recent exploration of web applications, I came across a significant security issue that I believe deserves attention. This discovery involved a popular application responsible for managing various user services. While I can't divulge the application's name or specific details, I want to share the insights gained from this experience and detail the steps taken to detect and report this vulnerability.

#### The Initial Discovery

The journey began when I discovered that the application's `.git` directory was exposed.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723391598299/0557adf7-b296-4023-9f8e-d9c9f4c0690a.png align="center")

The `.git` directory is a crucial part of any Git version-controlled project, containing key information about the repository's history, branches, and possibly sensitive configuration files.

Using a well-known open-source tool called [Git Dumper](https://github.com/arthaud/git-dumper), I confirmed the exposure and downloaded the application's complete source code to my local environment.

#### What I Uncovered

After inspecting the downloaded files, I discovered a concerning amount of sensitive information. Notably, I found hardcoded credentials in the `docker-compose.yml` file, including passwords for various services used by the application. Storing credentials in this way presents a significant security risk.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723391834600/2c64e0cd-7294-4841-afe1-a690a40dfa7a.png align="center")

Furthermore, a **deployment file** `deployment_production_k8.yml` contained sensitive data, including employee usernames and passwords for **Shiprocket** and **SIMPL Payment Gateway**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723391894201/4bcbd916-73b7-4b7f-a5bc-f13547765af0.png align="center")
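The two findings above (literal passwords in `docker-compose.yml` and in the Kubernetes deployment manifest) share one root cause: credential-bearing environment variables whose value is written into the file instead of being referenced from a secret store. The scanner below is an added example, not the author's tooling or anything the affected application ships; it walks both compose-style `KEY: value` / `- KEY=value` entries and Kubernetes `- name:` / `value:` pairs and flags credential-like names whose value is a literal rather than a `${VAR}` reference, a `*_FILE` indirection, or a `valueFrom` block. The credential-name heuristic and both sample manifests are constructed for the example.

```python
"""Scan compose / Kubernetes manifests for credentials stored as literal values."""
import re
from typing import List, Tuple

# Heuristic list of credential-bearing names (assumption: extend for your stack).
SENSITIVE_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
# ${VAR} or $VAR is resolved at deploy time, so nothing secret lives in the file.
REFERENCE_VALUE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")
# Compose-style entries: `KEY: value` in a mapping or `- KEY=value` in a list.
COMPOSE_ENV = re.compile(r"^\s*-?\s*([A-Z][A-Z0-9_]*)\s*[:=]\s*(.+?)\s*$")
# Kubernetes env entries: `- name: KEY` followed by `value:` or `valueFrom:`.
K8S_NAME = re.compile(r"^\s*-\s*name:\s*([A-Za-z_][A-Za-z0-9_]*)\s*$")
K8S_VALUE = re.compile(r"^\s*value:\s*(.+?)\s*$")
K8S_VALUE_FROM = re.compile(r"^\s*valueFrom:\s*$")


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def is_hardcoded(name: str, value: str) -> bool:
    """True when a credential-like name carries a literal value in the manifest."""
    if not SENSITIVE_NAME.search(name) or name.upper().endswith("_FILE"):
        return False  # not a credential, or a path to a mounted secret file
    return not REFERENCE_VALUE.match(_unquote(value))


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every literal credential found."""
    findings: List[Tuple[int, str]] = []
    pending = None  # (line_no, name) of a k8s env entry awaiting its value
    for line_no, line in enumerate(text.splitlines(), 1):
        m = K8S_NAME.match(line)
        if m:
            pending = (line_no, m.group(1))
            continue
        if pending is not None:
            name = pending[1]
            pending = None
            if K8S_VALUE_FROM.match(line):
                continue  # value is pulled from a Secret object: fine
            m = K8S_VALUE.match(line)
            if m:
                if is_hardcoded(name, m.group(1)):
                    findings.append((line_no, name))
                continue
        m = COMPOSE_ENV.match(line)
        if m and is_hardcoded(m.group(1), m.group(2)):
            findings.append((line_no, m.group(1)))
    return findings


# Constructed sample manifests (not the application's real files). Each shows a
# weak entry next to its hardened form.
COMPOSE_SAMPLE = """\
version: "3.8"
services:
  db:
    image: postgres:15
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: Sup3rS3cret!
  api:
    environment:
      - SHIPPING_API_TOKEN=${SHIPPING_API_TOKEN}
      - PAYMENT_SECRET_FILE=/run/secrets/payment_secret
"""

K8S_SAMPLE = """\
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: registry.example/api:1.0
          env:
            - name: SHIPPING_PASSWORD
              value: "hunter2"
            - name: PAYMENT_API_KEY
              valueFrom:
                secretKeyRef:
                  name: payment-gateway
                  key: api-key
"""

if __name__ == "__main__":
    for label, manifest in (("compose", COMPOSE_SAMPLE), ("k8s", K8S_SAMPLE)):
        for line_no, name in find_hardcoded_credentials(manifest):
            print(f"{label}: line {line_no}: {name} is a literal credential")
```

Run as-is, it reports `POSTGRES_PASSWORD` (compose, line 7) and `SHIPPING_PASSWORD` (k8s, line 11) while accepting the `${...}` reference, the `_FILE` indirection and the `secretKeyRef`. A check like this belongs in pre-commit or CI, so the file never reaches the repository with a literal in it; it is a heuristic and complements, rather than replaces, a dedicated secret scanner.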

With these credentials, access to Shiprocket's API was possible, granting control over various aspects of the application. Specifically, I used the Shiprocket credentials to generate an authentication token via their API.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723479612748/eba01fb4-54a3-43a8-add9-f59fae923d80.png align="center")

With the gained access, I could:

* **Expose Customer PII, Cancel or Modify Customer Orders**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723479631255/5146f094-c01d-4b23-8224-aa855b33bd06.png align="center")
    
* **Access Financial Information**
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1723479693474/ee6b5ae6-ff1e-468c-a86b-025e4a87414c.png align="center")
    

#### Mitigation and Recommendations

After identifying the vulnerability, I quickly reported it to the company and suggested actions like restricting access to the `.git` directory and securely managing credentials using AWS Secrets Manager or GitHub Secrets.
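Restricting access to `.git` is easy to get wrong (a rule on one vhost, a new deployment pipeline that copies the whole checkout), so it is worth verifying after every deploy. The script below is an added example, not part of the write-up or the affected company's tooling: it requests `/.git/HEAD` from a base URL and treats the directory as exposed only when the body looks like a real Git HEAD file (a symbolic ref or a 40-hex commit id), so a soft-404 page that answers 200 to everything is not misreported. The demo serves two constructed temporary web roots on localhost, one with a `.git` directory and one without; the base URL, port and directory contents are all assumptions of the example.

```python
"""Post-deploy smoke test: is the site serving its own .git directory?"""
import functools
import http.server
import os
import re
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# A real HEAD is a symbolic ref or a detached 40-hex commit id.
GIT_HEAD_RE = re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})$")


def looks_like_git_head(body: str) -> bool:
    """Distinguish a served HEAD file from an HTML error page returned with 200."""
    return GIT_HEAD_RE.match(body.strip()) is not None


def git_dir_exposed(base_url: str, timeout: float = 5.0) -> bool:
    """True when <base_url>/.git/HEAD is reachable and plausibly a Git HEAD file."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            body = resp.read(256).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError):
        return False  # 404, connection refused or timeout: nothing served
    return looks_like_git_head(body)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def serve_directory(path: str):
    """Serve `path` on an ephemeral localhost port; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=path)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo() -> dict:
    """Check a leaky root (.git present) and a clean one; returns {label: exposed?}."""
    results = {}
    with tempfile.TemporaryDirectory() as leaky, tempfile.TemporaryDirectory() as clean:
        # Constructed web roots: a checkout deployed with its .git, and one without.
        os.makedirs(os.path.join(leaky, ".git"))
        with open(os.path.join(leaky, ".git", "HEAD"), "w") as f:
            f.write("ref: refs/heads/main\n")
        with open(os.path.join(clean, "index.html"), "w") as f:
            f.write("<html>ok</html>\n")
        for label, root in (("leaky", leaky), ("clean", clean)):
            server, url = serve_directory(root)
            try:
                results[label] = git_dir_exposed(url)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    for label, exposed in demo().items():
        print(f"{label}: {'EXPOSED' if exposed else 'ok'}")
```

Point `git_dir_exposed` at each public hostname in a post-deploy job and fail the pipeline when it returns `True`. The check only confirms the symptom; the fix is to keep the `.git` directory out of the served tree in the first place (deploy a build artifact rather than a checkout) and, as defence in depth, deny requests for `/.git` at the web server so a future deployment mistake stays unreachable.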

#### Conclusion

This experience is a strong reminder of how important it is to secure application source code and data. Even small mistakes like an exposed `.git` directory can cause serious security issues if not fixed.

As a token of appreciation for uncovering and reporting this critical issue, I was rewarded **$200** by the company, which shows how important it is to report problems responsibly and work together to improve cybersecurity.
