Exposure Protocol: Information Disclosure in the Wild [Part 4]
Summary: This article describes leaking the administrator password from version-control history through an exposed .git directory, leading to account takeover and user deletion. The attacker uses sensitive information left in the Git commit history to complete the lab scenario. 2025-6-25 08:14:36 Author: infosecwriteups.com (view original) Views: 9

Leaked Secrets in Git: Information Disclosure Through Version Control History — Exposed .git directory reveals hardcoded admin password from commit history, enabling full account takeover and user deletion.


Author: Aditya Bhatt

WriteUp Type: Bug Bounty Simulation

Vulnerability: Information Disclosure via Git History

Difficulty: 🟠 Practitioner

Platform: PortSwigger Web Security Academy

Status: 🟢 Lab Solved

Welcome back to Exposure Protocol, where we rip the masks off info leaks — one layer at a time.

In Part 1, we tricked verbose error messages into exposing Apache Struts internals.
In Part 2, a debug page casually dropped the app’s SECRET_KEY.
Part 3 showed how a forgotten .bak file could compromise entire databases.

Now in Part 4, we dig into version control archaeology — cracking open a .git directory left live on a production server. Inside? The admin’s password, tucked away in a commit from the past.

📂 We’ll clone the repo, crack the commit history open, hijack an admin account, and yeet a user straight off the platform — all while sipping on the sweet nectar of Git leakage.

🎯 Core themes:

  • Git as a vulnerability vector
  • Weaponizing commit history
  • Real-world attacker flow: from .git → creds → auth bypass

🧰 PoC for this write-up: GitHub — Version Control History Leak
📚 Full Series Playlist: Exposure Protocol — Info Disclosure in the Wild

Stay sharp — the past has teeth 🦷🧠

Version control is a blessing for developers — but when misconfigured or left exposed in production environments, it can become a ticking time bomb for sensitive data. In this write-up, we’ll walk through an Information Disclosure vulnerability caused by exposing the .git directory on a live web server. This allows us to leak the administrator password from Git commit history, hijack the admin session, and ultimately delete a user to complete the lab scenario.

  • Bug Type: Information Disclosure
  • Impact: Unauthorized admin access and account deletion
  • Root Cause: Accessible .git directory on the production server
  • Attack Vector: Git commit history reveals previously hardcoded credentials

Here is the step-by-step proof of concept (PoC), with the tool used at each step:

1. Go to the lab (https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-in-version-control-history).

2. Browse to /.git/ on the lab host. The directory is exposed and browsable (directory listing is enabled), which is a serious misconfiguration in itself.

3. Run wget -r https://YOUR-LAB-ID.web-security-academy.net/.git/ to recursively download the entire Git repository from the live server. This works here because the listing is enabled; on a server that serves /.git/ but does not list it, git-dumper can still rebuild the repository by fetching the well-known files (HEAD, config, index, refs) and following the object IDs they reference.

4. Open git-cola. If you don't have it already, run:
   sudo apt-get install git-cola
   If that fails with dependency errors, run:
   sudo apt-get install git-cola --fix-missing

5. Right-click admin.conf and choose "View History". There it is: a commit with the message "Remove admin password from config". The diff for that commit shows the hardcoded password on the removed line and its replacement, a reference to an environment variable, on the added line. The password is gone from the current file but not from the history; the earlier blob is still in the object store, so anyone holding a copy of the repository can read it.

6. Log in as administrator with the password recovered from the diff.

7. Navigate to the admin panel and delete carlos, the user the lab asks you to remove.

8. The lab is solved and the vulnerability exploited successfully.

The issue stems from exposing the .git/ directory to the public. Git repositories contain a complete history of changes, which includes sensitive information even if it’s later removed. Attackers can reconstruct past states of the codebase and recover deleted secrets, such as credentials, tokens, or private keys.
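To make the "Git remembers everything" point concrete, here is an added worked example (written for this edit, not code from the original write-up, git-cola, or the lab) that performs the same history walk as step 5 by reading the loose objects of a downloaded .git directory directly, with no git binary. It assumes loose (uncompacted) objects and a refs/heads/main file; a real dump may contain packfiles, which this reader does not parse and which git or git-dumper handle for you. The two-commit repository it builds in a temporary directory, the admin.conf syntax, and the password in it are all constructed for the demo and are not the lab's data.

```python
import hashlib
import os
import re
import tempfile
import zlib


def write_object(git_dir, kind, payload):
    """Store a loose object as git does: '<kind> <size>\\0' + payload, zlib-compressed, named by SHA-1."""
    raw = f"{kind} {len(payload)}\0".encode() + payload
    oid = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return oid


def read_object(git_dir, oid):
    """Inflate a loose object and return (kind, payload)."""
    path = os.path.join(git_dir, "objects", oid[:2], oid[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\0", 1)
    return header.split()[0].decode(), payload


def parse_tree(payload):
    """A tree is a sequence of '<mode> <name>\\0' + 20 raw SHA-1 bytes; map name -> hex object id."""
    entries, i = {}, 0
    while i < len(payload):
        nul = payload.index(b"\0", i)
        _mode, name = payload[i:nul].decode().split(" ", 1)
        entries[name] = payload[nul + 1:nul + 21].hex()
        i = nul + 21
    return entries


def parse_commit(payload):
    """Return (tree id, parent ids, message) from a commit payload."""
    headers, message = payload.split(b"\n\n", 1)
    tree, parents = None, []
    for line in headers.decode().splitlines():
        key, _, value = line.partition(" ")
        if key == "tree":
            tree = value
        elif key == "parent":
            parents.append(value)
    return tree, parents, message.decode().strip()


def history_of_file(git_dir, filename, branch="main"):
    """Walk the branch tip back along first parents; newest first, as (message, file content)."""
    with open(os.path.join(git_dir, "refs", "heads", branch)) as fh:
        oid = fh.read().strip()
    revisions = []
    while oid:
        _, payload = read_object(git_dir, oid)
        tree, parents, message = parse_commit(payload)
        entries = parse_tree(read_object(git_dir, tree)[1])
        content = read_object(git_dir, entries[filename])[1].decode() if filename in entries else None
        revisions.append((message, content))
        oid = parents[0] if parents else None
    return revisions


# Assumed KEY=value config syntax; tune the key names to the target's conventions.
SECRET_LINE = re.compile(r"^(\w*(?:PASSWORD|SECRET|TOKEN)\w*)=(\S+)$", re.M)


def leaked_secrets(git_dir, filename):
    """Secret-looking values from older revisions that no longer appear in the HEAD revision."""
    revisions = history_of_file(git_dir, filename)
    current = revisions[0][1] or ""
    found = {}
    for message, content in revisions[1:]:
        for key, value in SECRET_LINE.findall(content or ""):
            if value not in current:
                found.setdefault(key, (value, message))
    return found


def build_demo_repo():
    """Constructed stand-in for the dumped repository: two commits on 'main', made-up password."""
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    author = "dev <dev@example.com> 1700000000 +0000"
    parent = None
    for message, conf in [
        ("Add admin config", "ADMIN_PASSWORD=s3cr3t-hunter2\nDB_HOST=localhost\n"),
        ("Remove admin password from config", "ADMIN_PASSWORD=env('ADMIN_PASSWORD')\nDB_HOST=localhost\n"),
    ]:
        blob = write_object(git_dir, "blob", conf.encode())
        tree = write_object(git_dir, "tree", b"100644 admin.conf\0" + bytes.fromhex(blob))
        lines = [f"tree {tree}"] + ([f"parent {parent}"] if parent else [])
        lines += [f"author {author}", f"committer {author}", "", message + "\n"]
        parent = write_object(git_dir, "commit", "\n".join(lines).encode())
    with open(os.path.join(git_dir, "refs", "heads", "main"), "w") as fh:
        fh.write(parent + "\n")
    return git_dir


if __name__ == "__main__":
    repo = build_demo_repo()
    for msg, content in history_of_file(repo, "admin.conf"):
        print(f"--- {msg}\n{content}")
    print("leaked:", leaked_secrets(repo, "admin.conf"))
```

Run against a real dump, point history_of_file at the downloaded .git and the file you care about, or run truffleHog over the whole tree; the point the output makes is that the "Remove admin password from config" commit changes which blob the tree points at but deletes nothing, which is why rotating the credential matters more than rewriting history.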

  • Never deploy the .git directory to production. A .gitignore does not help here (it only controls what gets committed); build a deployment artifact with git archive or copy the tree with the metadata excluded (for example rsync --exclude=.git), and block requests for /.git/ at the web server as a second line of defence.
  • Treat any credential that was ever committed as compromised: rotate it first, then rewrite history with BFG Repo-Cleaner or git filter-repo (git filter-branch is the older, slower tool that the Git project now steers users away from). Rewriting history does not recall clones or dumps that already exist, which is why rotation comes first.
  • Regularly audit publicly accessible directories and endpoints with the same tools an attacker would use:
    - git-dumper, which reconstructs an exposed repository even when directory listing is disabled
    - truffleHog, which scans a repository's full history for secrets
  • Monitor commit messages for unintentional disclosures or descriptive messages that hint at security-sensitive changes ("Remove admin password from config" is a signpost to exactly the commit an attacker wants).

This lab is a textbook example of how development artifacts can become attack surfaces. As security researchers and ethical hackers, we must constantly scan for these oversights. For bug bounty hunters, exposed .git directories are goldmines of opportunity. Always check for historical leaks—you never know what secrets the past is still holding onto.

🧰 Tools used:

  • 🔎 Burp Suite
  • 🐧 wget
  • 🧠 git-cola
  • 🖥️ Linux terminal

Another article, another footprint in the wild.
Remember: Git remembers everything — even the things you wish it didn’t.

Stay cautious with your commits, and never let .git/ be your downfall.

See you in Part 5, where we trace information disclosure to authentication bypass and push this series into red-zone territory 🦇

Aditya Bhatt
Cybersecurity Researcher | Bug Bounty Hunter


Source: https://infosecwriteups.com/exposure-protocol-information-disclosure-in-the-wild-part-4-509a7e6bb1de?source=rss----7b722bfd1b8d--bug_bounty