| name | insecure-source-code-management |
| description | Source control and artifact exposure (.git, .svn, .hg, backups, .env). Use when recon finds VCS paths, 403 on hidden dirs, or backup/config leaks during authorized testing. |
SKILL: Insecure Source Code Management
AI LOAD INSTRUCTION: This skill covers detection and recovery of exposed version-control metadata, common backup artifacts, and related misconfigurations. Use only in authorized assessments. Treat recovered credentials and URLs as sensitive; do not exfiltrate real data beyond scope. For broad discovery workflow, cross-load recon-for-sec and recon-and-methodology when those skills exist in the workspace.
0. QUICK START
High-value paths to probe first (GET or HEAD, respect rate limits):
/.git/HEAD
/.git/config
/.svn/entries
/.svn/wc.db
/.hg/requires
/.bzr/README
/.DS_Store
/.env
Routing note: quickly probe these paths first; for full recon workflow, load methodology from recon-for-sec and recon-and-methodology before deeper testing.
1. GIT EXPOSURE
Detection
/.git/HEAD — valid repo often returns plain text like:
ref: refs/heads/main
/.git/config — may expose remote.origin.url, user identity, or embedded credentials.
/.git/index, /.git/objects/ — partial object store access enables reconstruction with the right tools.
403 vs 404
404 — path likely absent or fully blocked at the edge.
403 on /.git/ — directory may exist but listing is denied; still try direct file URLs:
/.git/HEAD
/.git/config
/.git/logs/HEAD
/.git/refs/heads/main
A 403 on the directory plus 200 on HEAD strongly indicates exposure.
Recovery tools (open source)
arthaud/git-dumper — dumps reachable .git tree when individual files are fetchable.
internetwache/GitTools — Dumper, Extractor, Finder modules for partial/corrupt dumps.
WangYihang/GitHacker — alternative recovery when standard dumpers miss edge cases.
Key files to prioritize
| Path | Why it matters |
|---|
.git/config | Remotes, credentials, hooks paths |
.git/logs/HEAD | Commit history, reflog-style leakage |
.git/refs/heads/* | Branch tips, commit SHAs |
.git/packed-refs | Packed branch/tag refs |
.git/objects/** | Object blobs for reconstruction |
2. SVN EXPOSURE
Detection
- SVN before 1.7:
/.svn/entries — XML or text metadata listing paths and revisions.
- SVN ≥ 1.7:
/.svn/wc.db — SQLite working copy database (PRAGMA table_info after download).
Example probe:
GET /.svn/entries HTTP/1.1
GET /.svn/wc.db HTTP/1.1
Recovery
anantshri/svn-extractor — automated extraction from exposed .svn.
- Manual: download
wc.db, query with sqlite3 for file paths and checksums, then request /.svn/pristine/ blobs if exposed.
3. MERCURIAL EXPOSURE
Detection
/.hg/requires — small text file listing repository features; confirms Mercurial metadata.
GET /.hg/requires HTTP/1.1
GET /.hg/store/ HTTP/1.1
Recovery
sahildhar/mercurial_source_code_dumper — dumps repository when store paths are reachable.
4. OTHER LEAKS
Bazaar (Bzr)
- Probe
/.bzr/README and /.bzr/branch-format for Bazaar metadata.
macOS .DS_Store
/.DS_Store can encode directory and filename listings.
- Tools:
gehaxelt/ds-store, lijiejie/ds_store_exp — parse .DS_Store offline.
Backup and config artifacts
Probe (adjust for app root and naming conventions):
/.env
/backup.zip
/backup.tar.gz
/wwwroot.rar
/backup.sql
/config.php.bak
/.config.php.swp
Web server misconfiguration signal (example: NGINX)
location /.git { deny all; } — may return 403 for /.git/ while still allowing or denying specific subpaths depending on rules.
- 403 on a protected location can confirm the route exists; always distinguish from 404 on non-existent paths.
5. DECISION TREE
- Probe
/.git/HEAD → ref: refs/heads/ pattern? → run git-dumper / GitTools / GitHacker; review config and logs/HEAD for secrets.
- Else probe
/.svn/wc.db or entries → success? → svn-extractor or manual wc.db + pristine recovery.
- Else probe
/.hg/requires → success? → mercurial dumper.
- Else probe
/.bzr/README → Bazaar tooling or manual path walk.
- Parallel: fetch
/.DS_Store, /.env, common backup extensions on app root and parent paths.
- Interpret status codes: 403 on directory + 200 on specific files → treat as high priority for file-by-file extraction.
6. RELATED ROUTING
Note: coordinate with recon skills—set scope and request rate first, then run targeted VCS/backup validation.