Get Git is a Chrome extension that I hammered out today, inspired by these slides. Get Git recursively traverses the websites you browse, hunting for misconfigured Git repos that are web accessible. And of course, once you have access to the .git/ directory, it’s open season on source code, API keys, hard-coded passwords, and even internal network structure if they’ve liberally set up remote origins.
There’s actually a lot of sensitive info available in Git repos, and I was interested in how many of the sites I browse are revealing things. Get Git also handles websites with directory listings turned off, so even half-baked security won’t hide the repo.
It only traverses up your current directory tree on the site to limit requests, but I’ve already found two open repos from my daily browsing.
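A defender-side counterpart to the check described above, as an added example that is not Get Git's code: it audits a list of files about to be published and reports every .git/ directory in it, along with the fixed-name files (HEAD, config, index) that stay requestable even with directory listings turned off. The function name and the sample manifest are assumptions constructed for illustration.

```javascript
// Files that sit at the same name in every repository, so they can be
// requested directly even when the server refuses to list directories.
const WELL_KNOWN = ["HEAD", "config", "index"];

// Hypothetical helper: `manifest` is a list of relative paths that a deploy
// step will copy under the web root. Returns one finding per published repo.
function findExposedGitDirs(manifest) {
  const repos = new Map();
  for (const entry of manifest) {
    const parts = entry.replace(/\\/g, "/").split("/").filter(Boolean);
    const at = parts.indexOf(".git");
    // Skip paths outside a .git directory, and plain files named ".git".
    if (at === -1 || at === parts.length - 1) continue;
    const root = "/" + parts.slice(0, at).map((p) => p + "/").join("");
    const inner = parts.slice(at + 1).join("/");
    if (!repos.has(root)) repos.set(root, { root, files: 0, wellKnown: [] });
    const repo = repos.get(root);
    repo.files += 1;
    if (WELL_KNOWN.includes(inner)) repo.wellKnown.push(root + ".git/" + inner);
  }
  return [...repos.values()]
    .map((r) => ({
      ...r,
      wellKnown: r.wellKnown.sort(),
      // HEAD present: the repo is identifiable without any directory listing.
      reachableWithoutListing: r.wellKnown.some((p) => p.endsWith("/.git/HEAD")),
    }))
    .sort((a, b) => a.root.localeCompare(b.root));
}

// Constructed sample manifest (not taken from any real site).
const SAMPLE_MANIFEST = [
  "index.html",
  "css/site.css",
  ".git/HEAD",
  ".git/config",
  ".git/objects/ab/cdef0123",
  "blog/post.html",
  "blog/.git/HEAD",
  "blog/.git/refs/heads/master",
  "docs/.gitignore", // similar name, not a repository
  "vendor/lib/.git", // a file named .git, not a directory
];

for (const r of findExposedGitDirs(SAMPLE_MANIFEST)) {
  console.log(`${r.root}.git/ would be published (${r.files} files): ${r.wellKnown.join(", ")}`);
}
```

Run it against the file list of a build artifact before deployment and fail the build when the result is non-empty.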
It’s in the Chrome Web Store, as well as GitHub. And… yet again… please be forkful and multiply.