SKILL: Insecure Source Code Management

AI LOAD INSTRUCTION: This skill covers detection and recovery of exposed version-control metadata, common backup artifacts, and related misconfigurations. Use only in authorized assessments. Treat recovered credentials and URLs as sensitive; do not exfiltrate real data beyond scope. For broad discovery workflow, cross-load recon-for-sec and recon-and-methodology when those skills exist in the workspace.

0. QUICK START

/.git/HEAD
/.git/config
/.svn/entries
/.svn/wc.db
/.hg/requires
/.bzr/README
/.DS_Store
/.env

recon-for-sec

recon-and-methodology

1. GIT EXPOSURE

Detection

• /.git/HEAD

  — valid repo often returns plain text like:

ref: refs/heads/main

• /.git/config

  — may expose

  remote.origin.url

  , user identity, or embedded credentials.

• /.git/index

  ,

  /.git/objects/

  — partial object store access enables reconstruction with the right tools.

403 vs 404

• 404

  — path likely absent or fully blocked at the edge.

• 403

  on

  /.git/

  — directory may exist but listing is denied; still try direct file URLs:

/.git/HEAD
/.git/config
/.git/logs/HEAD
/.git/refs/heads/main

HEAD

Recovery tools (open source)

• arthaud/git-dumper

  — dumps reachable

  .git

  tree when individual files are fetchable.

• internetwache/GitTools

  — Dumper, Extractor, Finder modules for partial/corrupt dumps.

• WangYihang/GitHacker

  — alternative recovery when standard dumpers miss edge cases.

Key files to prioritize

.git/config

.git/logs/HEAD

.git/refs/heads/*

.git/packed-refs

.git/objects/**

2. SVN EXPOSURE

Detection

• SVN before 1.7:

  /.svn/entries

  — XML or text metadata listing paths and revisions.
• SVN ≥ 1.7:

  /.svn/wc.db

  — SQLite working copy database (

  PRAGMA table_info

  after download).

GET /.svn/entries HTTP/1.1
GET /.svn/wc.db HTTP/1.1

Recovery

• anantshri/svn-extractor

  — automated extraction from exposed

  .svn

  .
• Manual: download

  wc.db

  , query with

  sqlite3

  for file paths and checksums, then request

  /.svn/pristine/

  blobs if exposed.

3. MERCURIAL EXPOSURE

Detection

• /.hg/requires

  — small text file listing repository features; confirms Mercurial metadata.

GET /.hg/requires HTTP/1.1
GET /.hg/store/ HTTP/1.1

Recovery

• sahildhar/mercurial_source_code_dumper

  — dumps repository when store paths are reachable.

4. OTHER LEAKS

Bazaar (Bzr)

• Probe

  /.bzr/README

  and

  /.bzr/branch-format

  for Bazaar metadata.

macOS

.DS_Store

• /.DS_Store

  can encode directory and filename listings.
• Tools:

  gehaxelt/ds-store

  ,

  lijiejie/ds_store_exp

  — parse

  .DS_Store

  offline.

Backup and config artifacts

/.env
/backup.zip
/backup.tar.gz
/wwwroot.rar
/backup.sql
/config.php.bak
/.config.php.swp

Web server misconfiguration signal (example: NGINX)

• location /.git { deny all; }

  — may return 403 for

  /.git/

  while still allowing or denying specific subpaths depending on rules.
• 403 on a protected location can confirm the route exists; always distinguish from 404 on non-existent paths.

5. DECISION TREE

1. Probe

   /.git/HEAD

   →

   ref: refs/heads/

   pattern? → run git-dumper / GitTools / GitHacker; review

   config

   and

   logs/HEAD

   for secrets.
2. Else probe

   /.svn/wc.db

   or

   entries

   → success? → svn-extractor or manual

   wc.db

   + pristine recovery.
3. Else probe

   /.hg/requires

   → success? → mercurial dumper.
4. Else probe

   /.bzr/README

   → Bazaar tooling or manual path walk.
5. Parallel: fetch

   /.DS_Store

   ,

   /.env

   , common backup extensions on app root and parent paths.
6. Interpret status codes: 403 on directory + 200 on specific files → treat as high priority for file-by-file extraction.

6. RELATED ROUTING

• From recon-for-sec — scope-safe discovery, crawling, and fingerprinting before deep VCS tests.
• From recon-and-methodology — structured methodology and evidence handling.