July 7, 2026
Information Disclosure in Version Control History
Information Disclosure in Version Control History
By Zeyad Naguib
1 min read
The Vulnerability
When a .git directory is accidentally deployed alongside a web application and left publicly accessible, an attacker can download the entire repository — not just the current state of the code, but every commit ever made. This means:
- Deleted files can be recovered from earlier commits
- "Fixed" secrets can be found in the diffs that removed them
- Commit messages and authorship can reveal internal processes, naming conventions, or even personal information
- Branches and tags that were never merged into production may still contain sensitive changes
Step-by-Step Solution
1. Discover the exposed .git directory
Browsing to:
/.git/.gitconfirmed that the application's Git repository data was directly accessible over HTTP — a strong indicator that the .git folder had been deployed alongside the application's public-facing files instead of being excluded.
2. Download the entire repository
Having confirmed the directory was accessible, the next step was to pull down a full local copy for analysis. On Linux, this can be done with:
wget -r https://YOUR-LAB-ID.web-security-academy.net/.git/wget -r https://YOUR-LAB-ID.web-security-academy.net/.git/The -r flag recursively downloads the entire directory structure, reconstructing the repository's .git folder locally. Windows users would need an equivalent tool, or a Unix-like environment such as Cygwin, to run the same command.
3. Explore the commit history locally
With the .git directory downloaded, I opened the folder using a local Git installation and inspected the commit log. One commit stood out immediately due to its message:
"Remove admin password from config""Remove admin password from config"A commit message like this is effectively a neon sign pointing at exactly where the sensitive data used to live — and, more importantly, where it still lives in history.
4. Inspect the diff for the leaked credential
Looking closely at the diff for that commit, I found that it modified a file called admin.conf. The change replaced a hard-coded password with a reference to an environment variable, ADMIN_PASSWORD — a legitimate security improvement for the current state of the code.
However, a diff by nature shows both the old and new versions of the changed lines. The previous, hard-coded password was still clearly visible in the removed line of the diff, fully readable despite having been "deleted" in the newer commit.
5. Log in as the administrator
Using the recovered password, I returned to the lab and logged into the administrator account.
6. Delete carlos
With administrator access secured, I navigated to the admin interface and deleted the user carlos, solving the lab.
Written by Zeyad Naguib,
🔗 https://www.linkedin.com/in/zeyadnageeb ✍️ https://medium.com/@zeyadnaguib1