
Insecure Source Code Management
Probe and recover exposed VCS metadata and backup leaks during authorized recon on web targets.
Overview
Insecure Source Code Management is an agent skill for the Ship phase that detects and guides recovery of exposed VCS metadata, backups, and related misconfigurations during authorized testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill insecure-source-code-management
What is this skill?
- Priority probe list for .git, .svn, .hg, .bzr, .DS_Store, and .env paths
- Git exposure detection via HEAD, config, index, and objects reconstruction guidance
- Interprets 403 vs 404 on hidden directories to refine attack surface
- Cross-load pointers to recon-for-sec and recon-and-methodology for fuller methodology
- Scope-only handling: treat recovered credentials and URLs as sensitive
- 8 high-value paths listed in quick-start probe set
- Covers Git, SVN, Mercurial, Bazaar, .DS_Store, and .env entry points
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You found suspicious paths or 403s on hidden dirs during recon but need a safe, ordered checklist instead of random URL fuzzing.
Who is it for?
Solo builders or consultants running authorized web app assessments who need structured VCS and backup exposure checks.
Skip if: Unauthorized scanning, production monitoring, or teams that only need static SAST without live path probing.
When should I use this skill?
Recon finds VCS paths, 403 on hidden dirs, or backup/config leaks during authorized testing.
What do I get? / Deliverables
You get prioritized HTTP probes, interpretation of Git/SVN/Hg signals, and clear scope rules before deeper methodology skills take over.
- Ordered probe results for standard VCS and backup paths
- Notes on exposure signals and safe next steps within scope
Journey fit
Canonical shelf is Ship → Security because the skill documents offensive discovery of misconfigured source-control and config exposure as part of authorized appsec testing. Security subphase fits secret/path leakage checks that precede or accompany broader pentest workflows, not day-two production monitoring.
How it compares
Procedural authorized recon skill, not a passive dependency scanner or generic CVE lookup.
Common Questions / FAQ
Who is insecure-source-code-management for?
Security-minded solo builders and testers doing authorized recon when version-control or backup paths may be exposed on a target.
When should I use insecure-source-code-management?
Use it in Ship (security) when recon surfaces VCS URLs, 403 on hidden directories, or suspected .env and backup leaks—after scope is confirmed and before deeper exploitation.
Is insecure-source-code-management safe to install?
Review the Security Audits panel on this Prism page and only invoke it inside explicitly authorized engagements with data-handling rules your client approves.
SKILL.md - Insecure Source Code Management
# SKILL: Insecure Source Code Management

> **AI LOAD INSTRUCTION**: This skill covers detection and recovery of exposed version-control metadata, common backup artifacts, and related misconfigurations. Use only in **authorized** assessments. Treat recovered credentials and URLs as sensitive; do not exfiltrate real data beyond scope. For broad discovery workflow, cross-load [recon-for-sec](../recon-for-sec/SKILL.md) and [recon-and-methodology](../recon-and-methodology/SKILL.md) when those skills exist in the workspace.

## 0. QUICK START

High-value paths to probe first (GET or HEAD, respect rate limits):

```http
/.git/HEAD
/.git/config
/.svn/entries
/.svn/wc.db
/.hg/requires
/.bzr/README
/.DS_Store
/.env
```

**Routing note**: quickly probe these paths first; for full recon workflow, load methodology from `recon-for-sec` and `recon-and-methodology` before deeper testing.

---

## 1. GIT EXPOSURE

### Detection

- **`/.git/HEAD`** — valid repo often returns plain text like:

  ```text
  ref: refs/heads/main
  ```

- **`/.git/config`** — may expose `remote.origin.url`, user identity, or embedded credentials.
- **`/.git/index`**, **`/.git/objects/`** — partial object store access enables reconstruction with the right tools.

### 403 vs 404

- **`404`** — path likely absent or fully blocked at the edge.
- **`403` on `/.git/`** — directory may **exist** but listing is denied; still try direct file URLs:

  ```http
  /.git/HEAD
  /.git/config
  /.git/logs/HEAD
  /.git/refs/heads/main
  ```

A **403 on the directory** plus **200 on `HEAD`** strongly indicates exposure.

### Recovery tools (open source)

- **`arthaud/git-dumper`** — dumps reachable `.git` tree when individual files are fetchable.
- **`internetwache/GitTools`** — Dumper, Extractor, Finder modules for partial/corrupt dumps.
- **`WangYihang/GitHacker`** — alternative recovery when standard dumpers miss edge cases.
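As a defender-side complement to the quick-start list and the 403-vs-404 reading above, the following is an added example (not code from the skill or the hack-skills repository) that scans web-server access logs for requests to the metadata and backup paths this skill lists and reports which of them the server actually answered with 200, i.e. confirmed exposure to fix. The log lines are constructed; the path sets are copied from the skill's own lists.

```python
import re
from collections import defaultdict
# Paths from the skill's quick-start and backup/config lists.
SENSITIVE_PREFIXES = ("/.git/", "/.svn/", "/.hg/", "/.bzr/")
SENSITIVE_FILES = {"/.DS_Store", "/.env", "/backup.zip", "/backup.tar.gz",
                   "/wwwroot.rar", "/backup.sql", "/config.php.bak",
                   "/.config.php.swp"}

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_sensitive(path):
    """True when the path is one of the VCS/backup artefacts the skill lists."""
    path = path.split("?", 1)[0]
    return path.startswith(SENSITIVE_PREFIXES) or path in SENSITIVE_FILES

def classify(status):
    """Map the status code to the skill's 403-vs-404 reading."""
    if status == 200:
        return "EXPOSED"   # file was actually served: confirmed leak
    if status == 403:
        return "DENIED"    # path may exist, access refused at the server
    if status == 404:
        return "ABSENT"
    return "OTHER"

def analyze(lines):
    """Return {ip: {"probes": n, "exposed": [paths]}} for probing clients."""
    report = defaultdict(lambda: {"probes": 0, "exposed": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m["path"]):
            continue
        entry = report[m["ip"]]
        entry["probes"] += 1
        if classify(int(m["status"])) == "EXPOSED":
            entry["exposed"].append(m["path"])
    return dict(report)

# Constructed sample log: one client probing several paths, one benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/ HTTP/1.1" 403 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.svn/wc.db HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /.env HTTP/1.1" 200 412
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` reports the probing client with 4 probes and `/.git/HEAD` and `/.env` as exposed, which on your own servers is the cue to block those paths and rotate anything the files contained.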
### Key files to prioritize

| Path | Why it matters |
|------|----------------|
| `.git/config` | Remotes, credentials, hooks paths |
| `.git/logs/HEAD` | Commit history, reflog-style leakage |
| `.git/refs/heads/*` | Branch tips, commit SHAs |
| `.git/packed-refs` | Packed branch/tag refs |
| `.git/objects/**` | Object blobs for reconstruction |

---

## 2. SVN EXPOSURE

### Detection

- **SVN before 1.7**: **`/.svn/entries`** — XML or text metadata listing paths and revisions.
- **SVN ≥ 1.7**: **`/.svn/wc.db`** — SQLite working copy database (`PRAGMA table_info` after download).

Example probe:

```http
GET /.svn/entries HTTP/1.1
GET /.svn/wc.db HTTP/1.1
```

### Recovery

- **`anantshri/svn-extractor`** — automated extraction from exposed `.svn`.
- **Manual**: download `wc.db`, query with `sqlite3` for file paths and checksums, then request **`/.svn/pristine/`** blobs if exposed.

---

## 3. MERCURIAL EXPOSURE

### Detection

- **`/.hg/requires`** — small text file listing repository features; confirms Mercurial metadata.

```http
GET /.hg/requires HTTP/1.1
GET /.hg/store/ HTTP/1.1
```

### Recovery

- **`sahildhar/mercurial_source_code_dumper`** — dumps repository when store paths are reachable.

---

## 4. OTHER LEAKS

### Bazaar (Bzr)

- Probe **`/.bzr/README`** and **`/.bzr/branch-format`** for Bazaar metadata.

### macOS `.DS_Store`

- **`/.DS_Store`** can encode directory and filename listings.
- Tools: **`gehaxelt/ds-store`**, **`lijiejie/ds_store_exp`** — parse `.DS_Store` offline.

### Backup and config artifacts

Probe (adjust for app root and naming conventions):

```text
/.env
/backup.zip
/backup.tar.gz
/wwwroot.rar
/backup.sql
/config.php.bak
/.config.php.swp
```

### Web server misconfiguration signal (example: NGINX)

- **`location /.git { deny all; }`** — may return **403** for `/.git/` while still allowing or denying spec