GitPwn

Advanced detector for exposed .git/.svn/.hg repositories, leaked secrets and sensitive files on websites

As of June 2026, GitPwn has 6 users and a 5.00/5 rating from 1 review in the Developer Tools category.

Users: 6 (no change, 0%)
Rating: 5.00 from 1 review (no change, 0%)
Reviews: 1 (no change, 0%)
Version: 6.1.0
Manifest V3

History

6 snapshots

Tracking since May 12, 2026.

Date          Users  Rating  Reviews  Version
May 12, 2026  -      -       -        6.1.0
May 17, 2026  -      -       -        6.1.0
May 24, 2026  -      5.00    1        6.1.0
May 31, 2026  1      5.00    1        6.1.0
Jun 6, 2026   2      5.00    1        6.1.0
Jun 19, 2026  3      5.00    1        6.1.0
Now           6      5.00    1        6.1.0

Permissions & access

Permissions
webRequest, storage, notifications, downloads, tabs, scripting, alarms, contextMenus, sidePanel
Host access
http://*/*, https://*/*, ws://*/*, wss://*/*

About

Passive scanner for exposed .git repos, .env files, AWS credentials, SSH keys, and 20+ other secrets on the sites you load.

GitPwn is a security-research browser extension that passively scans every website you visit for accidentally exposed source-control directories, configuration files, credentials, and other sensitive artifacts that should never be public. Instead of running a dozen scripts manually, every site you load is automatically checked in the background — and the moment something leaks, you'll know.


WHAT IT DETECTS

Exposed version-control directories
 • .git repositories (with pack files, refs, config)
 • .svn working copies
 • .hg (Mercurial), .bzr (Bazaar), and CVS metadata

Leaked configuration & credentials
 • .env files
 • AWS credentials (~/.aws/credentials)
 • Firebase configuration
 • WordPress wp-config.php backups
 • .htpasswd and .htaccess
 • SSH private keys (id_rsa)
 • .npmrc files containing auth tokens

Dev artifacts that shouldn't be public
 • IDE folders: .idea, .vscode
 • macOS .DS_Store
 • Lock files: composer.lock, package-lock.json, yarn.lock
 • docker-compose.yml
 • Database dumps (dump.sql, db.sql)
 • Backup archives (backup.zip, backup.tar.gz)
 • phpinfo.php
 • Apache server-status, Spring Boot /actuator endpoints
 • GraphQL introspection

Secrets inside HTTP responses
 • AWS keys, GCP service accounts, Stripe / Slack / GitHub / Google API tokens, JWTs, private keys, and other high-confidence patterns extracted directly from network responses.


KEY FEATURES

 • Passive monitoring — every site you visit is scanned automatically, with a smart blacklist and per-domain rate-limit so it stays out of your way.
 • One-click manual scan — Ctrl+Shift+G (Cmd+Shift+G on macOS) triggers a deep scan of the current tab on demand.
 • Repository download — when an exposed .git is found, you can download the reconstructed repository tree as a ZIP for analysis.
 • Webhook integration — push findings (with a severity threshold) to Slack, Discord, your own SIEM, or any HTTP endpoint.
 • Native desktop notifications — instant alert the moment a critical finding lands.
 • Searchable dashboard — full-text search across every URL, finding type, and detected secret you've collected.
 • Side panel — keep your findings visible while you browse (Ctrl+Shift+S).
 • Light and dark themes with a polished UI.
 • Multi-language: English, Dutch, Turkish.


WHO IT'S FOR

 • Security researchers, penetration testers, and red teamers conducting authorized assessments.
 • Bug-bounty hunters looking for low-hanging public-facing leaks.
 • DevSecOps and platform engineers auditing their own infrastructure.
 • Web developers who want a continuous safety net during deployments.
 • CTF players and students learning about web-security misconfigurations.


PRIVACY

 • 100% local. No telemetry. No analytics. No remote servers.
 • All findings and history are stored only in your browser's local storage.


PERMISSIONS & WHY THEY'RE NEEDED

 • webRequest, host_permissions (http/https/ws/wss): to passively check each origin you visit for exposed paths.
 • storage: to remember scanned domains and findings locally so it doesn't repeatedly hit the same site.
 • notifications: to alert you when a critical finding is detected.
 • downloads: to save reconstructed repositories or evidence files when you choose to.
 • tabs, scripting, sidePanel, contextMenus, alarms: for the popup, side panel, manual-scan command, and the periodic background re-checks.


DISCLAIMER

GitPwn is intended for security research, authorized penetration testing, and self-auditing of systems you own or have explicit written permission to test. Scanning third-party systems without authorization may be illegal in your jurisdiction. Use at your own risk — the authors accept no responsibility for misuse.

Technical

Version: 6.1.0
Manifest: V3
Size: 141KiB
Min Chrome: 88
Languages: 3
Featured: No

Metadata

ID: gajmkigahapaiafcbmidieknphkeeolj
Developer ID: u0b82fb28ca106049f67a4ebce6cf6d97
Developer Email: [email protected]
Created: May 11, 2026
Last Updated (Store): May 11, 2026
Last Scraped: Jun 19, 2026

Data sourced from the Chrome Web Store · last verified Jun 19, 2026.