Sorcery Blog

Tag: patch

Exposed .git Folder and How To Remediate it

Discovery

Usually we find this when a directory bruteforce returns positive results for the following URLs:

http://site.com/.git/
http://site.com/.git/config
http://site.com/.git/HEAD
http://site.com/.git/index

Many times the .git/ directory itself returns 403 (because directory listing is disabled) but the files within it are still downloadable. Many of the git files sit at known paths, and the rest can be worked out from the known files, so it is still exploitable as long as the files are downloadable.
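For checking your own server against the case described above (403 on the directory, files still served), here is an added example that is not part of the original post: it reads web access logs and reports which requests under .git/ were answered with content. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /.git/ HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 271 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:06:00 +0000] "GET /docs/.gitignore-howto HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Captures: client address, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def git_subpath(target):
    """Return the path below a .git segment ('' for the directory), else None."""
    segments = target.split("?", 1)[0].split("/")
    if ".git" not in segments:
        return None  # e.g. /docs/.gitignore-howto is not a .git/ request
    return "/".join(segments[segments.index(".git") + 1:])

def analyze(log_text):
    """Summarise which .git requests the server actually answered with content."""
    served, clients, dir_statuses = set(), set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        sub = git_subpath(target)
        if sub is None:
            continue
        clients.add(client)
        if sub == "":
            dir_statuses.add(int(status))        # request for the directory itself
        elif status in ("200", "206"):
            served.add(target.split("?", 1)[0])  # a repository file was handed out
    return {
        "served": sorted(served),
        # True when every directory request was refused; says nothing about files.
        "listing_blocked": bool(dir_statuses) and dir_statuses <= {403, 404},
        "exposed": bool(served),
        "clients": sorted(clients),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample, `listing_blocked` and `exposed` are both true, which is exactly the situation the paragraph warns about: the 403 on the directory does not mean the repository files are protected.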