The keys to the kingdom pretty much always come down to acquiring source code for the web application you’re attacking from a blackbox perspective. This is a quick review of how I was able to get access to a particular client’s application source code using an extremely simple vulnerability: Directory Indexing. Interestingly enough, they also had a .git repository accessible at https://www.[redacted].com/.git/ (although the ‘why’ still baffles me). If you have access to this you also have access to any commits and all logs that may exist in the repo.
more here...........http://blog.whitehatsec.com/how-i-stole-source-code-with-directory-indexing-and-git/
more here...........http://blog.whitehatsec.com/how-i-stole-source-code-with-directory-indexing-and-git/