michelin / chopchop

ChopChop is a CLI to help developers scanning endpoints and identifying exposition of sensitive services/files/folders.

License: Other

Dockerfile 0.83% Go 99.17%
devsecops scanning security

chopchop's People

Contributors

bentasker, cnotin, dloomplz, f-lopes, gui13, isontheline, kevinhock, paulsec, ryanmr, woundride


chopchop's Issues

Confusion: Azure VS Tomcat

Regarding this:

ChopChop/chopchop.yml

Lines 45 to 50 in 8feacb5

- name: Azure
  match:
    - "catalina.base"
  remediation: Check that the application has been deployed and delete the default pages
  description: Detects the presence of Azure installation by default
  severity: "Informational"

I might be mistaken as I don't know what would be an "Azure installation by default", but usually "catalina" refers to Tomcat so there's maybe a confusion here :)

Detect the non-presence of a HTTP header

Hello everyone, thanks for sharing ChopChop.

According to the documentation, there is no way to detect the lack of an HTTP header.

It can be a nice feature to detect the absence of some security headers like "Strict-Transport-Security" or "Content-Security-Policy".

trickbot false positive?

hi,
thx a lot to the Clermont-Ferrand dream team for this tool, I just used it on one of our websites, and I am surprised by the response.
I get logs for files that are not present on the server:

| https://xxxxx.xxxxxxx.fr/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| https:/xxxxxx-xxxxxxxxxx.fr/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| https://xxxxxxxxxx.xxxxxxxxx/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| https://xxxxxxxxx.xxxxxxxxx/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |

any idea what it means?
thx for your time

Match binary

Tried this rule:

plugins:
  - checks:
      - name: Database file
        match:
          - "\x1F\x8B\x08"
        remediation: Delete this file
        description: Verifies a database dump is accessible.
        severity: "High"
    uri: /db.sqlite3.tar.gz

On my test server, it correctly hits the file:

[verbose] Testing URL: http://0.0.0.0:8000/db.sqlite3.tar.gz

And I see it as 200 in the logs:

127.0.0.1 - - [24/Oct/2020 16:54:38] "GET /db.sqlite3.tar.gz HTTP/1.1" 200 -

Returning the expected bytes:

$ curl 0:8000/db.sqlite3.tar.gz | hexdump -C | head -n 1
00000000  1f 8b 08 00 00 00 00 00  00 03 ec 9d 79 6c 1c d7  |............yl..|

But the match may fail, as ChopChop does not report it:

$ ./gochopchop scan --url http://0.0.0.0:8000 
No vulnerabilities found.

So either I'm tired, or ChopChop doesn't want to match arbitrary byte sequences?
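As an added example (not ChopChop's own code, whose matching internals are not shown on this page), a Go evaluator for the rule semantics the two issues above depend on: `status_code` plus raw-byte `match` sequences, so the gzip magic `"\x1F\x8B\x08"` is compared as three bytes, and a hypothetical `AbsentHeaders` field for the "non-presence of a HTTP header" request. Type, field and function names are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
)

// Check carries the rule fields used in the chopchop.yml snippets above.
// AbsentHeaders is a hypothetical field for the "non-presence of a HTTP
// header" request; it does not exist in the project.
type Check struct {
	Name          string
	StatusCode    int      // 0 means any status is accepted
	Match         [][]byte // raw byte sequences, so "\x1F\x8B\x08" is comparable
	AbsentHeaders []string // hypothetical: report when any listed header is missing
}

// Evaluate reports whether a response triggers the check: the status must
// equal StatusCode (if set), every Match sequence must occur in the body,
// and every AbsentHeaders entry must be missing from the response headers.
func Evaluate(c Check, status int, hdr http.Header, body []byte) bool {
	if c.StatusCode != 0 && status != c.StatusCode {
		return false
	}
	for _, m := range c.Match {
		// bytes.Contains compares raw bytes, so the gzip magic is matched
		// as three bytes rather than as the text "\x1F\x8B\x08".
		if !bytes.Contains(body, m) {
			return false
		}
	}
	for _, h := range c.AbsentHeaders {
		if len(hdr.Values(h)) > 0 {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample body: the first bytes of the hexdump in the issue.
	gz := []byte{0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03}
	dump := Check{Name: "Database file", StatusCode: 200, Match: [][]byte{{0x1F, 0x8B, 0x08}}}
	fmt.Println(dump.Name, Evaluate(dump, 200, http.Header{}, gz)) // true

	hsts := Check{Name: "Missing HSTS", AbsentHeaders: []string{"Strict-Transport-Security"}}
	fmt.Println(hsts.Name, Evaluate(hsts, 200, http.Header{}, nil)) // true
}
```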

Accept lists of URIs

Thanks for opening ChopChop!

Looked at chopchop.yml and thought « I'll gladly add some... », but wanted to do it like so:

- uri: ["/db.sql", "/db.sql.gz", "/db.sqlite", "/db.sqlite.gz", "/db.sqlite3", "/db.sqlite3.gz", "/data.sql", "/data.sql.gz", "/users.sql", "/users.sql.gz", "/dump.sql", "/dump.sql.gz", "/mysqldump.sql", "/mysqldump.sql.gz", "/backup.sql", "/backup.sql.gz", "/db.backup", "/db.backup.gz", "/database.sql", "/database.sql.gz", "/db-data.sql", "/db-data.sql.gz", "/db_test.sql", "/db_test.sql.gz", "/db-test.sql", "/db-test.sql.gz"]
  checks:
    - name: Database file
      status_code: 200
      remediation: Delete this file
      description: Verifies a database dump is accessible.
      severity: "High"

(and I bet we could continue for hours adding to this list)

As you imagine, I don't want to copy/paste the name, status_code, remediation, description, and severity 26 times.

Doodling around the idea, it would be great to be able to express those as a « genex », or something similar, something like:

/(db|database|backup|mysqldump|dump|data).(sql|sqlite|sqlite3)(\.gz)?
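As an added example (not part of the issue or of ChopChop), a small Go expander for the « genex » idea above: it enumerates every URI a pattern made of literals, `(a|b)` alternations and `(x)?` optional groups describes, taking the unescaped `.` as a literal separator. The function names and the supported syntax are assumptions; nested groups and other regex features are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// Expand enumerates every concrete string described by a minimal "genex"
// pattern: literal characters, alternation groups "(a|b|c)" and optional
// groups "(x)?". A backslash makes the next character literal ("\." is a dot).
func Expand(pattern string) []string {
	results := []string{""}
	for i := 0; i < len(pattern); {
		if pattern[i] != '(' {
			if pattern[i] == '\\' && i+1 < len(pattern) {
				i++ // backslash: take the next character literally
			}
			results = appendAll(results, []string{string(pattern[i])})
			i++
			continue
		}
		end := strings.IndexByte(pattern[i:], ')')
		if end < 0 {
			break // unterminated group: keep what has been expanded so far
		}
		alts := strings.Split(strings.ReplaceAll(pattern[i+1:i+end], "\\", ""), "|")
		i += end + 1
		if i < len(pattern) && pattern[i] == '?' {
			alts = append(alts, "") // optional group: also emit the empty choice
			i++
		}
		results = appendAll(results, alts)
	}
	return results
}

// appendAll forms the cross product of every prefix with every suffix.
func appendAll(prefixes, suffixes []string) []string {
	out := make([]string, 0, len(prefixes)*len(suffixes))
	for _, p := range prefixes {
		for _, s := range suffixes {
			out = append(out, p+s)
		}
	}
	return out
}

func main() {
	uris := Expand(`/(db|database|backup|mysqldump|dump|data).(sql|sqlite|sqlite3)(\.gz)?`)
	fmt.Println(len(uris), uris[:2]) // 36 [/db.sql.gz /db.sql]
}
```

The pattern from the issue expands to 36 URIs (6 names, 3 extensions, with and without `.gz`), ten more than the hand-written list above.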

Set up an automated Docker build

Currently, there is no automated Docker build nor a published image on Docker Hub (hub.docker.com).

It could be great to set up an automated Docker build to build & push the latest Docker image to Docker Hub.

The usage with Docker would then be straightforward:

docker run michelin/chopchop scan --url https://foobar.com

This simple process is well explained here: https://docs.docker.com/docker-hub/builds/.
I can't set up this build myself as I am not the owner of this repository.

You can see here a sample on the forked repository:
[image]

run first time - Error: Path of signatures file is not valid

I downloaded the tar.gz release for Linux. When I run it I get the following error:

$ ./ChopChop_linux_amd64 plugins
Error: Path of signatures file is not valid
{"level":"warning","msg":"Path of signatures file is not valid","time":"2022-11-15T10:43:19+02:00"}

Where do I get the signatures file as it is not in the tar.gz?

Specify specific signatures to be checked by severity

Hi,

It would be great to be able to perform scanning by specifying signatures based on their rating {Informational, Low, Medium, High}.

For example if a user wants to scan URLs with only "High" signatures, it would be:

$ ./chopchop scan -u http://foobar.com --severity High

Ability to control request method

It'd be useful to be able to control the request method, up to and including being able to specify some POST data.

It'd also mean that where you're only interested in headers, you could place a HEAD instead of a GET (particularly useful if the asset you're requesting is sizeable).

Colors handling

Hi,

It would be great if we handled colors within the ChopChop results table.
For example, something like:

  • High : red
  • Medium : orange
  • Low : yellow or something quite neutral
  • Informational : blue

Query String attribute for checks

It'd be useful to be able to specify a querystring as part of a check rather than having to include it in the URI.

I've been playing around with ChopChop by creating unit tests for some WAF rules, one set of which is QS arg type enforcement, so I end up with something like

- uri: "/?id=FOO-chopchoptest"
  checks:
    - name: ID type enforcement
      match:
        - "Homepage"
      remediation: "Check the WAF dynamic rules are active"
      description: "Verifies the WAF is enforcing type for QS arg 'id'"
      status_code: 200
      severity: "Medium"
- uri: "/?catid=FOO-chopchoptest"
  checks:
    - name: catid type enforcement
      match:
        - "Homepage"
      remediation: "Check the WAF dynamic rules are active"
      description: "Verifies the WAF is enforcing type for QS arg 'catid'"
      status_code: 200
      severity: "Medium"

Which is fine, but it'd be awesome to be able to do something like

- uri: "/"
  checks:
    - name: ID type enforcement
      qs: "id=FOO-chopchoptest"
      match:
        - "Homepage"
      remediation: "Check the WAF dynamic rules are active"
      description: "Verifies the WAF is enforcing type for QS arg 'id'"
      status_code: 200
      severity: "Medium"
    - name: catid type enforcement
      qs: "catid=FOO-chopchoptest"
      match:
        - "Homepage"
      remediation: "Check the WAF dynamic rules are active"
      description: "Verifies the WAF is enforcing type for QS arg 'catid'"
      status_code: 200
      severity: "Medium"

So that if the path needs to be updated for some reason, it only needs doing in one place.

filepath of url file is not valid

Hi and gg for the good work.

I was playing with it after seeing your video on YouTube (OSSIR), and the following command:

docker run ghcr.io/michelin/gochopchop scan --url-file file.txt --json-file "resultats.json"

gives me the following error:
Error: filepath of url file is not valid filepath of url file is not valid

I tried with -f, --url-file, "./file.txt", ./file.txt, file.txt, "file.txt", [absolute_path] and "[absolute_path]" with the same result.

Any idea why?

Regards,

Specify specific signatures to be checked by signature name

Hi,

It would be great to be able to perform scanning by specifying signatures based on their names.

For example if a user wants to scan URLs with only signatures containing the "git" keyword, it would be:

$ ./chopchop scan -u http://foobar.com --signature "git*"

ChopChop not exiting properly

If you do not specify the url and/or a url-file, the binary exits and displays "No vulnerabilities found." which is wrong.

See:

/tmp # ./gochopchop  scan
No vulnerabilities found.
/tmp # 

It would be better to fail saying that no url and/or url-file has been specified.

socks5 option

Hello! I want to know if it is possible to add an option to pass a socks5 or proxy address. I'm trying to set up forwarding but that's not working because I can't find an option to pass the proxy address.

Best regards,
oppsec.
