michelin / chopchop
ChopChop is a CLI to help developers scanning endpoints and identifying exposition of sensitive services/files/folders.
License: Other
Regarding this:
Lines 45 to 50 in 8feacb5
I might be mistaken as I don't know what an "Azure installation by default" would be, but usually "catalina" refers to Tomcat, so there's maybe a confusion here :)
Hello everyone, thanks for sharing ChopChop.
According to the documentation, there is no way to detect the lack of an HTTP header.
It would be a nice feature to detect the absence of some security headers like "Strict-Transport-Security" or "Content-Security-Policy".
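One way the requested check could be implemented, as an added Go example that is not ChopChop's code: it reports which headers from a constructed list a response lacks, using a HEAD request against an in-process test server. The list beyond the two headers named above is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// RequiredHeaders is a constructed list; the issue names the first two.
var RequiredHeaders = []string{
	"Strict-Transport-Security",
	"Content-Security-Policy",
	"X-Content-Type-Options",
}

// MissingSecurityHeaders returns, in RequiredHeaders order, every required
// header that is absent or empty in h (Get canonicalises header names).
func MissingSecurityHeaders(h http.Header) []string {
	var missing []string
	for _, name := range RequiredHeaders {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

// CheckURL issues a HEAD request (headers are all the check needs).
func CheckURL(url string) ([]string, error) {
	resp, err := http.Head(url)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return MissingSecurityHeaders(resp.Header), nil
}

// NewDemoServer is a constructed target that sets only a CSP header.
func NewDemoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "default-src 'self'")
	}))
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	missing, err := CheckURL(srv.URL)
	fmt.Println("missing:", missing, "error:", err)
}
```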
hi,
thx a lot to the clermont ferrand dream team for this tool, i just used it on one of our websites, and i am surprised with the response.
i get logs for files that are not present on the server:
| https://xxxxx.xxxxxxx.fr/ | /images/imgpaper.png | High | Possible Trickbot Trojan Payload hosting imgpaper.png | Make sure your system is'nt compromised |
| https:/xxxxxx-xxxxxxxxxx.fr/ | /images/cursor.png | High | Possible Trickbot Trojan Payload hosting cursor.png | Make sure your system is'nt compromised |
| https://xxxxxxxxxx.xxxxxxxxx/ | /images/redcar.png | High | Possible Trickbot Trojan Payload hosting redcar.png | Make sure your system is'nt compromised |
| https://xxxxxxxxx.xxxxxxxxx/ | /ico/VidT6cErs | High | Possible Trickbot Trojan Payload hosting VidT6cErs | Make sure your system is'nt compromised |
any idea what it means?
thx for your time
Tried this rule:
plugins:
  - checks:
      - name: Database file
        match:
          - "\x1F\x8B\x08"
        remediation: Delete this file
        description: Verifies a database dump is accessible.
        severity: "High"
    uri: /db.sqlite3.tar.gz
On my test server, it correctly hits the file:
[verbose] Testing URL: http://0.0.0.0:8000/db.sqlite3.tar.gz
And I see it as 200 in the logs:
127.0.0.1 - - [24/Oct/2020 16:54:38] "GET /db.sqlite3.tar.gz HTTP/1.1" 200 -
Returning the expected bytes:
$ curl 0:8000/db.sqlite3.tar.gz | hexdump -C | head -n 1
00000000 1f 8b 08 00 00 00 00 00 00 03 ec 9d 79 6c 1c d7 |............yl..|
But the match may fail, as ChopChop does not report it:
$ ./gochopchop scan --url http://0.0.0.0:8000
No vulnerabilities found.
So either I'm tired, or ChopChop doesn't want to match arbitrary byte sequences?
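To separate the YAML escape question from the matching question, here is an added Go example (not ChopChop's code; how ChopChop itself matches is not shown on this page): it decodes the rule's \x1F\x8B\x08 pattern into raw bytes, builds a constructed gzip body like the one curl returned, and shows that raw byte containment matches while matching after UTF-8 sanitisation does not.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"strconv"
	"strings"
)

// YAMLPattern is the match value as written in the rule above, kept as a Go
// raw string so the backslashes are still literal characters here.
const YAMLPattern = `\x1F\x8B\x08`

// DecodeEscapes turns the escaped pattern into raw bytes. YAML double-quoted
// \xHH escapes follow Go string-literal rules, so strconv.Unquote suffices
// for this illustration (assumption: this is not ChopChop's own parser).
func DecodeEscapes(escaped string) ([]byte, error) {
	s, err := strconv.Unquote(`"` + escaped + `"`)
	if err != nil {
		return nil, err
	}
	return []byte(s), nil
}

// GzipBody is a constructed stand-in for the db.sqlite3.tar.gz response:
// every gzip stream starts with the bytes 1f 8b 08.
func GzipBody(payload string) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(payload))
	zw.Close()
	return buf.Bytes()
}

// MatchBytes is the check that works: raw byte containment on the body.
func MatchBytes(body, pattern []byte) bool { return bytes.Contains(body, pattern) }

// MatchAsText is the pitfall: sanitising the body to valid UTF-8 before
// matching replaces the lone 0x8B byte, so the gzip header never matches.
func MatchAsText(body []byte, pattern string) bool {
	return strings.Contains(strings.ToValidUTF8(string(body), "\uFFFD"), pattern)
}

func main() {
	pat, _ := DecodeEscapes(YAMLPattern)
	body := GzipBody("SQLite format 3\x00")
	fmt.Println("bytes:", MatchBytes(body, pat), "text:", MatchAsText(body, string(pat)))
}
```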
Thanks for opening ChopChop!
Looked at chopchop.yml
and thought « I'll gladly add some... », but wanted to do it like so:
- uri: ["/db.sql", "/db.sql.gz", "/db.sqlite", "/db.sqlite.gz", "/db.sqlite3", "/db.sqlite3.gz", "/data.sql", "/data.sql.gz", "/users.sql", "/users.sql.gz", "/dump.sql", "/dump.sql.gz", "/mysqldump.sql", "/mysqldump.sql.gz", "/backup.sql", "/backup.sql.gz", "/db.backup", "/db.backup.gz", "/database.sql", "/database.sql.gz", "/db-data.sql", "/db-data.sql.gz", "/db_test.sql", "/db_test.sql.gz", "/db-test.sql", "/db-test.sql.gz"]
  checks:
    - name: Database file
      status_code: 200
      remediation: Delete this file
      description: Verifies a database dump is accessible.
      severity: "High"
(and I bet we could continue for hours adding to this list)
As you imagine, I don't want to copy/paste the name, status_code, remediation, description, and severity 26 times.
Doodling around the idea, it would be great to be able to express those as a « genex », or something similar, something like:
/(db|database|backup|mysqldump|dump|data).(sql|sqlite|sqlite3)(\.gz)?
Currently, there is no automated Docker build nor a published image on Docker Hub (hub.docker.com).
It could be great to set up an automated Docker build to build & push the last Docker image to the Docker Hub.
The usage with Docker would then be straightforward:
docker run michelin/chopchop scan --url https://foobar.com
This simple process is well explained here: https://docs.docker.com/docker-hub/builds/.
I can't set up this build myself as I am not an owner of this repository.
I downloaded the tar.gz release for Linux. When I run it I get the following error:
$ ./ChopChop_linux_amd64 plugins
Error: Path of signatures file is not valid
{"level":"warning","msg":"Path of signatures file is not valid","time":"2022-11-15T10:43:19+02:00"}
Where do I get the signatures file as it is not in the tar.gz?
Hi,
It would be great to be able to perform scanning by specifying signatures based on their rating {Informational, Low, Medium, High}.
For example if a user wants to scan URLs with only "High" signatures, it would be :
$ ./chopchop scan -u http://foobar.com --severity High
It'd be useful to be able to control the request method, up to and including being able to specify some POST data.
It'd also mean where you're only interested in headers, you could place a HEAD instead of a GET (particularly useful if the asset you're requesting against is sizeable).
Hi,
I think it would be great to work on a better documentation, by using MkDocs for example.
Other options should be checked too, such as the project's wiki, ...
Link: https://www.mkdocs.org/
Hi,
It would be interesting to have those new rules integrated in ChopChop, see : https://github.com/nnposter/nndefaccts/blob/master/http-default-accounts-fingerprints-nndefaccts.lua
Hi,
It would be great to handle colors within the ChopChop results table.
For example, something like :
It'd be useful to be able to specify a querystring as part of a check rather than having to include it in the URI.
I've been playing around with ChopChop by creating unit tests for some WAF rules, one set of which is QS arg type enforcement, so I end up with something like
uri: "/?id=FOO-chopchoptest"
checks:
uri: "/?catid=FOO-chopchoptest"
checks:
Which is fine, but it'd be awesome to be able to do something like
name: ID type enforcement
qs: "id=FOO-chopchoptest"
match:
name: catid type enforcement
qs: "catid=FOO-chopchoptest"
match:
So that if the path needs to be updated for some reason, it only needs doing in one place
Hi and gg for the good work.
I was playing with it after seeing your video on YouTube (OSSIR), and the following command :
docker run ghcr.io/michelin/gochopchop scan --url-file file.txt --json-file "resultats.json"
gives me the following error :
Error: filepath of url file is not valid filepath of url file is not valid
I tried with -f, --url-file, "./file.txt", ./file.txt, file.txt, "file.txt", [absolute_path] and "[absolute_path]" with the same result.
Any idea why ?
Regards,
Hi,
It would be great to be able to perform scanning by specifying signatures based on their names.
For example if a user wants to scan URLs with only signatures containing "git" keyword, it would be :
$ ./chopchop scan -u http://foobar.com --signature "git*"
If you do not specify the url and/or a url-file, the binary exits and displays "No vulnerabilities found." which is wrong.
See:
/tmp # ./gochopchop scan
No vulnerabilities found.
/tmp #
It would be better to fail saying that no url and/or url-file has been specified.
Hello! I want to know if it is possible to add an option to pass a socks5 or proxy address. I'm trying to make a forwarding but that's not working cause I can't find an option to pass the proxy address.
Best regards,
oppsec.