Source record: awesome.ecosyste.ms project entry for michelin/ChopChop (https://awesome.ecosyste.ms/projects/github.com%2Fmichelin%2FChopChop), synced 2025-04-21.
Repository: https://github.com/michelin/ChopChop (owner: michelin; default branch: master; language: Go; license: Apache License 2.0 per the README, recorded as "other" by the host; created 2020-06-16; last push 2023-10-09; 663 stars, 78 forks, 10 open issues, 4 tags).
Description: ChopChop is a CLI to help developers scan endpoints and identify exposure of sensitive services, files and folders.
Topics: devsecops, scanning, security. List categories: Go, Go (531), web shell / shellcode, security; sub-category: network services / other.

---

<p align="center"><img src="/docs/img/chopchop_logo.png" width="180" height="150"/></p>

[![Build Status](https://github.com/michelin/ChopChop/workflows/Build%20ChopChop/badge.svg)](https://github.com/michelin/ChopChop/actions)
[![License](https://img.shields.io/badge/license-Apache-green.svg)](https://opensource.org/licenses/Apache-2.0)
[![Go Report Card](https://goreportcard.com/badge/github.com/michelin/ChopChop)](https://goreportcard.com/report/github.com/michelin/ChopChop)

# ChopChop

**ChopChop** is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.

Its goal is to scan several endpoints and identify exposure of services, files and folders through the webroot.
Checks (signatures) are declared in a config file (by default `chopchop.yml`) that is fully configurable, so developers can add their own checks.

<p align="center"><img src="/docs/img/demo.gif?raw=true"/></p>

> "Chop chop" is a phrase rooted in Cantonese. "Chop chop" means "hurry" and suggests that something should be done now and **without delay**.

---

## Table of Contents

* [Building](#building)
* [Usage](#usage)
* [What's next](#whats-next)
* [Testing](#testing)
* [Available flags](#available-flags)
* [Advanced usage](#advanced-usage)
* [Creating a new check/signature](#creating-a-new-check)
* [External Libraries](#external-libraries)
* [Talks](#talks)
* [License](#license)
* [Authors](#authors)

## Building

We tried to make the build process painless; hopefully it is as easy as:

```bash
$ go mod download
$ go build .
```

There should be a resulting `gochopchop` binary in the folder.

### Using Docker

Thanks to [GitHub Container Registry](https://github.blog/2020-09-01-introducing-github-container-registry/), we are able to provide freshly built Docker images:

```
docker run ghcr.io/michelin/gochopchop scan https://foobar.com -v debug
```

If you prefer, you can also build the image locally:

#### Build locally

```bash
docker build -t gochopchop .
```

## Usage

We are continuously trying to make `goChopChop` as easy as possible. Scanning a host with this utility is as simple as:

```bash
$ ./gochopchop scan https://foobar.com
```

### Using Docker

```bash
docker run gochopchop scan https://foobar.com
```

#### Custom configuration file

Mount the directory holding your signature file into the container (an absolute host path such as `"$PWD"` works with every Docker version) and point `-c` at it:

```bash
docker run -v "$PWD":/app gochopchop scan -c /app/chopchop.yml https://foobar.com
```

## What's next

The Golang rewrite took place a couple of months ago, but there is still much to do. Here are some of the features planned for it (checked items are already done):

- [x] Threading for better performance
- [x] Ability to specify the number of concurrent threads
- [x] Colors and better formatting
- [x] Ability to filter checks/signatures to search for
- [x] Mock and unit tests
- [x] GitHub CI

And much more!

## Testing

To quickly end-to-end test ChopChop, we provide a web server in `tests/server.go`.
To try it, run `go run tests/server.go`, then run ChopChop with `./gochopchop scan http://localhost:8000 --verbosity Debug`.
ChopChop should print "no vulnerabilities found".

There are also unit tests that you can launch with `go test -v ./...`.
These tests are integrated in the GitHub CI workflow.

## Available flags

The flags available for the `scan` command:

| Flag | Full flag | Description |
|---|---|---|
| `-h` | `--help` | Help wizard |
| `-v` | `--verbosity` | Verbosity level of logging |
| `-c` | `--signature` | Path of a custom signature file |
| `-k` | `--insecure` | Disable TLS (SSL) certificate verification |
| `-u` | `--url-file` | Path to a file containing the URLs to test |
| `-b` | `--max-severity` | Block the CI pipeline if any finding's severity is equal to or above the specified level |
| `-e` | `--export` | Export type of the output (csv and/or json) |
| | `--export-filename` | Filename for the export file(s) |
| `-t` | `--timeout` | Timeout for the HTTP requests |
| | `--severity-filter` | Filter plugins by severity |
| | `--plugin-filter` | Filter plugins by name |
| | `--threads` | Number of concurrent threads |

## Advanced usage

Here is a list of advanced usages that you might be interested in.
Note: shell redirection (e.g. `>`) can be used for post-processing of the output.

- Scan with SSL verification disabled

```bash
$ ./gochopchop scan https://foobar.com --insecure
```

- Scan with a custom configuration file (including custom plugins)

```bash
$ ./gochopchop scan https://foobar.com --insecure --signature test_config.yml
```

- List all the plugins, or only those of a given severity: `plugins` or `plugins --severity High`

```bash
$ ./gochopchop plugins
$ ./gochopchop plugins --severity High
```

- Specify the number of concurrent threads: `--threads 4` for 4 workers

```bash
$ ./gochopchop scan https://foobar.com --threads 4
```

- Block the CI pipeline by severity level (equal to or above the specified severity): `--max-severity Medium`

```bash
$ ./gochopchop scan https://foobar.com --max-severity Medium
```

- Restrict the scan to specific signatures (here combined with a timeout, debug verbosity and exports)

```bash
$ ./gochopchop scan https://foobar.com --timeout 1 --verbosity debug --export=csv,json --export-filename boo --plugin-filter=Git,Zimbra,Jenkins
```

- Scan a list of URLs from a file

```bash
$ ./gochopchop scan --url-file url_file.txt
```

- Export GoChopChop results in CSV and JSON format

```bash
$ ./gochopchop scan https://foobar.com --export=csv,json --export-filename results
```

## Creating a new check

Writing a new check is as simple as:

```yaml
  - endpoint: "/.git/config"
    checks:
      - name: Git exposed
        match:
          - "[branch"
        remediation: Do not deploy .git folder on production servers
        description: Verifies that the GIT repository is accessible from the site
        severity: "High"
```

An endpoint (e.g. `/.git/config`) is mapped to multiple checks, which avoids sending X requests for X checks: multiple checks are evaluated against a single HTTP response.
Each check uses the following fields:

| Attribute | Type | Description | Optional? | Example |
|---|---|---|---|---|
| name | string | Name of the check | No | Git exposed |
| description | string | A short description of the check | No | Ensure .git repository is not accessible from the webroot |
| remediation | string | Remediation for this specific issue | No | Do not deploy .git folder on production servers |
| severity | Enum("High", "Medium", "Low", "Informational") | Criticality rating if the check triggers in your environment | No | High |
| status_code | integer | The HTTP status code that should be returned | Yes | 200 |
| headers | List of string | Headers that should be present in the HTTP response | Yes | N/A |
| no_headers | List of string | Headers that should NOT be present in the HTTP response | Yes | N/A |
| match | List of string | Strings that should be present in the HTTP response | Yes | "[branch" |
| no_match | List of string | Strings that should NOT be present in the HTTP response | Yes | N/A |
| query_string | string | GET parameters to pass to the endpoint | Yes | `query_string: "id=FOO-chopchoptest"` |

## External Libraries

| Library Name | Link | License |
|---|---|---|
| Viper | https://github.com/spf13/viper | MIT License |
| Go-pretty | https://github.com/jedib0t/go-pretty | MIT License |
| Cobra | https://github.com/spf13/cobra | Apache License 2.0 |
| strfmt | https://github.com/go-openapi/strfmt | Apache License 2.0 |
| Go-homedir | https://github.com/mitchellh/go-homedir | MIT License |
| pkg-errors | https://github.com/pkg/errors | BSD 2-Clause (Simplified) License |
| Go-runewidth | https://github.com/mattn/go-runewidth | MIT License |

Please refer to the `third-party.txt` file for further information.

## Talks

- PyCon FR 2019 (the tool was initially developed in Python) - https://docs.google.com/presentation/d/1uVXGUpt7tC7zQ1HWegoBbEg2LHamABIqfDfiD9MWsD8/edit
- DEF CON AppSec Village 2020, "Turning offsec mindset to developer's toolset" - https://drive.google.com/file/d/15P8eSarIohwCVW-tR3FN78KJPGbpAtR1/view

## License

ChopChop has been released under the Apache License 2.0.
Please refer to the `LICENSE` file for further information.

## Authors

- Paul A.
- David R. (for the Python version)
- Stanislas M. (for the Golang version)
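Returning to the check format under "Creating a new check" and the `--max-severity` gate under "Advanced usage": the README states the semantics of the fields (one request per endpoint shared by all of its checks; `status_code`, `headers`, `no_headers`, `match`, `no_match`, `query_string`) but never shows them executing. The following is an added example written for this page, not ChopChop's own code: a minimal evaluator that runs a constructed signature set (in the README's field model, including the `id=FOO-chopchoptest` query string from the table) against a constructed `httptest` target that leaks `/.git/config` and has a reflecting `/debug` endpoint, then applies the severity gate. The type names, the rule that a check declaring no condition never triggers, failing closed on an unknown threshold, and the exit codes are this example's assumptions, not documented ChopChop behaviour.

```go
// Added example (not ChopChop's own code): a minimal evaluator for the check
// format under "Creating a new check" and the --max-severity gate from "Advanced
// usage". Field semantics follow the README table; the type names, the rule that
// a check with no conditions never triggers, and failing closed on an unknown
// threshold are assumptions of this example. The target is a constructed
// httptest server, so everything runs offline.
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Check mirrors one entry of the checks: list in chopchop.yml. StatusCode 0 means
// "not checked"; QueryString is appended to the endpoint as GET parameters.
type Check struct {
	Name, Description, Remediation, Severity, QueryString string
	StatusCode                                            int
	Headers, NoHeaders, Match, NoMatch                    []string
}

// Endpoint groups the checks that are evaluated on one response.
type Endpoint struct {
	Path   string
	Checks []Check
}

type Finding struct{ URL, Name, Severity string }

// response is the fetched material that all checks on one URL share.
type response struct {
	body   string
	status int
	header http.Header
}

var severityRank = map[string]int{"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

// all reports whether pred(item) == want for every item.
func all(items []string, want bool, pred func(string) bool) bool {
	for _, it := range items {
		if pred(it) != want {
			return false
		}
	}
	return true
}

// evaluate applies one check to a fetched response: every declared condition
// must hold, and a check that declares no condition at all never triggers.
func evaluate(c Check, r *response) bool {
	declared := len(c.Headers) + len(c.NoHeaders) + len(c.Match) + len(c.NoMatch)
	if c.StatusCode != 0 {
		declared++
	}
	hasHeader := func(h string) bool { return r.header.Get(h) != "" }
	inBody := func(s string) bool { return strings.Contains(r.body, s) }
	return declared > 0 && (c.StatusCode == 0 || r.status == c.StatusCode) &&
		all(c.Headers, true, hasHeader) && all(c.NoHeaders, false, hasHeader) &&
		all(c.Match, true, inBody) && all(c.NoMatch, false, inBody)
}

// scan sends one GET per endpoint (and per distinct query_string) and runs every
// check that shares that request against the same response.
func scan(client *http.Client, base string, endpoints []Endpoint) ([]Finding, error) {
	var findings []Finding
	for _, ep := range endpoints {
		cache := map[string]*response{}
		for _, c := range ep.Checks {
			url := base + ep.Path
			if c.QueryString != "" {
				url += "?" + c.QueryString
			}
			r, ok := cache[url]
			if !ok {
				resp, err := client.Get(url)
				if err != nil {
					return nil, err
				}
				b, err := io.ReadAll(resp.Body)
				resp.Body.Close()
				if err != nil {
					return nil, err
				}
				r = &response{string(b), resp.StatusCode, resp.Header}
				cache[url] = r
			}
			if evaluate(c, r) {
				findings = append(findings, Finding{url, c.Name, c.Severity})
			}
		}
	}
	return findings, nil
}

// shouldBlock is the --max-severity rule: block when any finding is at or above
// the threshold. An unknown threshold fails closed instead of waving scans through.
func shouldBlock(findings []Finding, maxSeverity string) bool {
	threshold, ok := severityRank[maxSeverity]
	if !ok {
		return true
	}
	for _, f := range findings {
		if severityRank[f.Severity] >= threshold {
			return true
		}
	}
	return false
}

// newTargetServer is a constructed target: it leaks /.git/config and has a debug
// endpoint that reflects a query parameter.
func newTargetServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/.git/config", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "[core]\n\tbare = false\n[branch \"master\"]\n\tremote = origin\n")
	})
	mux.HandleFunc("/debug", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Debug", "1")
		fmt.Fprintf(w, "debug id=%s", r.URL.Query().Get("id"))
	})
	return httptest.NewServer(mux)
}

// sampleEndpoints is a constructed signature set in the README's field model.
func sampleEndpoints() []Endpoint {
	return []Endpoint{
		{Path: "/.git/config", Checks: []Check{
			{Name: "Git exposed", Severity: "High", StatusCode: 200, Match: []string{"[branch"},
				Remediation: "Do not deploy .git folder on production servers"},
		}},
		{Path: "/debug", Checks: []Check{
			{Name: "Debug endpoint reflects input", Severity: "Medium", StatusCode: 200,
				Headers: []string{"X-Debug"}, QueryString: "id=FOO-chopchoptest", Match: []string{"FOO-chopchoptest"}},
			{Name: "Debug endpoint without debug header", Severity: "Low", NoHeaders: []string{"X-Debug"}},
		}},
	}
}

func main() {
	srv := newTargetServer()
	findings, err := scan(srv.Client(), srv.URL, sampleEndpoints())
	srv.Close()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-6s %s (%s)\n", f.Severity, f.Name, f.URL)
	}
	if shouldBlock(findings, "Medium") { // the effect --max-severity Medium is described as having
		os.Exit(1)
	}
}
```

Run with `go run .`: it reports the High `Git exposed` finding and the Medium reflected-input finding, while the `no_headers` check on `/debug` correctly stays quiet because `X-Debug` is present, and the process exits 1 because a finding reaches the Medium threshold. Two design points worth carrying into any real signature set: the `/debug` checks illustrate that a check with a `query_string` cannot share a request with one without it, so grouping is really per URL, not per endpoint; and a gate that silently passes on a mistyped `--max-severity` value would be worse than no gate, which is why the threshold lookup fails closed here. The README only says `match` looks "in the HTTP response", so whether ChopChop itself searches headers as well as the body is not something this example can settle.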