Accept lists of URIs #2
Is this a good first issue?
Status Code 200 will give you 90% false positives for database backups.

```yaml
- uri: "/backup.sql"
  checks:
    - name: SQL Backup
      match:
        - '{"status"'
      headers:
        - "Content-Type:application/sql"
      remediation: Delete it.
      description: Backup file of your database. Sensitive information like admin login could be readable.
      severity: "High"
```
Hello @JulienPalard, never heard of "genex" before 👴, it's great! I agree with Julien, a list of URIs is needed in a lot of use cases. @PaulSec could I help to implement this feature inside ChopChop?

Definitely! Go for it and open a pull request. I will review it ASAP when I am back from holidays!

Same here! I'll work on multi-threading and a refactor of the code in the meantime.
The problem is known in the library we are using, see: go-yaml/yaml#100

Would you find it acceptable that the

```yaml
- uri: "/phpinfo.php"
  checks:
    - name: PHPInfo
      match:
        - 'phpinfo()'
      remediation: Disable phpinfo() in PHP.ini
      description: Checks that the phpinfo() function is accessible
      severity: "Low"
      tested: true
```

would become:

```yaml
- uri: ["/phpinfo.php"]
  checks:
    - name: PHPInfo
      match:
        - 'phpinfo()'
      remediation: Disable phpinfo() in PHP.ini
      description: Checks that the phpinfo() function is accessible
      severity: "Low"
      tested: true
```

In this case, we wouldn't have any issue unmarshalling the data and we could allow an array of
It would break already written yml, I don't know if there's any though. An alternative would be to allow both `- uri: "/phpinfo.php"` and `- uris: ["/phpinfo.php", "/phpinfo"]`. It raises the ambiguity of giving both; ambiguity is bad, but it's probably simple to resolve: hit both uri and uris, and warn. I bet if genex are implemented they'll have to be in a separate field too, to avoid misinterpreting paths with strange chars as genex.

Definitely, you're right. I will write a pull request and let you know when it's ready (I guess this weekend at least).
`uri` and `uris` can't be specified at the same time. One example configuration file is as follows:

```yaml
- uris: ["/db.sql", "/db.sql.gz", "/db.sqlite", "/db.sqlite.gz", "/db.sqlite3", "/db.sqlite3.gz",
         "/data.sql", "/data.sql.gz", "/users.sql", "/users.sql.gz", "/dump.sql", "/dump.sql.gz",
         "/mysqldump.sql", "/mysqldump.sql.gz", "/backup.sql", "/backup.sql.gz", "/db.backup", "/db.backup.gz",
         "/database.sql", "/database.sql.gz", "/db-data.sql", "/db-data.sql.gz", "/db_test.sql", "/db_test.sql.gz",
         "/db-test.sql", "/db-test.sql.gz"]
  checks:
    - name: Database file
      status_code: 200
      remediation: Delete this file
      description: Verifies a database dump is accessible.
      severity: "High"
```

And we tried it using:

```bash
./gochopchop scan -u http://127.0.0.1:3000 --timeout 1 --csv --csv-file boo.csv -c policy.yml
```

Closes #2

Feel free to check out the pull request, it should help you out 🚀
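The thread settles on a `uri` field next to a `uris` list, with a warning rather than an error when both are set, and the issue description asks for a genex-style shorthand so that a 26-entry list does not have to be typed out by hand. The Go program below is an added example, not ChopChop's code: it takes an already-parsed policy entry (the go-yaml limitation mentioned above is left aside and the values are constructed inline), resolves it into the concrete paths to request, and expands a brace pattern in a hypothetical `genex` field. The names `PolicyEntry`, `Resolve`, `Expand` and the `Genex` field are assumptions made here, and the brace syntax is borrowed from shell expansion, not from any ChopChop spec.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PolicyEntry holds the target part of one policy entry after YAML parsing:
// `uri` (one path) and `uris` (a list), as discussed in the thread. Genex is a
// hypothetical extra field for a brace pattern; the project does not define it.
type PolicyEntry struct {
	URI   string
	URIs  []string
	Genex string
}

var ErrNoTarget = errors.New("policy entry sets none of uri, uris, genex")

// Resolve turns an entry into the concrete paths to request. Following the
// suggestion in the thread, an entry that sets both uri and uris is not
// rejected: the union is scanned and a warning is returned for the user.
func Resolve(e PolicyEntry) (paths []string, warning string, err error) {
	if e.URI != "" {
		paths = append(paths, e.URI)
	}
	paths = append(paths, e.URIs...)
	if e.Genex != "" {
		paths = append(paths, Expand(e.Genex)...)
	}
	if len(paths) == 0 {
		return nil, "", ErrNoTarget
	}
	if e.URI != "" && len(e.URIs) > 0 {
		warning = "both uri and uris are set; scanning the union of both"
	}
	return dedupe(paths), warning, nil
}

// Expand does shell-style brace expansion so the 26-path list from the pull
// request can be written once as a pattern. Groups may nest, an empty
// alternative ("{,.gz}") is allowed, and a pattern without a balanced pair
// of braces is returned unchanged so odd literal paths stay scannable.
func Expand(pattern string) []string {
	open := strings.IndexByte(pattern, '{')
	if open < 0 {
		return []string{pattern}
	}
	end, depth := -1, 0
	for i := open; i < len(pattern) && end < 0; i++ {
		switch pattern[i] {
		case '{':
			depth++
		case '}':
			depth--
			if depth == 0 {
				end = i
			}
		}
	}
	if end < 0 {
		return []string{pattern} // unbalanced: treat as a literal path
	}
	prefix, body, suffix := pattern[:open], pattern[open+1:end], pattern[end+1:]
	var out []string
	for _, alt := range splitTopLevel(body) {
		out = append(out, Expand(prefix+alt+suffix)...)
	}
	return out
}

// splitTopLevel splits on commas that are not inside a nested brace group.
func splitTopLevel(s string) []string {
	var parts []string
	depth, start := 0, 0
	for i := 0; i < len(s); i++ {
		switch s[i] {
		case '{':
			depth++
		case '}':
			depth--
		case ',':
			if depth == 0 {
				parts = append(parts, s[start:i])
				start = i + 1
			}
		}
	}
	return append(parts, s[start:])
}

// dedupe removes repeated paths while keeping first-seen order.
func dedupe(in []string) []string {
	seen := make(map[string]bool, len(in))
	out := make([]string, 0, len(in))
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// sameSet reports whether two path lists hold the same elements, in any order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x, y := append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed entry exercising the ambiguous case (uri and uris both set)
	// plus the hypothetical genex shorthand.
	entry := PolicyEntry{
		URI:   "/backup.sql",
		URIs:  []string{"/backup.sql", "/dump.sql"},
		Genex: "/db{.sql,.sqlite}{,.gz}",
	}
	paths, warning, err := Resolve(entry)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if warning != "" {
		fmt.Println("warning:", warning)
	}
	for _, p := range paths {
		fmt.Println(p)
	}
}
```

With this, the whole `uris` list from the pull request collapses to one pattern, `/{db{.sql,.sqlite,.sqlite3,.backup,-data.sql,_test.sql,-test.sql},{data,users,dump,mysqldump,backup,database}.sql}{,.gz}`, while a plain path such as `/phpinfo.php` passes through `Expand` untouched, which is why keeping the pattern in its own field, as the thread suggests, avoids misreading literal paths that happen to contain braces.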
Thanks for opening ChopChop!

Looked at chopchop.yml and thought « I'll gladly add some... », but wanted to do it like so:

(and I bet we could continue for hours adding to this list)

As you imagine, I don't want to copy/paste the name, status_code, remediation, description, and severity 26 times.

Doodling around the idea, it would be great to be able to express those as a « genex », or something similar, something like: