EXOCET - AV-evading, Undetectable, Payload Delivery Tool

EXOCET is superior to Metasploit's "Evasive Payloads" modules as EXOCET uses AES-256 in GCM Mode (Galois/Counter Mode). Metasploit's Evasion Payloads uses a easy to detect RC4 encryption. While RC4 can decrypt faster, AES-256 is much more difficult to ascertain the intent of the malware.

However, it is possible to use Metasploit to build a Evasive Payload, and then chain that with EXOCET. So EXOCET will decrypt via AES-256, and then the Metasploit Evasive Payload then decrypts itself from RC4.

Much like my previous project, DarkLordObama, this toolkit is designed to be a delivery/launch vehicle, much like Veil-Evasion does.

Dark Lord Obama Project

However, EXOCET is not limited to a single codebase or platforms that are running Python. EXOCET works on ALL supported platforms and architectures that Go supports.

Exocet Overview

EXOCET, is effectively a crypter-type malware dropper that can recycle easily detectable payloads like WannaCry, encrypt them using AES-GCM (Galois/Counter Mode), which is more secure than AES-CBC, and then create a dropper file for a majority of architectures and platforms out there.

Basically...

1. It ingests dangerous malware that are now detectable by antivirus engines
2. It then encrypts them and produces it's own Go file
3. Then that Go file can be cross-compiled to 99% of known architectures
4. Upon execution, the encrypted payload is written to the disk and immediately executed on the command line
5. Alternatively, instead of a file-drop, it will execute the reconstitute shellcode in memory using amenzhinsky's go-memexec module github.com/amenzhinsky/go-memexec
6. A custom shellcode executor is in the works, it takes ordinary C shellcode and after num-transform, it will run it by creating a new process after allocating the correct virtual address space and granting it RWX permissions on Windows

That means 32-bit, and 64-bit architectures, and it works on Linux, Windows, Macs, Unix, Android, iPhone, etc. You take, anything, and I mean ANYTHING, like the 1988 Morris Worm that nearly brought down the internet (which exploited a flaw in the fingerd listener daemon on UNIX), and make it a viable cyberweapon again.

EXOCET is designed to be used with the DSX Program, or the "Cyber Metal Gear" as I envisioned it. Being able to launch and proliferate dangerous malware without a traceable launch trail.

EXOCET is written entirely in Go.

How to use

EXOCET, regardless of which binary you use to run it, requires Golang to work. By default, it generates a crypter .go file.

1. Windows users: Install Go Here
2. Linux users: run sudo apt-get update && sudo apt-get install -y golang
3. You must install the EXOCET source files in golang go get github.com/tanc7/EXOCET-AV-Evasion
4. Sub-requirements will also be downloaded and installed
5. For Windows and Mac x64 Users, pre-compiled binaries are in the /bin folder

To run it

go run EXOCET.go detectablemalware.exe outputmalware.go

A key is automatically generated for you. The key is 64-characters long and is entirely composed of bash and cmd.exe shell pipe redirectors to confuse and disrupt brute-forcing attempts against the key by causing unpredictable, destructive behavior on the forensic analyst's device.

For 64-bit Windows Targets...

env GOOS=windows GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.exe outputmalware.go

And out comes a outputmalware.exe file

For 64-bit MacOS Targets

env GOOS=darwin GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.macho outputmalware.go

For 64-bit Linux Targets

env GOOS=linux GOARCH=amd64 go build -ldflags "-s -w" -o outputMalware.elf outputmalware.go

See this reference on github for your parameters for other operating systems like Android Reference for Go Cross Compilation

Note that the key can still be found with the strings command, please use the upx-ucl command to pack binary to conceal the key.

Furthermore, there are prebuilt binaries that I have made, meaning you just have to run ./EXOCET or EXOCET-Windows.exe

Legal Information

I, Chang Tan, and the creators of the main module and submodules of Exocet and the packages it incorporates are NOT responsible for the misuse of this tool. This is merely a penetration testing tool. You are strictly prohibited from deploying Exocet output binaries against unauthorized protected systems or unauthorized protected government systems.

I am aware that threat actors of APT41 and the NSO Group have used and/or adopted code from this tool, particularly the go-memexec method. If I were to be approached by Federal Investigators regarding the misuse of this tool, I am not claiming responsibility.

This is the same stuff that happened to the developers of Mimikatz and PowerShell Empire (who deprecated their own development upon realization of its use among threat actors). The successors have picked up development of Empire, and there are free alternatives such as Covenant C2.

EXOCET live demo
<iframe width="560" height="315" src="https://github.com/tanc7/EXOCET-AV-Evasion/blob/master/media/exocetdemo.mp4" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Reason for the name

On May 4th, 1982, during the Falklands War, a squadron of Argentinan Super Eterdards launched a French made Exocet missile at the HMS Sheffield. Despite the Royal Navy's attempts to stop the missile, one struck, sinking the Sheffield. That incident literally put Argentina on the map as a show of force against a global colonial power.

News Article of the sinking of the HMS Sheffield

Very much like how Onel de Guzman's actions with the ILOVEYOU virus put the Philippines on the map as a cyber threat.

ILOVEYOU Virus on Wikipedia

Incoming update, notes and ambitions

 

So this month, and the next month is going to be a busy month for me, and there will be delays in implementing these methods. But I am excited to get started on implementing new AV evasion techniques such as...

1. Inline hooking
2. Obfuscation by emulating BlackRota and the gobfuscate module
3. Process hollowing
4. Reflective DLL injection
5. Remote process injection
6. ThreadLocalStorage Callbacks
7. Registration of Top-Level Exception Handlers
8. Custom UPX packing

I am a very busy man, I have the following priorities and I would like to request some help, some pull requests to aid in the project. Since I have the following things to do

1. A court appearance in late October
2. National Cyber League
3. Accounting and Finance Classes, Computer Science was NEVER my college major and in the following weeks I will have exams back-to-back
4. Federal Supervised Release Conditions and the FBI trying to implicate me in new unproven crimes. I have dash camera videos I uploaded to the cloud to prove it that I am sending to my lawyers. I have documented multiple attacks against me, vandalism of my car, my house, filed police reports and counter reports and will be building my case to file a Federal lawsuit. One of the perpetrators, who ripped out my front bumper of my car, has been arrested.
5. A private project involving interaction with the CoinGeckoAPI
6. Running the cryptoscopeinitiative.org, a to-be-filed 501c3 Non-Profit Organization
7. Teaching three online classes on Exploit Development

Upcoming update! Direct encrypted shellcode execution! (Implemented in test versions, not released yet)

I need a bit of help, because I successfully implemented CGO to execute encrypted shellcode but it is throwing memory access violations exit status 0xc0000005. It shouldn't be anything related to DEP (Data Execution Prevention) because the file CGOTest/working-template-shellcode-executor.go did run.

Problem Discovered

As it turns out, VirtualAlloc must be called from kernel32.dll and ntdll.dll to properly make the memory page where the shellcode lands, readable, writable, and executable, in other word, set the PAGE_EXECUTE_READWRITE to ON. Read the Note on Memory Access Violation Problem below.

Once I figure this out, CGO was a pain in the ass to implement, we can now create crypters that execute INLINE-ASSEMBLY. Which was considered a impossibility until now.

Note this requires Golang and the MinGW toolchain to be installed on Windows with you running and generating the shellcode on Windows. The reason why, is because CGO cannot be cross-compiled like our other EXOCET modules. To install the toolchain you need to go to https://www.msys2.org/ and follow the guide. Then you must add gcc to your environment variables in Windows

Step 1: Generate shellcode, this could be from msfvenom Meterpreter payloads, Cobalt Strike Beacons, or your own custom shellcode in C compatible format

Step 2: Copy only the bytes of the shellcode, excluding the quotes into a text file like sc.txt

Step 3: Your shellcode file should look like this. Raw shellcode

Step 4: Now run the command go run exocet-shellcode-exec.go sc.txt shellcodetest.go KEY

Step 5: You can attempt to run it but you'll run into memory access violation errors for some reason, which I am still working on

Note on Memory Access Violation Problem

Apparently, aside from the major limitations of CGO that prohibit or dramatically frustrates cross-compilation, the issue is that the shellcode we want to execute is landing in a section of memory (analyzed in WinDBG x64) that is not RWX. In other words, unless we write C code that explicitly allows execution in memory of the shellcode, it will always throw access violation errors.

The other method, that I observed other developers of rudimentary Go modules https://gist.github.com/mgeeky/bb0fd5652b234fbd1c7630d7e5c8542d, is that they use Go's Windows API to interact with ntdll.dll and kernel32.dll to call VirtualAlloc and specify areas of RWX memory pages. This method works better, but it seems that the shellcode must be in num-transformed format only for it to work.

I am still working on this you guys. I may combine multiple programming languages together to write a proper shellcode execution module

Note on Apple M1 Chips for precompiled binaries

Unfortunately I am running into errors for making a pre-compiled binary for MacBooks running the new M1 CPUs. It may be a issue with my Golang installation

┌──(root💀kali)-[/opt/EXOCET-AV-Evasion]
└─# GOOS=darwin GOARCH=arm64 go build exocet.go 
# command-line-arguments
/usr/lib/go-1.15/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/tmp/go-link-477718799/go.o: file not recognized: file format not recognized
collect2: error: ld returned 1 exit status

Either way, you still require Golang to compile or cross-compile the malware to the platform you are targeting.

Download EXOCET-AV-Evasion

Read More

How SSPM Simplifies Your SOC2 SaaS Security Posture Audit

 

An accountant and a security expert walk into a bar… SOC2 is no joke.

Whether you're a publicly held or private company, you are probably considering going through a Service Organization Controls (SOC) audit. For publicly held companies, these reports are required by the Securities and Exchange Commission (SEC) and executed by a Certified Public Accountant (CPA). However, customers often ask for SOC2 reports as part of their vendor due diligence process.

Out of the three types of SOC reports, SOC2 is the standard to successfully pass regulatory requirements and signals high security and resilience within the organization — and is based on the American Institute of Certified Public Accountants (AICPA) attestation requirements. The purpose of this report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy — over a period of time (roughly six to twelve months).

As part of a SOC2 audit, it is necessary to conduct security checks across the company's SaaS stack that will look for misconfigured settings such as detection and monitoring to ensure continued effectiveness of information security controls and prevent unauthorized/ inappropriate access to physical and digital assets and locations.

If you're beginning or on a SOC2 audit journey, then an SSPM (SaaS Security Posture Management) solution can streamline the process and shorten the time it takes to pass a SOC2 audit successfully, fully covering your SaaS Security posture.

Learn how to streamline your organization's SOC2 compliance

What are the AICPA Trust Services Criteria (TSC)?

When external auditors engage in a SOC 2 audit, they need to compare what you're doing to a long list of established requirements from AICPA TSC. The "Common Controls" fall into five groups:

• Security - Includes sub controls of the Logical and Physical Access (CC6)
• Availability - Includes sub controls of the System Operations (CC7)
• Processing integrity: Includes sub controls of the System Operations (CC7)
• Confidentiality: Includes sub controls of the Logical and Physical Access (CC6)
• Privacy - Includes sub controls of the Monitoring Activities (CC4)

Within each common control are a set of sub controls that turn the overarching standard into actionable tasks.

Passing a SOC 2 audit takes a lot of time, effort, and documentation. During a SOC2 audit, you not only need to show that your controls work during the audit period, but you also need to show that you have the ability to continuously monitor your security.

Going through the entire TSC framework is too long for a blog post. However, a quick look into a couple of controls of Logical and Physical Access (CC6) and System Operations (CC7) gives you an idea of what some of the controls look like and how you can utilize an SSPM to ease the SOC2 audit.

Get a 15-minute demo of how an SSPM can help your SOC 2 TSC audit

Logical and Physical Access Controls

This section sets out the types of controls needed to prevent unauthorized or inappropriate access to physical and digital assets and locations. Managing user access permissions, authentication, and authorization across the SaaS estate poses many challenges. In fact, as you look to secure your cloud apps, the distributed nature of users and managing the different access policies becomes increasingly challenging.

Under CC6.1 control, entities need to:

• Identify, classify, and manage information assets
• Restrict & manage user access
• Consider network segmentation
• Register, authorize, and document new infrastructure
• Supplement security by encrypting data-at-rest
• Protect encryption keys

Example

The department that utilizes a SaaS app is often the one that purchases and implements it. Marketing might implement a SaaS solution for monitoring leads while sales implements the CRM. Meanwhile, each application has its own set of access capabilities and configurations. However, these SaaS owners may not be trained in security or able to continuously monitor the app's security settings so the security team loses visibility. At the same time, the security team may not know the inner workings of the SaaS like the owner so they may not understand more complex cases which could lead to a security breach.

An SSPM solution, maps out all the user permissions, encryption, certificates and all security configurations available for each SaaS app. In addition to the visibility, the SSPM solution helps correct any misconfiguration in these areas, taking into consideration each SaaS app's unique features and usability.

In CC.6.2 control, entities need to:

• Create asset access credentiations based on authorization from the system's asset owner or authorized custodian
• Establish processes for removing credential access when the user no longer requires access
• Periodically review access for unnecessary and inappropriate individuals with credentials

Example

Permission drifts occur when a user has certain permissions as part of a group membership, but then gets assigned a specific permission that is more privileged than what the group has. Over time many users get extra permissions. This undermines the idea of provisioning using groups.

Classic deprovisioning issues, an SSPM solution can spot inactive users and help organizations to quickly remediate, or at the very least, alert the security team to the issue.

Under CC.6.3 control, entities need to:

• Establish processes for creating, modifying or removing access to protected information and assets
• Use role-based access controls (RBAC)
• Periodically review access roles and access rules

Example

You might be managing 50,000 users across five SaaS applications, meaning the security team needs to manage a total of 250,000 identities. Meanwhile, each SaaS has a different way to define identities, view them, and secure identities. Adding to the risk, SaaS applications don't always integrate with each other which means users can find themselves with different privileges across different systems. This then leads to unnecessary privileges that can create a potential security risk.

An SSPM solution allows visibility into user privileges and sensitive permission across all connected SaaS apps, highlighting the deviation from permission groups and profiles.

System Operations

This section focuses on detection and monitoring to ensure continued effectiveness of information security controls across systems and networks, including SaaS apps. The diversity of SaaS apps and potential for misconfigurations makes meeting these requirements challenging.

In CC7.1 control, entities need to:

• Define configuration standards
• Monitor infrastructure and software for noncompliance with standards
• Establish change-detection mechanisms to aler personnel to unauthorized modification for critical system, configuration, or content files
• Establish procedures for detecting the introduction of known or unknown components
• Conduct periodic vulnerability scans to detect potential vulnerabilities or misconfigurations

It is unrealistic to expect from the security team to define a "configuration standard" that complies with SOC2 without comparing against a built-in knowledge base of all relevant SaaS misconfigurations and to continuously comply with SOC2 without using an SSPM solution.

Get a 15-minute demo to see how an SSPM solution automates your SaaS security posture for SOC2 and other standards.

Read More

New Variant of UpdateAgent Malware Infects Mac Computers with Adware

 Microsoft on Wednesday shed light on a previously undocumented Mac trojan that it said has undergone several iterations since its first appearance in September 2020, effectively granting it an "increasing progression of sophisticated capabilities."

The company's Microsoft 365 Defender Threat Intelligence Team dubbed the new malware family "UpdateAgent," charting its evolution from a barebones information stealer to a second-stage payload distributor as part of multiple attack waves observed in 2021.

"The latest campaign saw the malware installing the evasive and persistent Adload adware, but UpdateAgent's ability to gain access to a device can theoretically be further leveraged to fetch other, potentially more dangerous payloads," the researchers said.

The actively in-development malware is said to be propagated via drive-by downloads or advertisement pop-ups that masquerade as legitimate software like video applications and support agents, even as the authors have made steady improvements that have transformed UpdateAgent into a progressively persistent piece of malware.

Chief among the advancements include the capability to abuse existing user permissions to surreptitiously perform malicious activities and circumvent macOS Gatekeeper controls, a security feature that ensures only trusted applications from identified developers can be installed on a system.

In addition, UpdateAgent has been found to take advantage of public cloud infrastructure, namely Amazon S3 and CloudFront services, to host its second-stage payloads, including adware, in the form of .DMG or .ZIP files.

Once installed, the Adload malware makes use of ad injection software and man-in-the-middle (MitM) techniques to intercept and reroute users' internet traffic through the attacker's servers to insert rogue ads into web pages and search engine results to increase the chances of multiple infections on the devices.

"UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns," the researchers cautioned.

Read More

New Wave of Cyber Attacks Target Palestine with Political Bait and Malware

 

Cybersecurity researchers have turned the spotlight on a new wave of offensive cyberattacks targeting Palestinian activists and entities starting around October 2021 using politically-themed phishing emails and decoy documents.

The intrusions are part of what Cisco Talos calls a longstanding espionage and information theft campaign undertaken by the Arid Viper hacking group using a Delphi-based implant called Micropsia dating all the way back to June 2017.

The threat actor's activities, also tracked under the monikers Desert Falcon and the APT-C-23, were first documented in February 2015 by Kasperksy and subsequently in 2017, when Qihoo 360 disclosed details of cross-platform backdoors developed by the group to strike Palestinian institutions.

The Russian cybersecurity company-branded Arid Viper the "first exclusively Arabic APT group."

Then in April 2021, Meta (formerly Facebook), which pointed out the group's affiliations to the cyber arm of Hamas, said it took steps to boot the adversary off its platform for distributing mobile malware against individuals associated with pro-Fatah groups, the Palestinian government organizations, military and security personnel, and student groups within Palestine.

                                    Decoy document containing text on Palestinian reunification

The raft of new activity relies on the same tactics and document lures used by the group in 2017 and 2019, suggesting a "certain level of success" despite a lack of change in their tooling. More recent decoy files reference themes of Palestinian reunification and sustainable development in the territory that, when opened, lead to the installation of Micropsia on compromised machines.

The backdoor is designed to give the operators an unusual range of control over the infected devices, including the ability to harvest sensitive information and execute commands transmitted from a remote server, such as capturing screenshots, recording the current activity log, and downloading additional payloads.

"Arid Viper is a prime example of groups that aren't very advanced technologically, however, with specific motivations, are becoming more dangerous as they evolve over time and test their tools and procedures on their targets," researchers Asheer Malhotra and Vitor Ventura said.

"These [remote access trojans] can be used to establish long-term access into victim environments and additionally deploy more malware purposed for espionage and stealing information and credentials."

Read More

eWPT - Web Application Penetration

 The eWPT - Web Application Penetration Testing Professional course from the popular eLearnSecurity Institute and INE is an advanced web penetration testing course. Prerequisites for this course Completion of the eJPT courseIs. The eWPT course is one of the most popular courses in the field of web penetration testing or web hacking. This course is usually compared to the AWAE course from Offensive-Security and the SEC542 course from SANS. This course starts from a complete beginner in the field of web penetration testing and its topics continue to an advanced level. In this course you will gain an in-depth understanding of OWASP, Burpsuite software, complete web application analysis, data collection, common bugs such as XSS and SQL Injection, Session-based vulnerabilities, as well as LFI / RFI, attacks On HTML, content management systems (CMS) penetration testing such as WordPress, penetration testing of SQL and non-SQL databases. 

Course pre requisites

Completion of the eJPT course

Course specifications

Course level: Intermediate

Time: 16 hours and 18 minutes

Includes: ‌ 30 videos | 18 labs | ‌ 15 slides

Professor: Dimitrios Bougioukas

EWPT Course Content - Web Application Penetration Testing Professional

Web Application Penetration Testing

Penetration Testing Process

Introduction

Information Gathering

Cross Site Scripting

SQL Injections

Authentication and Authorization

Session Security

Flash

HTML5

File and Resources Attacks

Other Attacks

Web Services

XPath

Penetration Testing Content Management Systems

Penetration Testing NoSQL Databases

Link OFF Return Coming SOON

Read More

ChopChop - ChopChop Is A CLI To Help Developers Scanning Endpoints And Identifying Exposition Of Sensitive Services/Files/Folders

ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.

Its goal is to scan several endpoints and identify exposition of services/files/folders through the webroot. Checks/Signatures are declared in a config file (by default: chopchop.yml), fully configurable, and especially by developers.

"Chop chop" is a phrase rooted in Cantonese. "Chop chop" means "hurry" and suggests that something should be done now and without delay.

Building

We tried to make the build process painless and hopefully, it should be as easy as:

$ go mod download
$ go build .

There should be a resulting gochopchop binary in the folder.

Using Docker

Thanks to Github Container Registry, we are able to provide you some freshly-build Docker images!

docker run ghcr.io/michelin/gochopchop scan https://foobar.com -v debug

But if you prefer, you can also build it locally, see below:

Build locally

docker build -t gochopchop .

Usage

We are continuously trying to make goChopChop as easy as possible. Scanning a host with this utility is as simple as :

$ ./gochopchop scan https://foobar.com

Using Docker

docker run gochopchop scan https://foobar.com

Custom configuration file

docker run -v ./:/app chopchop scan -c /app/chopchop.yml https://foobar.com

What's next

The Golang rewrite took place a couple of months ago but there's so much to do, still. Here are some features we are planning to integrate : [x] Threading for better performance [x] Ability to specify the number of concurrent threads [x] Colors and better formatting [x] Ability to filter checks/signatures to search for [x] Mock and unit tests [x] Github CI And much more!

Testing

To quickly end-to-end test chopchop, we provided a web-server in tests/server.go. To try it, please run go run tests/server.go then run chopchop with the following command ./gochopchop scan http://localhost:8000 --verbosity Debug. ChopChop should print "no vulnerabilities found".

There are also unit test that you can launch with go test -v ./.... These tests are integrated in the github CI workflow.

Available flags

You can find the available flags available for the scan command :

Flag	Full flag	Description
-h	--help	Help wizard
-v	--verbosity	Verbose level of logging
-c	--signature	Path of custom signature file
-k	--insecure	Disable SSL Verification
-u	--url-file	Path to a specified file containing urls to test
-b	--max-severity	Block the CI pipeline if severity is over or equal specified flag
-e	--export	Export type of the output (csv and/or json)
	--export-filename	Specify the filename for the export file(s)
-t	--timeout	Timeout for the HTTP requests
	--severity-filter	Filter Plugins by severity
	--plugin-filter	Filter Plugins by name of plugin
	--threads	Number of concurrent threads

Advanced usage

Here is a list of advanced usage that you might be interested in. Note: Redirectors like > for post processing can be used.

• Ability to scan and disable SSL verification

$ ./gochopchop scan https://foobar.com --insecure

• Ability to scan with a custom configuration file (including custom plugins)

$ ./gochopchop scan https://foobar.com --insecure --signature test_config.yml

• Ability to list all the plugins or by severity : plugins or plugins --severity High

$ ./gochopchop plugins --severity High

• Ability to specify number of concurrent threads : --threads 4 for 4 workers

$ ./gochopchop plugins --threads 4

• Ability to block the CI pipeline by severity level (equal or over specified severity) : --max-severity Medium

$ ./gochopchop scan https://foobar.com --max-severity Medium

• Ability to specify specific signatures to be checked

./gochopchop scan https://foobar.com --timeout 1 --verbosity --export=csv,json --export-filename boo --plugin-filters=Git,Zimbra,Jenkins

• Ability to list all the plugins

$ ./gochopchop plugins

• List High severity plugins

$ ./gochopchop plugins --severity High

• Set a list or URLs located in a file

$ ./gochopchop scan --url-file url_file.txt

• Export GoChopChop results in CSV and JSON format

$ ./gochopchop scan https://foobar.com  --export=csv,json --export-filename results

Creating a new check

Writing a new check is as simple as :

  - endpoint: "/.git/config"
    checks:
      - name: Git exposed
        match:
          - "[branch"
        remediation: Do not deploy .git folder on production servers
        description: Verifies that the GIT repository is accessible from the site
        severity: "High"

An endpoint (eg. /.git/config) is mapped to multiple checks which avoids sending X requests for X checks. Multiple checks can be done through a single HTTP request. Each check needs those fields:

Attribute	Type	Description	Optional ?	Example
name	string	Name of the check	No	Git exposed
description	string	A small description for the check	No	Ensure .git repository is not accessible from the webroot
remediation	string	Give a remediation for this specific "issue"	No	Do not deploy .git folder on production servers
severity	Enum("High", "Medium", "Low", "Informational")	Rate the criticity if it triggers in your environment	No	High
status_code	integer	The HTTP status code that should be returned	Yes	200
headers	List of string	List of headers there should be in the HTTP response	Yes	N/A
no_headers	List of string	List of headers there should NOT be in the HTTP response	Yes	N/A
match	List of string	List the strings there should be in the HTTP response	Yes	"[branch"
no_match	List of string	List the strings there should NOT be in the HTTP response	Yes	N/A
query_string	GET parameters that have to be passed to the endpoint	String	Yes	query_string: "id=FOO-chopchoptest"

External Libraries

Library Name	Link	License
Viper	https://github.com/spf13/viper	MIT License
Go-pretty	https://github.com/jedib0t/go-pretty	MIT License
Cobra	https://github.com/spf13/cobra	Apache License 2.0
strfmt	https://github.com/go-openapi/strfmt	Apache License 2.0
Go-homedir	https://github.com/mitchellh/go-homedir	MIT License
pkg-errors	https://github.com/pkg/errors	BSD 2 (Simplified License)
Go-runewidth	https://github.com/mattn/go-runewidth	MIT License

Please, refer to the third-party.txt file for further information.

Talks

• PyCon FR 2019 (The tool was initially developed in Python) - https://docs.google.com/presentation/d/1uVXGUpt7tC7zQ1HWegoBbEg2LHamABIqfDfiD9MWsD8/edit
• DEFCON AppSec Village 2020 "Turning offsec mindset to developer's toolset" - https://drive.google.com/file/d/15P8eSarIohwCVW-tR3FN78KJPGbpAtR1/view

License

ChopChop has been released under Apache License 2.0. Please, refer to the LICENSE file for further information.

Authors

• Paul A.
• David R. (For the Python version)
• Stanislas M. (For the Golang version)

Download ChopChop

Read More