michelin / ChopChop

ChopChop is a CLI that helps developers scan endpoints and identify exposed sensitive services/files/folders.

Ability to disable following HTTP redirects for each plugin #22

Closed isontheline closed 4 years ago

isontheline commented 4 years ago

Hello Clermont-Ferrand 👍

In some cases (a lot?) we need to disable following HTTP redirects on some plugins.

Which case, for example? If you need to check that there is no "/dashboard" URL, or to check that this URL is secure, you do:

- uri: "/dashboard"
  checks:
  - name: "Too bad this entry point!"
    remediation: "Secure it or delete it"
    description: "Check a dashboard entry point"
    severity: "High"
    status_code: 200

But if you have a secure application, "/dashboard" will redirect to a "/login" URL (for example). That's great, but ChopChop will still get an HTTP status code of 200 because "/login" exists! So the check is "biased" 😢

So I have made a PR to add the ability to disable following HTTP redirects for each plugin:

- uri: "/dashboard"
  checks:
  - name: "Too bad this entry point!"
    remediation: "Secure it or delete it"
    description: "Check a dashboard entry point"
    severity: "High"
    status_code: 200
  follow_redirects: false

🌞 Have a nice day!
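The bias described above, reproduced as an added example (not ChopChop's own code): a constructed test server where /dashboard redirects to /login, probed once with redirects followed and once without. The names Probe and NewDemoServer are this example's own; the follow flag stands in for the proposed follow_redirects field.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient follows redirects (Go's default) or stops at the first response.
func newClient(follow bool) *http.Client {
	c := &http.Client{}
	if !follow {
		c.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	}
	return c
}

// Probe requests base+uri and returns the final status; follow mirrors follow_redirects.
func Probe(base, uri string, follow bool) (int, error) {
	resp, err := newClient(follow).Get(base + uri)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// NewDemoServer is a constructed target for the issue's scenario: /dashboard
// redirects to /login, and /login answers 200.
func NewDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "login page")
	})
	mux.HandleFunc("/dashboard", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	for _, follow := range []bool{true, false} {
		code, _ := Probe(srv.URL, "/dashboard", follow)
		fmt.Printf("follow_redirects=%v -> status %d, check for 200 fires: %v\n", follow, code, code == 200)
	}
}
```

With redirects followed the check sees the 200 of /login and fires on a protected dashboard; with them disabled it sees the 302 and stays quiet.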

PaulSec commented 4 years ago

Thanks a lot for your contribution, that rocks! 🍺