ChopChop

ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT.

Its goal is to scan several endpoints and identify the exposition of services/files/folders through the webroot. Checks/Signatures are declared in a config file (by default: chopchop.yml), fully configurable, and especially by developers.

Install

git clone https://github.com/michelin/ChopChop
cd ChopChop
go mod install
go build .

Use

$ ./gochopchop scan --url https://foobar.com

You can find the available flags here :

Advanced usage

Here is a list of advanced usage that you might be interested in. Note: Redirectors like > for post-processing can be used.

• Ability to scan and disable SSL verification

• Ability to scan with a custom configuration file (including custom plugins)

• Ability to list all the plugins or by severity: plugins or plugins –severity High

• Ability to block the CI pipeline by severity level (equal or over specified severity) : –block Medium

• Ability to list all the plugins

• List High severity plugins

• Set a list or URLs located in a file

• Export GoChopChop results in CSV and JSON format

Tutorial

Copyright [2020] [Manufacture Française des Pneumatiques Michelin]