cherrybomb v1.0 releases: map your API flows and find risky ones
cherrybomb
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.
How does it work?
It takes in an OAS file and runs a series of checks on it to make sure everything conforms to the OpenAPI Specification (OAS). It then outputs a detailed table of any alerts found, pointing you to the exact problem and its location so you can fix it quickly.
It can also take in your logs and check them for business logic flaws.
Usage
After installing the CLI, verify it’s working by running
cherrybomb --version
Swagger scan
cherrybomb swagger --file <PATH> --output <PATH> --verbosity <0/1/2>
More features
First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running
cherrybomb map --file <LOGS_FILE_PATH> --output <OUTPUT_FILE_NAME>
If you don’t have an HTTP log file but you do have Burp Suite logs, you are in luck: there is a converter script in the scripts folder. If you need conversion scripts for any other formats, message us on the Discord server.
For further insights, you can view your map visually in our web-based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.
Then, you can run passive or active scans of your logs/APIs for anomalies:
Passive (1 step):
To passively check your logs for anomalies, run only the decider:
cherrybomb decide --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>
Active (2 steps):
After mapping, prepare the attacker by running the command below. This prints the populations (API groups) so you can choose which one to run the attacker on.
cherrybomb prepare --url <URL_TO_ATTACK> --map <MAPPED_FILE_PATH>
Now you can use the attacker to actively attack the API by running
cherrybomb attack --map <MAPPED_FILE_PATH> --output <OUTPUT_FILE_NAME> --population <POPULATION_NUMBER> --generations <MAX_GENERATIONS_NUMBER> --verbosity <VERBOSITY_LEVEL>
Use the same map file you used in the prepare step, and the population number you got from the prepare step.
In the future, if you want to load new logs into an existing map file, run
cherrybomb load --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>
Changelog v1.0
- added rust-toolchain.toml file. fixing #65 by @RazMag in #66
- Readme update for crates.io install by @RazMag in #67
- Dev by @RazMag in #68
- Fix auth by @GuyL99 in #75
- Dev by @DeliciousBounty in #76
- Fixing req and payload by @DeliciousBounty in #81
- fix spelling error in swagger/src/lib.rs by @aliencdh in #99
- Version 0.7.2 by @RazMag in #92
- Create payload new version by @DeliciousBounty in #95
- Add files via upload by @DeliciousBounty in #102
- Final branch dev by @DeliciousBounty in #101
- Fix examples folder broken link by @OmerWow in #105
- Add files via upload by @DeliciousBounty in #106
- Add files via upload by @DeliciousBounty in #107
- Reformat by @RazMag in #108
- Bump tokio from 1.22.0 to 1.23.1 by @dependabot in #110
- Bump tokio from 1.24.1 to 1.25.0 in /cherrybomb-engine by @dependabot in #112
Install
Copyright (C) 2022 BLST Security Ltd