cherrybomb v0.7 releases: map your API flows and to find risky ones
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.
How does it work?
It takes in an OAS file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found, guiding you to the exact problem and location to help you solve it quickly.
It can also take in your logs and check them for business logic flaws.
After installing the CLI, verify it’s working by running
cherrybomb swagger –file <PATH> –output <PATH> –verbosity <0/1/2>
First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running
cherrybomb map –file <LOGS_FILE_PATH> –output <OUTPUT_FILE_NAME>
If you don’t have an HTTP log file, but you have Burp suite logs, you are in luck, go to the scripts folder, there is a convertor script over there. If there are any other formats you need conversion scripts to, message us on the discord server.
For further insights, you can view your map visually in our web-based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.
Then, you can run passive or active scans of your logs/APIs for anomalies:
Passive (1 step):
Run the decider only to passively check for anomalies in your logs, run
cherrybomb decide –file <LOGS_FILE_PATH> –map <MAPPED_FILE_PATH>
Active (2 steps): After mapping, prepare the attacker by running the command below.
This will print the populations (API groups) so you can choose which one you want to run the attacker on.
cherrybomb prepare –url <URL_TO_ATTACK> –map <MAPPED_FILE_PATH>
Now you can use the attacker to actively attack the API by running
cherrybomb attack –map <MAPPED_FILE_PATH> (the same one you used in the prepare step) –output <OUTPUT_FILE_NAME> –population <POPULATION_NUMBER> (the one you got from the prepare step) –generations <MAX_GENERATIONS_NUMBER> –verbosity <VERBOSITY_LEVEL>
In the future, if you want to load new logs to an existing map file, run
cherrybomb load –file <LOGS_FILE_PATH> –map <MAPPED_FILE_PATH>
The Active Module
The active module takes our API testing to a new level. By providing not only static testing and auditing of your OAS file (with the passive module), but a test that tests the API itself by sending requests and analyzing the responses.
The Active module tests APIs by:
- Verifying that the API follows the specifications dictated in the OAS file
- Testing the API for common security vulnerabilities
CI/CD integration support
We’ve implemented Improvements to the CLI interface to better support CI pipelines.
Cherrybomb now supports emitting exit codes on completion to reflect different results:
- 0 for a no warnings
- 101 for warnings present
- -1 for an error in the test
More granular exit code support will be added in the future.
Other changes include:
- New table format, now using comfy_table
- Update tokio requirement from 1.13.0 to 1.13.1
- 3 new passive checks
Copyright (C) 2022 BLST Security Ltd