cherrybomb v0.6.1 releases: map your API flows and to find risky ones
Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.
Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.
How does it work?
It takes in an OAS file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found, guiding you to the exact problem and location to help you solve it quickly.
It can also take in your logs and check them for business logic flaws.
After installing the CLI, verify it’s working by running
cherrybomb swagger –file <PATH> –output <PATH> –verbosity <0/1/2>
First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running
cherrybomb map –file <LOGS_FILE_PATH> –output <OUTPUT_FILE_NAME>
If you don’t have an HTTP log file, but you have Burp suite logs, you are in luck, go to the scripts folder, there is a convertor script over there. If there are any other formats you need conversion scripts to, message us on the discord server.
For further insights, you can view your map visually in our web-based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.
Then, you can run passive or active scans of your logs/APIs for anomalies:
Passive (1 step):
Run the decider only to passively check for anomalies in your logs, run
cherrybomb decide –file <LOGS_FILE_PATH> –map <MAPPED_FILE_PATH>
Active (2 steps): After mapping, prepare the attacker by running the command below.
This will print the populations (API groups) so you can choose which one you want to run the attacker on.
cherrybomb prepare –url <URL_TO_ATTACK> –map <MAPPED_FILE_PATH>
Now you can use the attacker to actively attack the API by running
cherrybomb attack –map <MAPPED_FILE_PATH> (the same one you used in the prepare step) –output <OUTPUT_FILE_NAME> –population <POPULATION_NUMBER> (the one you got from the prepare step) –generations <MAX_GENERATIONS_NUMBER> –verbosity <VERBOSITY_LEVEL>
In the future, if you want to load new logs to an existing map file, run
cherrybomb load –file <LOGS_FILE_PATH> –map <MAPPED_FILE_PATH>
- * added check and stuff
- * Working on adding a new active test and diving into schemes.
- * slow progress on active tests
- * refactor structure for crates.io deployment. added `auth.rs` – unused
- * removed misconfigured tests from active tests
- * fixed version numbers
- * fixed version numbers 2
- * Update main.rs
- * Update Cargo.toml
- * Update Cargo.toml
- * Update checks.rs
Copyright (C) 2022 BLST Security Ltd