/cherrybomb

Stop half-done API specifications! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.

Primary LanguageRustApache License 2.0Apache-2.0

cherry_bomb_v4_3_1 (1)

Stop half-done API specifications

Maintained by blstsecurity docs Discord Shield

๐Ÿงจ What is Cherrybomb?

Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.

Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.

๐Ÿ”จ How does it work?

It takes in an OAS file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found, guiding you to the exact problem and location to help you solve it quickly.

It can also take in your logs and check them for business logic flaws.

๐Ÿพ Get Started

Installation

Using cURL

Linux/MacOS:
curl https://cherrybomb.blstsecurity.com/install	| /bin/bash

Direct download

You can also download the binary file directly from our website.
This is a binary file and you DO NOT have to install Rust.

Usage

After installing the CLI, verify it's working by running

cherrybomb --version

Swagger scan

cherrybomb swagger --file <PATH> --output <PATH> --verbosity <0/1/2>

More features

First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running

cherrybomb map --file <LOGS_FILE_PATH> --output <OUTPUT_FILE_NAME>

If you don't have an HTTP log file, but you have Burp suite logs, you are in luck, go to the scripts folder, there is a convertor script over there.
If there are any other formats you need conversion scripts to, message us on the discord server.
For futher insights, you can view your map visually in our web based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.

Then, you can run passive or active scans of your logs/APIs for anomalies:

Passive (1 step):
Run the decider only to passively check for anomalies in your logs, run

cherrybomb decide --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

Active (2 steps): After mapping, prepare the attacker by running the command below.
This will print the populations (API groups) so you can choose which one you want to run the attacker on.

cherrybomb prepare --url <URL_TO_ATTACK> --map <MAPPED_FILE_PATH>

Now you can use the attacker to actively attack the API by running

cherrybomb attack --map <MAPPED_FILE_PATH> (the same one you used in the prepare step) --output <OUTPUT_FILE_NAME> --population <POPULATION_NUMBER> (the one you got from the prepare step) --generations <MAX_GENERATIONS_NUMBER> --verbosity <VERBOSITY_LEVEL>

In the future, if you want to load new logs to an existing map file, run

cherrybomb load --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

๐Ÿšง Roadmap

  • OAS 3 support
  • Passive checks
  • Improve installation script
  • Homebrew/APT support
  • Custom scans - optional checks + optional output + ignores(from alerts)
  • GraphQL schema support
  • Swagger 2 support (currently only version 3 is supported)
  • Active scans
  • More passive scans
  • Swagger and logs validator (compares your logs with the swagger to verify correctness)

๐Ÿ’ช Support

Documentation

Please read our documentation to understand the format of sessions our mapper needs to function correctly.

Get help

If you have any questions, please send us a message to support@blstsecurity.com.
You are also welcome to open an Issue here on GitHub.

๐Ÿค Contributing

Please talk to us over at our discord server to see where and how can you contribute to our project.
You can also find info about how to contribute to Cherrybomb here.