Samueladewole / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.

Home page: https://www.blstsecurity.com/cherrybomb


Stop half-done API specifications

Maintained by blst security.

💣 What is Cherrybomb?

Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications and running API security tests.

🔨 How does it work?

Cherrybomb reads your API spec file (OpenAPI Specification) and validates it against best practices and the OAS specification; it then tests that the running API actually follows the OAS file and tests it for common vulnerabilities.
The output is a detailed table of any issues found, pointing you to the exact problem and its location so you can fix it quickly.
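To make concrete what a passive specification audit of this kind looks at, here is a small added example (not Cherrybomb's own code, and not a list of the checks it actually implements). It walks a constructed OAS 3 document and reports three classes of gap a spec audit would flag: operations with no effective security requirement, operations that document no 4xx/5xx responses (so error behaviour is undefined), and parameters without a schema. The sample spec, severities and check names are all assumptions made for the illustration.

```python
"""Illustrative passive OpenAPI-spec checks (added example, not Cherrybomb's code)."""
import json

# Constructed sample spec: a small OAS 3 document with deliberate gaps in GET.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "demo", "version": "1"},
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [{"name": "id", "in": "path", "required": true}],
        "responses": {"200": {"description": "ok"}}
      },
      "delete": {
        "security": [{"bearerAuth": []}],
        "parameters": [{"name": "id", "in": "path", "required": true,
                        "schema": {"type": "string"}}],
        "responses": {"204": {"description": "deleted"},
                      "403": {"description": "forbidden"}}
      }
    }
  },
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}}
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def audit_spec(spec):
    """Return a list of (severity, location, message) findings for an OAS 3 dict."""
    findings = []
    # Top-level security applies to every operation that does not override it.
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        # Path-level parameters apply to every operation under the path.
        path_params = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"{method.upper()} {path}"
            # Operation-level security overrides global; an explicit [] disables auth.
            security = op.get("security", global_security)
            if not security:
                findings.append(("HIGH", loc,
                                 "no security requirement applies to this operation"))
            codes = op.get("responses", {})
            if not any(code.startswith(("4", "5")) for code in codes):
                findings.append(("MEDIUM", loc,
                                 "no 4xx/5xx response documented; error behaviour is undefined"))
            for param in path_params + op.get("parameters", []):
                # A parameter needs either `schema` or `content` to constrain its input.
                if "schema" not in param and "content" not in param:
                    findings.append(("LOW", f"{loc} param '{param.get('name')}'",
                                     "parameter has no schema; input is unconstrained"))
    return findings


if __name__ == "__main__":
    for severity, location, message in audit_spec(SAMPLE_SPEC):
        print(f"[{severity}] {location}: {message}")
```

On the constructed spec the GET operation produces all three findings while DELETE, which declares a bearer-token requirement, a 403 response and a typed parameter, produces none. A real audit would also resolve `$ref`s and the security schemes under `components`, which this illustration deliberately skips.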

🐾 Get Started

Installation

Using cURL

Linux/MacOS:
curl https://cherrybomb.blstsecurity.com/install | /bin/bash

The script requires sudo permissions to move the cherrybomb binary into /usr/local/bin/.
If you want to review the shell script (or help improve it), see /scripts/install.sh.

Get it from crates.io

cargo install cherrybomb

If you don't have cargo installed, you can install it from here

Docker container

You can also use the Docker container we host in our public repository on AWS. It requires an API key, which you can get from our CI pipeline integration wizard (after you sign up).

docker run --mount type=bind,source=PATH_TO_OAS_DIR,destination=/home public.ecr.aws/t1d5k0l0/cherrybomb:latest cherrybomb oas -f home/OAS_NAME --api-key=API-KEY

Clone

You can also install Cherrybomb by cloning this repo and building it with cargo (*only works with the nightly toolchain):

git clone https://github.com/blst-security/cherrybomb && cd cherrybomb
cargo build --release
sudo mv ./target/release/cherrybomb /usr/local/bin

Usage

After installing the CLI, verify that it works by running:

cherrybomb --version

OpenAPI specification scan

cherrybomb oas --file <PATH> --format <cli/txt/json>

Output examples (screenshots): passive output, active output.

Generate Parameter Table

cherrybomb param-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

Table output example (screenshot): param_table.

Generate Endpoint Table

cherrybomb ep-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

Table output example (screenshot): ep_table.

🚧 Roadmap

  • OAS 3 support
  • Passive checks
  • Parameter table
  • Improve installation script
  • Endpoints table
  • YAML support (currently only JSON is supported)
  • Custom scans - optional checks + optional output
  • Active scans
  • Ignore alerts + don't fail on info
  • More passive checks
  • Swagger 2 support (currently only version 3 is supported)
  • Homebrew/apt/crates.io support
  • GraphQL schema support

🍻 Integration

You can embed Cherrybomb into your CI pipeline. If you plan on doing that, I would recommend that you go to our website, sign up, go through the CI pipeline integration wizard, and copy the Groovy/GitHub Actions snippet built for you.
Example (screenshot): CI pipeline builder output.

πŸ’ͺ Support

Get help

If you have any questions, please send us a message at support@blstsecurity.com or ask us on our Discord server.
You are also welcome to open an Issue here on GitHub.

🤝 Contributing

You can find contribution options in our open issues; the "More passive checks" issue is a great one to start from. You can also find info about contributing new checks to Cherrybomb here.
If you have any questions or need help, talk to us on our Discord server to see where and how you can contribute to the project.

License: Apache License 2.0


Languages: Rust 98.6%, Python 0.9%, Shell 0.6%