bachp / cherrybomb

Stop half-done API specifications! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by validating your API specifications.

Home Page: https://www.blstsecurity.com/cherrybomb


Stop half-done API specifications

Maintained by blstsecurity

🧨 What is Cherrybomb?

Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.

Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.

🔨 How does it work?

It takes in a Swagger/OpenAPI file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table of any alerts found, pointing you to the exact problem and its location so you can fix it quickly.

It can also take in your logs and check them for business logic flaws.

🐾 Get Started

Installation

Using cURL

Linux/MacOS:
curl https://cherrybomb.blstsecurity.com/install | /bin/bash

Piping a remote script straight into a shell executes it without review. If that is a concern in your environment, fetch the script first and read it, or use the direct download below.

Direct download

You can also download the binary directly from our website. It is a prebuilt binary, so you DO NOT have to install Rust.

Usage

After installing the CLI, verify it's working by running

cherrybomb --version

Swagger scan

cherrybomb swagger --file <PATH> --output <PATH> --verbosity <0/1/2>
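To make concrete what a "half-done" specification looks like, here is an added example of a small checker in Python. It is not cherrybomb's code and does not reproduce cherrybomb's actual rule set; the four checks it implements (path parameter used in the path template but never declared, operation with no responses, request or response media type with no schema, and an unresolvable local $ref) are this example's own choices. The OpenAPI 3 document is constructed inline with those defects planted deliberately, so the script runs offline.

```python
"""Added example, not cherrybomb's own code: a minimal checker for a few
common gaps in an OpenAPI 3 document. The checks are illustrative choices,
not a description of what cherrybomb reports."""
import re

# Constructed sample OpenAPI 3 document with deliberate gaps.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "1.0"},
    "paths": {
        "/orders/{orderId}": {
            "get": {
                "operationId": "getOrder",
                # {orderId} is in the path template but never declared as a parameter
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}},
                    }
                },
            },
            "delete": {
                "operationId": "deleteOrder",
                "parameters": [{"name": "orderId", "in": "path", "required": True, "schema": {"type": "string"}}],
                # no responses at all: a client cannot know what success or failure looks like
            },
        },
        "/orders": {
            "post": {
                "operationId": "createOrder",
                "requestBody": {"content": {"application/json": {}}},  # body with no schema
                "responses": {"201": {"description": "Created"}},
            }
        },
    },
    "components": {"schemas": {}},  # "Order" is referenced above but never defined
}

PATH_PARAM = re.compile(r"\{([^}]+)\}")
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def resolve_ref(spec, ref):
    """Return True if a local JSON pointer such as '#/components/schemas/Order' exists."""
    if not ref.startswith("#/"):
        return True  # external references are out of scope for this example
    node = spec
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # JSON pointer unescaping
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def find_refs(node):
    """Yield every $ref string anywhere in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "$ref" and isinstance(value, str):
                yield value
            else:
                yield from find_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_refs(item)


def check_spec(spec):
    """Return a list of (location, message) alerts for the given spec dict."""
    alerts = []
    for path, item in spec.get("paths", {}).items():
        in_template = set(PATH_PARAM.findall(path))
        path_level = {p["name"] for p in item.get("parameters", []) if p.get("in") == "path"}
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            loc = f"{method.upper()} {path}"
            declared = path_level | {p["name"] for p in op.get("parameters", []) if p.get("in") == "path"}
            for missing in sorted(in_template - declared):
                alerts.append((loc, f"path parameter '{missing}' used in the path but not declared"))
            if not op.get("responses"):
                alerts.append((loc, "operation declares no responses"))
            for media, media_obj in op.get("requestBody", {}).get("content", {}).items():
                if "schema" not in media_obj:
                    alerts.append((loc, f"request body for {media} has no schema"))
            for code, resp in op.get("responses", {}).items():
                for media, media_obj in resp.get("content", {}).items():
                    if "schema" not in media_obj:
                        alerts.append((loc, f"response {code} {media} has no schema"))
    for ref in find_refs(spec):
        if not resolve_ref(spec, ref):
            alerts.append(("$ref", f"unresolvable reference {ref}"))
    return alerts


if __name__ == "__main__":
    for location, message in check_spec(SAMPLE_SPEC):
        print(f"{location}: {message}")
```

Each alert names the operation it belongs to, which is the same idea as the location column in cherrybomb's output table: an undeclared path parameter or a schema-less body is exactly the kind of gap that leaves client behaviour undefined, and it is cheapest to catch in the spec before any code is generated from it.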

More features

First, we have a mapping module that relies on HTTP logs and builds a map of the API. Start mapping your logs by running

cherrybomb map --file <LOGS_FILE_PATH> --output <OUTPUT_FILE_NAME>

If you don't have an HTTP log file but you do have Burp Suite logs, there is a converter script in the scripts folder. If you need conversion scripts for other formats, message us on the Discord server. For further insight, you can view your map visually in our web-based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.

Then, you can run passive or active scans of your logs/APIs for anomalies:

Passive (1 step): to check your logs for anomalies without sending any traffic, run the decider only:

cherrybomb decide --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

Active (2 steps): after mapping, prepare the attacker by running the command below. This prints the populations (API groups) so you can choose which one to run the attacker against. Only point the attacker at APIs you are authorized to test.

cherrybomb prepare --url <URL_TO_ATTACK> --map <MAPPED_FILE_PATH>

Now you can use the attacker to actively attack the API by running

cherrybomb attack --map <MAPPED_FILE_PATH> --output <OUTPUT_FILE_NAME> --population <POPULATION_NUMBER> --generations <MAX_GENERATIONS_NUMBER> --verbosity <VERBOSITY_LEVEL>

Pass the same map file you used in the prepare step, and the population number that step printed.

Later, if you want to load new logs into an existing map file, run

cherrybomb load --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

🚧 Roadmap

  • OAS 3 support
  • Passive checks
  • Improve installation script
  • Homebrew/APT support
  • Custom scans - optional checks + optional output + ignores(from alerts)
  • Swagger 2 support (currently only version 3 is supported)
  • Active scans
  • More passive scans
  • Swagger and logs validator (compares your logs with the swagger to verify correctness)

πŸ’ͺ Support

Documentation

Please read our documentation to understand the format of sessions our mapper needs to function correctly.

Get help

If you have any questions, please send us a message to support@blstsecurity.com. You are also welcome to open an Issue here on GitHub.

🤝 Contributing

You can find info about how to contribute to Cherrybomb here. You can also talk to us in our developers' discord server.


License: Apache License 2.0
