blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.

Home Page: https://www.blstsecurity.com/cherrybomb

Bug in the parser

DeliciousBounty opened this issue

@RazMag
While writing an active scan, I encountered strange behavior.

Description
The code does not parse every path in the OAS file.

To Reproduce
Steps to reproduce the behavior:

  1. Set the OAS file with this file.
    petstore.txt

  2. Rename it with .json

  3. Go to /swagger/sca/src/active/additional_checks.rs

  4. Add this function:
    ```rust
    pub async fn check_idors(&self, auth: &Authorization) -> CheckRetVal {
        //// reformat get with path parameter
        let mut ret_val = CheckRetVal::default();
        for oas_map in self.payloads.iter() {
            for (json_path, schema) in &oas_map.payload.map {
                println!("PATH: {}", oas_map.path.path);
                let url;
                if let Some(servers) = &self.oas.servers() {
                    if let Some(s) = servers.first() {
                        url = s.url.clone();
                    } else {
                        continue;
                    };
                } else {
                    continue;
                };
            }
        }

        ret_val
    }
    } // closes the enclosing impl block
    ```

  5. Check the output. It misses some paths: "/pet/{petId}", for example.

Expected behavior
This code should print all the existing OAS paths. But it misses some paths: "/pet/{petId}", for example.

Desktop (please complete the following information):

  • OS: Ubuntu