Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/blst-security/cherrybomb
Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
https://github.com/blst-security/cherrybomb
api api-security best-practices blst business-logic cli cyber cybersecurity firecracker http open-source openapi openapi3 security security-tools web-sec-scanner web-security websecurity
Last synced: 22 days ago
JSON representation
Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
- Host: GitHub
- URL: https://github.com/blst-security/cherrybomb
- Owner: blst-security
- License: apache-2.0
- Created: 2021-11-17T07:02:22.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-01-15T11:20:13.000Z (10 months ago)
- Last Synced: 2024-10-01T00:02:55.554Z (about 1 month ago)
- Topics: api, api-security, best-practices, blst, business-logic, cli, cyber, cybersecurity, firecracker, http, open-source, openapi, openapi3, security, security-tools, web-sec-scanner, web-security, websecurity
- Language: Rust
- Homepage: https://www.blstsecurity.com/cherrybomb
- Size: 2.62 MB
- Stars: 1,119
- Watchers: 12
- Forks: 78
- Open Issues: 34
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-rust - Cherrybomb - Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. (Applications / Security tools)
- awesome-rainmana - blst-security/cherrybomb - Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests. (Rust)
- awesome-python-testing - cherrybomb - CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests. (Rest API Testing)
- awesome-api-security - Cherrybomb - done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. | (Tools)
- awesome-rust - Cherrybomb - Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. (Applications / Security tools)
- fucking-awesome-rust - Cherrybomb - Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. (Applications / Security tools)
- fucking-awesome-rust - Cherrybomb - Stop half-done API specifications with a CLI tool that helps you avoid undefined user behaviour by validating your API specifications. (Applications / Security tools)
- awesome-rust-cn - Cherrybomb - 用一个CLI工具停止半成品的API规范,该工具通过验证你的API规范来帮助你避免未定义的用户行为。 (应用程序 Applications / 安全工具 Security tools)
README
.png)
Stop half-done API specifications
[](https://www.blstsecurity.com/?promo=blst&domain=github_maintained_shield)
[](https://www.blstsecurity.com/cherrybomb?promo=blst&domain=github_docs_shield)
[](https://discord.gg/WdHhv4DqwU)
# 💣 What is Cherrybomb?
Cherrybomb is an CLI tool written in Rust that helps prevent incorrect code implementation early in development. It works by validating and testing your API using an OpenAPI file. Its main goal is to reduce security errors and ensure your API functions as intended.
# 🔨 How does it work?
Cherrybomb makes sure your API is working correctly. It checks your API's spec file (OpenAPI Specification) for good practices and makes sure it follows the OAS rules. Then, it tests your API for common issues and vulnerabilities. If any problems are found, Cherrybomb gives you a detailed report with the exact location of the problem so you can fix it easily.
# 🐾 Get Started
## Installation
##### Linux/MacOS:
```
curl https://cherrybomb.blstsecurity.com/install | /bin/bash
```
The script requires sudo permissions to move the cherrybomb bin into /usr/local/bin/.
(If you want to view the shell script(or even help to improving it - [/scripts/install.sh](/scripts/install.sh))
##### Containerized version
You can get Cherrybomb through its containerized version which is hosted on AWS ECR, and requires an API key that you can get on that addess(the loading is a bit slow) - [https://cicd.blstsecurity.com/](https://cicd.blstsecurity.com/)
```
docker run --mount type=bind,source=[PATH TO OAS],destination=/home public.ecr.aws/blst-security/cherrybomb:latest cherrybomb -f /home/[OAS NAME] --api-key=[API-KEY]
```
#### Get it from crates.io
```bash
cargo install cherrybomb
```
If you don't have cargo installed, you can install it from [here](https://doc.rust-lang.org/cargo/getting-started/installation.html)
#### Building from Sources
You can also build Cherrybomb from sources by cloning this repo, and building it using cargo.
```
git clone https://github.com/blst-security/cherrybomb && cd cherrybomb
```
The main branch's Cargo.toml file uses `cherrybomb-engine` and `cherrybomb-oas` from crates.io.
if you want build those from source too, you can change the following files:
(remove the version number and replace with the path to the local repo)
```
cherrybomb/Cargo.toml:
cherrybomb-engine = version => { path = "cherrybomb-engine" }
```
```
cherrybomb/cherrybomb-engine/Cargo.toml:
cherrybomb-oas = version => { path = "../cherrybomb-oas" }
```
```
cargo build --release
sudo mv ./target/release/cherrybomb /usr/local/bin # or any other directory in your PATH
```
### Profile
Profiles allow you to choose the type of check you want to use.
```
- info: only generates param and endpoint tables
- normal: both active and passive
- intrusive: active and intrusive [in development]
- passive: only passive tests
- full: all the options
```
### Config
With a configuration file, you can easily edit, view, Cherrybomb's options.
The config file allows you to set the running profile, location of the oas file, the verbosity and ignore the TLS error.
Config also allows you to override the server's URL with an array of servers, and add security to the request [in development].
Notice that CLI arguments parameter will override config options if both are set.
You can also add or remove checks from a profile using `passive/active-include/exclude`. [in development]
```
cherrybomb --config
```
Structure of config file:
```
{
"file" : "open-api.json",
"verbosity" : "normal,
"profile" : " "Normal",
"passive_include" : ["check1, checks2"],
"active_include": ["check3, check4"],
"servers_override" , ["http://server/"],
"security": [{
"auth_type": "Basic",
"auth_value" : token_value,
"auth_scope" : scope_name
}],
"ignore_tls_errors" : true,
"no_color" : false,
}
```
# Usage
After installing, verify it's working by running
```
cherrybomb --version
```
### OpenAPI specification
``` cherrybomb --file --profile passive ```
Passive Output example:
### Generate Info Table
```
cherrybomb --file --profile info
```
Parameter table output:
Endpoint table output:
# 🍻 Integration
You can embed it into your CI pipeline, and If you plan on doing that I would recommend that you go to our [website](https://www.blstsecurity.com/?promo=blst&domain=github_integration_link), sign up, go through the [CI pipeline integration wizard](https://www.blstsecurity.com/Loading?redirect=/CICD&promo=blst&domain=github_wiz_integration), and copy the groovy/GitHub actions snippet built for you.
Example:
# 💪 Support
### Get help
If you have any questions, please send us a message to [[email protected]](mailto:[email protected]) or ask us on our [discord server](https://discord.gg/WdHhv4DqwU).
You are also welcome to open an Issue here on GitHub.