Forem: Guy Levinger

Cherrybomb v0.6

Guy Levinger — Wed, 27 Apr 2022 11:29:30 +0000

We just released Cherrybomb v0.6!🎉🎉🎉
Go to our GitHub repo and try it out: https://github.com/blst-security/cherrybomb

Release notes:

What's Changed

CLI

Added the command ep-table
Separated param-table into it's own command
Added configuration options
Rebuilt the CLI main using structopt in clap
Added the option to present only 1 parameter or 1 endpoint in their respective tables
Added the option for a JSON output - cherrybomb oas --file --format json

OAS

Created the EpTable module - it's meant to build the same kind of table as the param-table but with a different key(endpoint/path) and with some different related fields.

General

Deprecated the Decider module.
Some minor bug fixes
Now taking yaml OAS files as input as well🎉

New Contributors

@dret made their first contribution in https://github.com/blst-security/cherrybomb/pull/18

Full Changelog: https://github.com/blst-security/cherrybomb/compare/v0.5.2...v0.6.0

Cherrybomb v0.5.0

Guy Levinger — Thu, 17 Mar 2022 17:26:51 +0000

What's Changed

In this version we added a new feature and started building the infrastructure for new active OAS scans.

Parameter table feature

You can run the swagger scan command with the --param-table flag and get a table with all of the APIs parameters.

The table contains The parameters':

Types.
Min/Max.
Status codes at which they are present.
Endpoints at which they are present.
Parent parameters.
Child parameters.

Try it out and let us know what you think!
github:https://github.com/blst-security/cherrybomb

Looking for new features ideas for Cherrybomb

Guy Levinger — Sat, 26 Feb 2022 11:46:01 +0000

Hi everyone,

Cherrybomb is an API specification validator and a user behavior anomaly detection tool. We're looking for some feedback and some feature ideas to further improve and allow a bigger user base for it.

We'd love to hear your opinions and suggestions!
If you need anything specific in order for you to be able to use it let us know and we'll implement it as quickly as possible!

GitHub: https://github.com/blst-security/cherrybomb

Cherrybomb v0.4.3 - Added support for OAS-3.1

Guy Levinger — Sun, 20 Feb 2022 09:06:44 +0000

Hi everyone!
We just released Cherrybomb v0.4.3, Cherrybomb is a CLI tool helps you avoid undefined user behaviour by validating your API specifications.

In this version we:

Added support for OAS 3.1
Fixed minor bugs from previous versions
Added a new check for successful responses

Let us know what you think!
https://github.com/blst-security/cherrybomb
https://www.blstsecurity.com/

Thank you dev.to community

Guy Levinger — Wed, 02 Feb 2022 16:00:11 +0000

Hi community,
Just wanted to say Thank you(!!!) to everyone that viewed my previous post, especially for the ones that starred our GitHub repo, because of you we reached Rust's GitHub trending repos, and I would just like to say Thank you everyone!

GitHub repo: https://github.com/blst-security/cherrybomb

From enterprise product, through open-core to OpenAPI validator: Our journey

Guy Levinger — Mon, 31 Jan 2022 13:39:35 +0000

Hi everyone!

Cherrybomb is a new CLI app(written in Rust) that can help you detect half-done API specifications, map your APIs, and scan them for business logic vulnerabilities.
🤔 We've seen the problem of incomplete API flow and parameter specifications, which then translates to a lack of input control formerly in our own APIs and in the APIs of many of our developer friends and acquaintances.

We decided to do something about it

let me tell you a bit about our journey:

First, we thought this kind of thing will only interest enterprises, and we couldn't be more wrong, apparently, even an indie developer with one API out there loses sleep over its security... So, we chose to go with the bottom-up approach.
The second stop in our journey came in the form of user accessibility. How can we make our solution accessible for as many users as possible? We thought that going with a SAAS only product was the answer, but developing it for both users and enterprises while raising capital took quite a lot of us as developers.
The third stop is our first CLI release. We released our first open sourced product as a CLI named Firecracker (and yes, I know there is a repo already named Firecracker that is maintained by AWS...) and due to some name overlaps, lack of tenacity in publicizing it, and a lot of user friction to get the first value (you had to put in HTTP logs for the first map), it got stuck on 100 stars (until today hopefully).

That brings us to today, after this quite long journey we have made some changes, to use Cherrybomb(we changed the name) we only require the swagger file(OAS specification) of the API, and we run a series of quick passive test to alert regarding some specification issues, non best practices and so on...

What's next?

We are planning to implement even more and more interesting passive tests, start to run some active tests, create logs with the swagger, connect it to our currently existing mapper module, and more.
For that, we need your help. Dear community, if you know Rust, swaggers, APIs, security testing, or just want to have some fun contributing to a cool open source product, join our discord server. Please let us know your thought about our journey and about our CLI, comment here or on our github page:
https://github.com/blst-security/cherrybomb