Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications and running API security tests.
Cherrybomb reads your API spec file (OpenAPI Specification) and validates it against the OAS specification and best practices. It then tests the running API to verify that it follows the OAS file, and checks it for common vulnerabilities. The output is a detailed table of any issues found, pointing you to the exact problem and its location so you can fix it quickly.
curl https://cherrybomb.blstsecurity.com/install | /bin/bash
The script requires sudo permissions to move the cherrybomb bin into /usr/local/bin/.
If you want to view the shell script (or help improve it), see /scripts/install.sh.
You can also use our Docker container, hosted in our public repository on AWS. It requires an API key, which you can get from our CI pipeline integration builder (after you sign up):
docker run --mount type=bind,source=PATH_TO_OAS_DIR,destination=/home public.ecr.aws/t1d5k0l0/cherrybomb:latest cherrybomb oas -f home/OAS_NAME --api-key=API-KEY
You can also install Cherrybomb by cloning this repo and building it with cargo (note: this only works with the nightly toolchain):
git clone https://github.com/blst-security/cherrybomb && cd cherrybomb
cargo build --release
sudo mv ./target/release/cherrybomb /usr/local/bin
After installing the CLI, verify it's working by running
cherrybomb --version
cherrybomb oas --file <PATH> --format <cli/txt/json>
cherrybomb param-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>
cherrybomb ep-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>
You can embed Cherrybomb in your CI pipeline. If you plan on doing that, we recommend that you go to our website, sign up, go through the CI pipeline integration builder, and copy the Groovy or GitHub Actions snippet it builds for you.
Example:
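The following GitHub Actions workflow is an added illustration of the CI embedding described above; it is not the snippet the integration builder generates. It uses the install command and the `cherrybomb oas` flags from this README; the spec path `api/openapi.yaml`, the report file name, and the assumption that `--format json` writes to stdout are ours.

```yaml
# Added example workflow (not generated by the Cherrybomb CI integration builder).
# Installs Cherrybomb with the install script from this README and checks the
# OpenAPI spec on every push and pull request.
# Assumptions: the spec lives at api/openapi.yaml, and `--format json` prints
# the report to stdout so it can be redirected to a file.
name: cherrybomb-api-check

on:
  push:
  pull_request:

jobs:
  api-spec-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # The install script needs sudo to place the binary in /usr/local/bin;
      # hosted GitHub runners provide passwordless sudo.
      - name: Install Cherrybomb
        run: curl https://cherrybomb.blstsecurity.com/install | /bin/bash

      - name: Verify installation
        run: cherrybomb --version

      # Human-readable table in the job log for quick review.
      - name: Validate spec and run checks (cli output)
        run: cherrybomb oas --file api/openapi.yaml --format cli

      # Machine-readable report kept as a build artifact.
      - name: Produce JSON report
        run: cherrybomb oas --file api/openapi.yaml --format json > cherrybomb-report.json

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: cherrybomb-report
          path: cherrybomb-report.json
```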
If you have any questions, please send us a message to support@blstsecurity.com or ask us on our discord server.
You are also welcome to open an Issue here on GitHub.
You can find contribution options in our open issues; the "More passive checks" issue is a great one to start from. You can also find information about contributing new checks to Cherrybomb here. If you have any questions or need help, talk to us on our Discord server to find out where and how you can contribute to the project.