Beginner Guide for Cherrybomb

Let's start with the terminology and an introduction to the tool.

What is BLST?

BLST (Business Logic Security Testing) helps find broken business logic in an API and maps that logic to the UI that drives it. The BLST platform visualizes your API's logic flaws and suggests how to fix them.

What is Cherrybomb?

Cherrybomb is an open-source CLI tool, written in Rust and built on the OpenAPI standard, that validates your API specification. It takes an OAS (OpenAPI Specification) file as input and prints its findings as tables with alerts, pointing at the exact location of each problem so it can be fixed quickly. It can also work from logs to find business logic flaws.

It has 3 key features:

  1. API Endpoint Mapper: a view of every endpoint in your API and how the endpoints are connected to each other.
  2. Params Table: a table of the parameters declared in your OAS file and the endpoints that use them, which doubles as API documentation.
  3. OAS Misconfiguration Checks: detailed reports on misconfigured definitions and parameters, so that unexpected API behaviour is caught during development rather than in production.

How to install Cherrybomb CLI on Ubuntu (Linux)?

  1. Open your terminal
  2. Execute this command to install Cherrybomb CLI
    curl https://cherrybomb.blstsecurity.com/install | /bin/bash
    
    (screenshot: 1.png)
    
    Note that this pipes a script fetched over the network straight into bash. If you would rather see what it does first, save the script to a file, read it, and run it only once you are satisfied with its contents.
  3. Execute this command to verify the installation and print the installed version
    cherrybomb --version
    
    (screenshot: 2.png)

How to generate a parameter table using Cherrybomb CLI?

  1. Download the example spec from Swagger Editor and save it as JSON (I used an OAS 3.0.1 JSON file, saved as openapi.json)
  2. In the terminal, use the cd command to go to the directory that contains your OpenAPI JSON file
  3. Execute this command to print the parameter table
    cherrybomb param-table --file openapi.json
    
    (screenshot: 3.png)

How to generate an endpoint table using Cherrybomb CLI?

  1. Execute this command to print the endpoint table
    cherrybomb ep-table --file openapi.json
    
    (screenshot: 4.png)
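To make concrete what the endpoint table, the params table and the OAS misconfiguration checks described in the feature list above actually compute from an OAS file, here is an added Python example. It is written for this guide and is not Cherrybomb's own code: it walks a small, constructed OpenAPI 3 document (not the Swagger Petstore), builds the two tables, and runs three illustrative checks (plaintext server URL, operation without a security requirement, parameter without a schema). The check list and severities are my choices, not Cherrybomb's rule set, and the sample spec is constructed with those three issues planted on purpose.

```python
import json
from collections import defaultdict

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec (not the Swagger Petstore) with three deliberate issues:
# a plaintext server URL, a POST with no security requirement, and a path
# parameter declared without a schema.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.1",
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {
        "api_key": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "paths": {
        "/pets": {
            "get": {"operationId": "listPets",
                    "parameters": [{"name": "limit", "in": "query",
                                    "schema": {"type": "integer"}}],
                    "security": [{"api_key": []}],
                    "responses": {"200": {"description": "ok"}}},
            "post": {"operationId": "createPet",
                     "responses": {"201": {"description": "created"}}},
        },
        "/pets/{petId}": {
            "parameters": [{"name": "petId", "in": "path", "required": True}],
            "get": {"operationId": "showPetById", "security": [{"api_key": []}],
                    "responses": {"200": {"description": "ok"}}},
            "delete": {"operationId": "deletePet", "security": [{"api_key": []}],
                       "responses": {"204": {"description": "deleted"}}},
        },
    },
})


def load_spec(text):
    """Parse an OAS document given as JSON text."""
    return json.loads(text)


def iter_operations(spec):
    """Yield (METHOD, path, operation, effective parameters) for every operation.

    Path-level parameters apply to every operation under that path; an
    operation-level parameter with the same name and location overrides them.
    """
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # "parameters", "summary", etc. are not operations
            merged = {(p["name"], p["in"]): p for p in shared}
            for p in op.get("parameters", []):
                merged[(p["name"], p["in"])] = p
            yield method.upper(), path, op, list(merged.values())


def endpoint_table(spec):
    """Rows of (METHOD, path, sorted parameter names): the endpoint-table view."""
    return [(m, p, sorted(q["name"] for q in params))
            for m, p, _op, params in iter_operations(spec)]


def param_table(spec):
    """Map parameter name -> sorted 'METHOD path' strings that accept it: the params-table view."""
    table = defaultdict(set)
    for m, p, _op, params in iter_operations(spec):
        for q in params:
            table[q["name"]].add(f"{m} {p}")
    return {name: sorted(uses) for name, uses in table.items()}


def oas_checks(spec):
    """Return (severity, location, message) findings. The three checks are illustrative."""
    findings = []
    for i, server in enumerate(spec.get("servers", [])):
        if server.get("url", "").lower().startswith("http://"):
            findings.append(("HIGH", f"servers[{i}]", "server URL uses plaintext http"))
    global_security = spec.get("security")  # document-wide default, if declared
    for m, p, op, params in iter_operations(spec):
        loc = f"{m} {p}"
        # An explicit "security": [] disables auth for the operation, so treat
        # both "missing with no global default" and "empty" as findings.
        if not op.get("security", global_security):
            findings.append(("HIGH", loc, "operation has no security requirement"))
        for q in params:
            if "schema" not in q and "content" not in q:
                findings.append(("MEDIUM", f"{loc} param '{q['name']}'",
                                 "parameter has no schema, so its input is unconstrained"))
    return findings


if __name__ == "__main__":
    spec = load_spec(SAMPLE_SPEC)
    for row in endpoint_table(spec):
        print("endpoint", *row)
    for name, uses in param_table(spec).items():
        print("param", name, "->", ", ".join(uses))
    for severity, loc, msg in oas_checks(spec):
        print(f"[{severity}] {loc}: {msg}")
```

Run it on the constructed spec and it reports four findings: the http server URL, the unauthenticated POST /pets, and the schema-less petId on both GET and DELETE /pets/{petId}. To point it at the Petstore file from the steps above, replace SAMPLE_SPEC with the contents of openapi.json; the path-level parameter merging in iter_operations is what makes the params table attribute petId to each operation rather than to the path item only.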

How to use the BLST Security platform?

  1. Go to the BLST Security website (screenshot: 5.png)
  2. Click the Sign Up for Free button. A sign-up dialog appears; fill in your details (screenshot: 6.png)
  3. Click the Sign up button. You are taken to the login page (screenshot: 7.png)
  4. Fill in your credentials and click the Login button. On first login you will see a warning that your email address must be verified (screenshot: 8.png)
  5. Verify your email address by clicking the verification link in the email sent by BLST Security.
  6. Click the I've verified my email address, log me out button. The login page appears again; fill in your credentials and you will land on the BLST Security home page (screenshot: 9.png)
  7. Click the Dashboard button to open the dashboard home page (screenshot: 10.png)
  8. Click the Endpoints tab to open the endpoints page (screenshot: 11.png)
  9. Click the + Upload Swagger button. The upload OAS dialog appears (screenshot: 12.png)
  10. Click the Upload a file button and choose your OAS JSON file. A success message appears once the file is uploaded. Fill in the rest of the dialog as shown in the screenshot (screenshot: 13.png)
  11. Click the Upload button. Processing takes some time; you are returned to the home page, where the job's status is shown in the Running Actions section (screenshot: 14.png)
  12. The job disappears from that section when processing finishes. Click the Endpoints tab to see the endpoints page populated from the file you just uploaded (screenshot: 15.png)
  13. Click the Params tab to see the params page with its details (screenshot: 16.png)
  14. Open the OAS dropdown and select the Summary option to see a summary of the OAS checks (screenshot: 17.png)
  15. Click on any individual check to see more details about it

Congratulations! We have installed Cherrybomb CLI on Ubuntu, generated the parameter and endpoint tables from an OAS file, and taken a first look at the BLST Security dashboard.