Beginner Guide for Cherrybomb
Let's start by understanding the terminology and introducing the tool.
What is BLST?
BLST (Business Logic Security Testing) helps us find broken logic in our API and maps it to its UI. It provides a platform to visualize your API logic flaws and provides solutions to fix them.
What is Cherrybomb?
Cherrybomb is an open-source CLI tool that validates your API specifications. It is supported by the OpenAPI and Rust communities. It takes an OAS (OpenAPI Specification) file as input and outputs details in table format with alerts. It gives the exact location of each problem and guides you in fixing those problems quickly. It also works with logs to find business logic flaws.
It has 3 key features:
- API Endpoint Mapper: It provides a graphical view of your APIs. It shows how your APIs are interconnected with each other.
- Params Table: It provides a visualization of the parameters of your APIs from JSON files. It helps us document our APIs.
- OAS Misconfiguration Checks: It provides detailed information about misconfigured code or parameters. It helps us avoid unexpected behaviour of the API in the development stage.
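To make the OAS Misconfiguration Checks feature concrete, here is a small added example (written for this guide, not Cherrybomb's own code) that reads an OAS 3.x JSON document, flags a plain-HTTP server URL and operations with no security requirement, and prints the alerts as a table with the location of each problem. The sample specification is constructed for the example and is not a real API.

```python
"""Added example, not Cherrybomb's own code: a tiny OAS 3.x checker that
flags common misconfigurations and reports them as a table of alerts."""
import json

# Constructed sample OAS document (not a real API) with deliberate flaws:
# a plain-HTTP server, and two operations with no security requirement.
SAMPLE_OAS = json.dumps({
    "openapi": "3.0.1",
    "servers": [{"url": "http://api.example.test/v1"}],
    "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/users/{id}": {
            "get": {"parameters": [{"name": "id", "in": "path", "required": True}],
                    "security": [{"bearer": []}]},
            "delete": {"parameters": [{"name": "id", "in": "path", "required": True}]},
        },
        "/health": {"get": {}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def check_oas(text):
    """Return (severity, location, message) alerts for an OAS JSON string."""
    spec = json.loads(text)
    alerts = []
    for i, server in enumerate(spec.get("servers", [])):
        if server.get("url", "").lower().startswith("http://"):
            alerts.append(("HIGH", f"servers[{i}]", "server URL uses plain HTTP; use https://"))
    top_security = spec.get("security")  # document-wide default, may be absent
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation inherits the top-level requirement unless it sets its own;
            # an explicit empty list means "no auth required" and is flagged as well.
            security = op.get("security", top_security)
            if not security:
                alerts.append(("MEDIUM", f"{method.upper()} {path}",
                               "operation has no security requirement"))
    return alerts


def print_table(alerts):
    """Print alerts as an aligned text table with the location of each problem."""
    print(f"{'SEVERITY':<9} {'LOCATION':<20} MESSAGE")
    for sev, loc, msg in alerts:
        print(f"{sev:<9} {loc:<20} {msg}")


if __name__ == "__main__":
    print_table(check_oas(SAMPLE_OAS))
```

Running it on the sample reports three alerts: the HTTP server URL, `DELETE /users/{id}` and `GET /health`; only the authenticated `GET /users/{id}` passes.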
How to install Cherrybomb CLI in Ubuntu (Linux)?
- Open your terminal
- Execute this command to install Cherrybomb CLI
curl https://cherrybomb.blstsecurity.com/install | /bin/bash
- Execute this command to verify the installation and check its version
cherrybomb --version
How to generate a parameter table using Cherrybomb CLI?
- Download the example YAML file from Swagger Editor (I used an OAS 3.0.1 JSON file)
- Go to the directory containing your OpenAPI JSON file in the terminal using the cd command
- Execute this command to display the parameter table
cherrybomb param-table --file openapi.json
How to generate an endpoint table using Cherrybomb CLI?
- Execute this command to display the endpoint table
cherrybomb ep-table --file openapi.json
How to use the platform of BLST Security?
- Go to BLST Security
- Click on the Sign Up for Free button. You will see a sign-up dialog. Fill it in with your details
- Click on the Sign up button. You will see a login page.
- Fill in your credentials. Click on the Login button. The first time, you will see a warning asking for email verification
- Verify your email by clicking the verification link in the email sent by BLST Security.
- Click on the I've verified my email address, log me out button. You will see the login page again. Fill in your credentials. You will see the home page of BLST Security.
- Click on the Dashboard button. You will see the home page
- Click on the Endpoints tab. You will see the endpoints page.
- Click on the + Upload Swagger button. You will see the upload OAS dialog
- Click on the Upload a file button to upload your OAS JSON file. You will see a success message after uploading your file. Fill in the dialog as given below:
- Click on the Upload button. It will take some time to upload it. You will see the home page and can see its status in the Running Actions section
- It will disappear from that section after the upload completes. Click on the Endpoints tab. You will see the endpoints page with details of the recently uploaded file
- Click on the Params tab. You will see the params page with details
- Click on the OAS dropdown and select the Summary option. You will see a summary of OAS checks on that page
- You can click on the various checks to see more details about each individual check
Congratulations! We installed Cherrybomb CLI on Ubuntu, got hands-on experience with it, and learned about its dashboard.