Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.

Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.

It takes in an OAS file, runs a series of checks on it to make sure everything is on par with the OAS, and outputs a detailed table with any alerts found, guiding you to the exact problem and location to help you solve it quickly.

It can also take in your logs and check them for business logic flaws.

curl https://cherrybomb.blstsecurity.com/install	| /bin/bash

The script requires sudo permissions to move the cherrybomb bin into /usr/local/bin/.
(If you want to view the shell script(or even help to improving it - /scripts/install.sh)

You can also download the binary file directly from our website.
This is a binary file and you DO NOT have to install Rust. If you use this method you should run this command:

mkdir ~/.cherrybomb

To create a .cherrybomb dir in the home directory.

After installing the CLI, verify it's working by running

cherrybomb --version

cherrybomb oas --file <PATH> --config <PATH> --verbosity <0/1/2> --format <cli/txt/json> --output <PATH>

cherrybomb param-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

cherrybomb ep-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

You can configure the OAS scan using the config.json file in your .cherrybomb director that we create by default in your home path(after one scan at least or downloading using the install script).

Full scan:

{
  "scan_type":"Full",
	...
}

Only run the server url and the default response checks:

{
  "scan_type":["SERRVER URL","DEFAULT RESPONSE"],
	...
}

{
  "fail_on_info":true,
	...
}

First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running

cherrybomb map --file <LOGS_FILE_PATH> --output <OUTPUT_FILE_NAME> --hint <OAS FILE NAME>

If you don't have an HTTP log file, but you have Burp suite logs, you are in luck, go to the scripts folder, there is a convertor script over there.
If there are any other formats you need conversion scripts to, message us on the discord server.
For futher insights, you can view your map visually in our web based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.

In the future, if you want to load new logs to an existing map file, run

cherrybomb load --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

The Attacker and Decider modules will be deprecated(!) in our the next release(version 0.6). We are doing it since we have barely seen any usage of the modules thus far. Please let us know if you are indeed using those features and don't want them to be deprecated.

• OAS 3 support
• Passive checks
• Parameter table
• Improve installation script
• Endpoints table
• YAML support (currently only JSON is supported)
• Custom scans - optional checks + optional output
• Ignore alerts + don't fail on info
• More passive checks
• Swagger 2 support (currently only version 3 is supported)
• Homebrew/APT support
• GraphQL schema support
• Active scans
• Swagger and logs validator (compares your logs with the swagger to verify correctness)

For all methods of integrating with BLST, please go to the integrations folder.

Please read our documentation to understand the format of sessions our mapper needs to function correctly.

If you have any questions, please send us a message to [email protected] or ask us on our discord server.
You are also welcome to open an Issue here on GitHub.

You can find contribution options from our open issues, you should look for the "More passive checks" issue(it's a great issue to start from). You can also find info about contributing new checks to Cherrybomb here.
If you have any question or need any help talk to us over at our discord server to see where and how can you contribute to our project.