Cherrybomb

Stop half-done API specifications

Maintained by blstsecurity

💣 What is Cherrybomb?

Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications.

Our CLI tool is open source, enabling support from both the OpenAPI and Rust communities.

🔨 How does it work?

It takes in an OAS file, runs a series of checks on it to make sure everything conforms to the OpenAPI Specification (OAS), and outputs a detailed table with any alerts found, pointing you to the exact problem and its location so you can fix it quickly.

It can also take in your logs and check them for business logic flaws.
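To make the scan concrete, here is an added illustration (not cherrybomb's own code) of the kind of passive check such a tool runs over an OpenAPI 3 JSON document: every finding is reported with a level and the location in the spec where it was found. The sample spec, the check names and the dotted location format are constructed for this example.

```python
import json

SAMPLE_OAS = json.dumps({  # constructed sample, not from the page; deliberately incomplete
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "paths": {"/orders/{id}": {
        "get": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "responses": {"200": {"description": "One order"}},
        },
        "delete": {
            "security": [{"bearerAuth": []}],
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "responses": {},
        },
    }},
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def check_oas(spec_json: str) -> list:
    """Return (check, level, location) rows; location is a dotted path into the spec."""
    spec = json.loads(spec_json)
    alerts = []
    global_security = bool(spec.get("security"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary", "x-..." keys on the path item
            loc = f"paths.{path}.{method}"
            # No operation-level security and no document-level default:
            # the operation is reachable without authentication.
            if not (op.get("security") or global_security):
                alerts.append(("no-security", "high", loc))
            # No responses at all: behaviour on every status code is undefined.
            if not op.get("responses"):
                alerts.append(("no-responses", "medium", loc + ".responses"))
            for i, param in enumerate(op.get("parameters", [])):
                # A parameter needs "schema" or "content" to have a defined type.
                if "schema" not in param and "content" not in param:
                    alerts.append(("param-without-schema", "medium",
                                   f"{loc}.parameters[{i}]"))
    return alerts


def format_table(alerts) -> str:
    """Render alerts as a plain-text table, one row per finding."""
    rows = [f"{c:<22}{l:<8}{loc}" for c, l, loc in alerts]
    return "\n".join([f"{'check':<22}{'level':<8}location"] + rows)
```

Running `print(format_table(check_oas(SAMPLE_OAS)))` reports the unauthenticated GET, its untyped `id` parameter, and the DELETE with no responses.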

๐Ÿพ Get Started

Installation

Using cURL

Linux/MacOS:
curl https://cherrybomb.blstsecurity.com/install | /bin/bash

The script requires sudo permissions to move the cherrybomb binary into /usr/local/bin/. If you would rather not pipe a remote script straight into a shell, download it first and read it before running it.
If you want to view the shell script (or help improve it), it lives at /scripts/install.sh.

Direct download

You can also download the binary file directly from our website.
This is a prebuilt binary, so you DO NOT have to install Rust. If you use this method, create the .cherrybomb directory in your home directory first by running:

mkdir ~/.cherrybomb

Usage

After installing the CLI, verify it's working by running

cherrybomb --version

OpenAPI specification scan

cherrybomb swagger --file <PATH> --output <PATH> --verbosity <0/1/2>

Or

cherrybomb oas --file <PATH> --output <PATH> --verbosity <0/1/2>

Output example for verbosity level 1:

[screenshot: checks_table]

Output example for verbosity level 0:

[screenshot: alerts_table]

Generate Parameter Table

cherrybomb swagger --file <PATH> --param-table

Or

cherrybomb oas --file <PATH> --param-table

Table output example:

[screenshot: param_table]

More features

First, we have a mapping module that relies on HTTP logs and builds a map of the API.
Start mapping your logs by running

cherrybomb map --file <LOGS_FILE_PATH> --output <OUTPUT_FILE_NAME> --hint <OAS FILE NAME>

If you don't have an HTTP log file but do have Burp Suite logs, you are in luck: there is a converter script in the scripts folder.
If you need conversion scripts for other formats, message us on the Discord server.
For further insights, you can view your map visually in our web-based visualizer: https://www.blstsecurity.com/cherrybomb/Visualizer.

In the future, if you want to load new logs to an existing map file, run

cherrybomb load --file <LOGS_FILE_PATH> --map <MAPPED_FILE_PATH>

🪦 Deprecation notice (!)

The Attacker and Decider modules will be deprecated in the next release (version 0.6), since we have barely seen any usage of them so far. Please let us know if you are indeed using these features and don't want them to be deprecated.

🚧 Roadmap

  • OAS 3 support
  • Passive checks
  • Parameter table
  • Improve installation script
  • Endpoints table
  • YAML support (currently only JSON is supported)
  • Swagger 2 support (currently only version 3 is supported)
  • Homebrew/APT support
  • Custom scans - optional checks + optional output + ignores (from alerts)
  • GraphQL schema support
  • Active scans
  • More passive scans
  • Swagger and logs validator (compares your logs with the swagger to verify correctness)

๐Ÿป Integration

For all methods of integrating with BLST, please go to the integrations folder.

💪 Support

Documentation

Please read our documentation to understand the format of sessions our mapper needs to function correctly.

Get help

If you have any questions, please send us a message to [email protected].
You are also welcome to open an Issue here on GitHub.

๐Ÿค Contributing

Please talk to us over at our Discord server to see where and how you can contribute to our project.
You can also find info about how to contribute to Cherrybomb here.

Contributors

bachp, chainguns, chalmagean, deliciousbounty, dret, guyl99, omerwow, royb99
