Hi everyone!
Cherrybomb is a new CLI app(written in Rust) that can help you detect half-done API specifications, map your APIs, and scan them for business logic vulnerabilities.
🤔 We've seen the problem of incomplete API flow and parameter specifications, which then translates to a lack of input control formerly in our own APIs and in the APIs of many of our developer friends and acquaintances.
We decided to do something about it
let me tell you a bit about our journey:
- First, we thought this kind of thing will only interest enterprises, and we couldn't be more wrong, apparently, even an indie developer with one API out there loses sleep over its security... So, we chose to go with the bottom-up approach.
- The second stop in our journey came in the form of user accessibility. How can we make our solution accessible for as many users as possible? We thought that going with a SAAS only product was the answer, but developing it for both users and enterprises while raising capital took quite a lot of us as developers.
- The third stop is our first CLI release. We released our first open sourced product as a CLI named Firecracker (and yes, I know there is a repo already named Firecracker that is maintained by AWS...) and due to some name overlaps, lack of tenacity in publicizing it, and a lot of user friction to get the first value (you had to put in HTTP logs for the first map), it got stuck on 100 stars (until today hopefully).
That brings us to today, after this quite long journey we have made some changes, to use Cherrybomb(we changed the name) we only require the swagger file(OAS specification) of the API, and we run a series of quick passive test to alert regarding some specification issues, non best practices and so on...
What's next?
We are planning to implement even more and more interesting passive tests, start to run some active tests, create logs with the swagger, connect it to our currently existing mapper module, and more.
For that, we need your help. Dear community, if you know Rust, swaggers, APIs, security testing, or just want to have some fun contributing to a cool open source product, join our discord server. Please let us know your thought about our journey and about our CLI, comment here or on our github page:
https://github.com/blst-security/cherrybomb
Top comments (0)