Stay calm, your APIs are secure with CherryBomb!

"Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products."

In a world where cybersecurity is of the utmost concern, API security is rapidly evolving and must be focused upon, since APIs expose application logic and sensitive data. Earlier, API attacks were more generalized, and threats such as SQL injection or cross-site scripting were an attacker's favorite tools for taking advantage of weakly defended APIs. Of course, there were solutions such as Web Application Firewalls (WAFs), which help protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet, or API gateways, which act as a reverse proxy to accept all application programming interface (API) calls.

[Image: WAF.png]

But alas, solutions such as WAF come with their own issues, such as -

  • Cost (bills can easily reach up to $10000 per year, yikes!)
  • Slow performance
  • No context about the attack in general
  • Lots of false positives

[Image: false positive.png]

(Quite the surprise for Jonathan, 46, Male father of 2)

APIs are now becoming an even hotter target for attackers, considering the amount of sensitive data passed through them, and with APIs changing dynamically to suit different business needs, there's a desperate need for better solutions that can cater to those needs.

That's where CherryBomb by BLST comes in!

Cherrybomb is a CLI tool that helps you avoid undefined user behavior by validating your API specifications through the various stages of API design.

From BLST's own website,

BLST focuses on business logic attacks to provide more information, higher impact, and perfect working comfort. In contrast to common attacks, such as SQLI and XSS, each logic attack is usually unique, since it has to exploit a function or a feature that is specific to each application.

Let's take an example of a business logic flaw to get an idea of problems you might face -

Suppose a business decides to open a new online store and their CEO comes up with a brilliant idea:

[Five-panel comic: comic1.jpg through comic5.jpg]

Sigh, if only the intern had used BLST tools.

That was just one small example of how a business logic flaw could be exploited. This comprehensive article by PortSwigger lists many more.

With CherryBomb, you can prevent these flaws and ensure that your APIs are fully secure.

Installing CherryBomb

Installation on Linux/macOS is super simple; all you have to do is execute -

curl https://cherrybomb.blstsecurity.com/install | /bin/bash

However, for Windows users, I found that using WSL (Windows Subsystem for Linux) was the easiest method (thanks to kranurag7 for the suggestion). If you need help setting it up, this 14-minute tutorial has everything you need.

[Image: install1.png]

And if you need to check the current version of CherryBomb on your system,

cherrybomb --version

[Image: version1.png]

Using CherryBomb

Now that we have everything set up, let's check out some cool things CherryBomb can do -

  • Validates OpenAPI Specifications - The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection.

Basically a bunch of rules REST APIs should follow to make communication easier. The full list of specifications can be found at this link.

To check if your API conforms to the OAS and to follow best practices, simply execute

cherrybomb oas --file <PATH> --config <PATH> --verbosity <0/1/2> --format <cli/txt/json> --output <PATH>

When you download CherryBomb, they're kind enough to provide you with a JSON file called example-oas.

If we check out the file...

[Image: json.png]

Good god, that's awful to look at. It would be extremely difficult to manually look over all that code and figure out if you're following the OAS and best practices.

But with CherryBomb, if we use the code snippet from above and type in the proper command,

cherrybomb oas --file example-oas.json --verbosity 1

We get this -

[Image: oas.png]

Everything has now been nicely arranged for us in a brilliant table, which categorizes various 'checks' based on the result of the test, the severity of the issue, how many alerts were caught and a description of the check being performed.

Here's a description of what each parameter in the 'oas' command does -

[Image: help oas.png]

Super cool! Now if you ever need to check if your REST API follows the OAS, you can use CherryBomb to get a comprehensive and well structured answer.
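To make concrete what a 'check' in that table is, here is an added example (my own Python, not CherryBomb's code) that runs three hypothetical checks of the same flavour over a constructed OpenAPI 3 document and returns a similar result/severity/alerts/description table. The check names, severities and the sample spec are assumptions for illustration; the "security": [] case shows why an operation-level key has to be read separately from the global one.

```python
import json

# Constructed sample OpenAPI 3 document standing in for the page's example-oas.json.
SAMPLE_OAS = json.loads("""{
  "openapi": "3.0.0", "servers": [{"url": "http://api.example.test/v1"}],
  "paths": {
    "/users/{id}": {
      "get": {"security": [{"apiKey": []}],
              "responses": {"200": {"description": "ok"}, "429": {"description": "rate limited"}}},
      "delete": {"responses": {"204": {"description": "deleted"}}}},
    "/login": {"post": {"security": [], "responses": {"200": {"description": "ok"}}}}
  }}""")

# (name, severity, description) of the three hypothetical checks this example implements
CHECKS = (
    ("insecure-server", "MEDIUM", "Server URL uses plain http instead of https"),
    ("no-auth", "HIGH", "Operation has no security requirement, global or local"),
    ("no-rate-limit", "LOW", "Operation does not document a 429 Too Many Requests response"),
)

def operations(spec):
    """Yield (METHOD, path, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method in ("get", "put", "post", "delete", "patch", "head", "options", "trace"):
            if method in item:
                yield method.upper(), path, item[method]

def run_checks(spec):
    """Return the locations flagged by each check, keyed by check name."""
    alerts = {name: [] for name, _, _ in CHECKS}
    for srv in spec.get("servers", []):
        if srv.get("url", "").lower().startswith("http://"):
            alerts["insecure-server"].append(srv["url"])
    for method, path, op in operations(spec):
        where = f"{method} {path}"
        # An operation-level "security" key overrides the global one; an empty list opts out.
        effective = op["security"] if "security" in op else spec.get("security", [])
        if not effective:
            alerts["no-auth"].append(where)
        if "429" not in op.get("responses", {}):
            alerts["no-rate-limit"].append(where)
    return alerts

def report(spec):
    """Render a CherryBomb-style table: check, result, severity, alert count, description."""
    alerts = run_checks(spec)
    rows = [("Check", "Result", "Severity", "Alerts", "Description")]
    for name, severity, desc in CHECKS:
        rows.append((name, "FAILED" if alerts[name] else "PASSED", severity, str(len(alerts[name])), desc))
    return "\n".join(" | ".join(f"{c:<16}" for c in row) for row in rows)
```

Call print(report(SAMPLE_OAS)) to see the table; swap SAMPLE_OAS for json.load(open("example-oas.json")) to run it over a real file.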

  • Generating Parameter Tables - To generate a parameter table for an OAS file, the command is -

cherrybomb param-table --file <PATH> --name <SINGLE PARAM NAME(OPTIONAL)>

Using this command on our 'example-oas.json' file-

cherrybomb param-table --file example-oas.json

[Image: param.png] (Please excuse the poor alignment)

The parameter table has the following columns -

  • Name: The parameter name
  • Type: The structure of the parameter
  • Status Code
  • Delivery Methods: Indicate where the parameter is sent/received
  • Endpoint
  • Parent and Children Columns: Describe the hierarchy of the objects

This feature is really helpful as well, as it breaks down everything in an easy-to-read format.
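As an added illustration (my own Python, not CherryBomb's code), this script derives a table with those same columns from a constructed OpenAPI 3 document, treating request and response body properties as parameters so that the Parent and Children columns get filled in; the sample spec and the delivery-method labels ("request body", "response body") are assumptions.

```python
import json

# Constructed sample spec standing in for the page's example-oas.json.
SAMPLE_OAS = json.loads("""{
  "openapi": "3.0.0",
  "paths": {"/orders": {"post": {
    "parameters": [{"name": "X-Request-Id", "in": "header", "schema": {"type": "string"}}],
    "requestBody": {"content": {"application/json": {"schema": {"type": "object",
      "properties": {"items": {"type": "array", "items": {"type": "object",
        "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}}}},
        "coupon": {"type": "string"}}}}}},
    "responses": {"201": {"content": {"application/json": {"schema": {"type": "object",
      "properties": {"id": {"type": "string"}, "total": {"type": "number"}}}}}}}}}}
}""")
COLS = ("name", "type", "status_code", "delivery", "endpoint", "parent", "children")

def walk_schema(schema, parent, delivery, code, endpoint, rows):
    """Recurse through an object/array schema, emitting one row per property."""
    if schema.get("type") == "array":
        walk_schema(schema.get("items", {}), parent, delivery, code, endpoint, rows)
        return
    for name, sub in schema.get("properties", {}).items():
        inner = sub.get("items", {}) if sub.get("type") == "array" else sub
        rows.append(dict(zip(COLS, (name, sub.get("type", "unknown"), code, delivery, endpoint,
                                    parent, list(inner.get("properties", {}))))))
        walk_schema(sub, name, delivery, code, endpoint, rows)

def param_table(spec, only=None):
    """Return one row per parameter; 'only' filters to a single name like --name does."""
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method in (m for m in ("get", "put", "post", "delete", "patch", "head") if m in item):
            op, endpoint = item[method], f"{method.upper()} {path}"
            for p in op.get("parameters", []):  # query/path/header/cookie parameters
                rows.append(dict(zip(COLS, (p["name"], p.get("schema", {}).get("type", "unknown"),
                                            "", p["in"], endpoint, "", []))))
            for media in op.get("requestBody", {}).get("content", {}).values():
                walk_schema(media.get("schema", {}), "", "request body", "", endpoint, rows)
            for code, resp in op.get("responses", {}).items():
                for media in resp.get("content", {}).values():
                    walk_schema(media.get("schema", {}), "", "response body", code, endpoint, rows)
    return [r for r in rows if only is None or r["name"] == only]

def render(rows):
    lines = [" | ".join(f"{c:<14}" for c in COLS)]
    for r in rows:
        cells = [",".join(r[c]) if c == "children" else str(r[c]) for c in COLS]
        lines.append(" | ".join(f"{c:<14}" for c in cells))
    return "\n".join(lines)
```

print(render(param_table(SAMPLE_OAS))) shows the whole table, and param_table(SAMPLE_OAS, only="qty") mirrors the --name option.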

  • Securing Business Logic -

From BLST's own website, here's how they secure your business logic from attacks - BLST detects API problems in the integration environment in the software development lifecycle process. The automatic security testing solution makes it easy for DevOps and AppSec teams to find business logic anomalies in the API, create API flowmaps and find rogue endpoints. This improves system security and lets teams shift left early in the CI/CD process.

If you thought all that was cool...

Check out the dashboard! (Sign up here)

[Image: dashoard.png]

While executing commands through the terminal is fun, sometimes a simple drag and drop is even better.

BLST's dashboard provides the same features as the CLI with even better visuals and more features!

  • Uploading an OAS file:

[Image: uploadOAS.png]

Simply upload the file you want to check, give it a name, and hit 'upload'. The status can be seen on the homepage of your dashboard, and once the file has been successfully read, you'll get a notification.

[Image: running.png]

And once that's done, if you head over to the OAS and Params sections...

[Image: oasdash.png]

[Image: paramdash.png]

The same result we got from the terminal, but even better looking!

So even if you're not comfortable with running a terminal, you can simply drag the OAS files you want to check into the dashboard, and you'll get the results within seconds.

Another cool feature is the Mapper which helps you better understand how your application's business logic works.

Some of the upcoming features on the BLST dashboard include -

  • Attacker: The Attacker simulates business logic attack flows on your API early in the integration phase using AI/ML. It helps you find business logic attack flows that could lead to the exposure of sensitive data, fraud, and privilege escalation.

  • Decider: The BLST Decider understands the core business logic of the API and is capable of detecting a wide range of threats. The Decider can differentiate between normal and abnormal behavior in the system automatically and provides the ability to observe each abnormal case that has happened, allowing you to be able to remediate easily and quickly.

  • Runtime Validation: BLST uses runtime HTTP logs and compares them to the OpenAPI specification to detect any differences between the specification and what's running in production. This creates a clear image for every use case, suggesting an easy path to quick remediation.

These sound really exciting and I'd love to try them out when they launch.

Overall, I think BLST are doing a great job at helping create secure APIs. Their tools are super easy to use; even a newbie like me could use them. There are some UI issues on the dashboard though, which I hope get fixed soon. If you do like using CherryBomb like I did, head over to their GitHub page and star the repo. It's open source, what could be better than that!

A huge thanks to CommunityClassroom for their weekly-blogging contests which inspired me to write this article, and of course to Kunal Kushwaha whose video on the topic was helpful.

Thanks for reading!