1,666 changes: 1,666 additions & 0 deletions Cargo.lock


5 changes: 3 additions & 2 deletions Cargo.toml
Expand Up @@ -24,11 +24,12 @@ clap = { version = "4.0.29", features = ["derive"] }
const_format = "0.2.30"
serde = { version = "^1.0", features = ["derive"] }
serde_json = "^1.0"
cherrybomb-engine = "^0.1"
cherrybomb-engine = "0.1.1"
serde_yaml = "^0.9.0"
uuid = {version = "1.2.2", features = ["v4"] }
dirs = "4.0.0"
reqwest = "0.11.13"
comfy-table = "6.1.4"
serde_derive = "1.0.152"
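Review bot: The added `serde_derive = "1.0.152"` line is redundant with the `serde = { version = "^1.0", features = ["derive"] }` entry a few lines above it, which already re-exports the same derive macros; carrying both adds a second supply-chain entry to audit for no gain and lets the two versions drift apart. Unless a file in the crate imports `serde_derive` directly (none is visible in this PR), drop the line and keep `use serde::{Deserialize, Serialize};` as config.rs already does.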



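--- a/cherrybomb-engine/Cargo.toml
+++ b/cherrybomb-engine/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "cherrybomb-engine"
-version = "0.1.0"
+version = "0.1.1"
 authors = ["BLST Security"]
 description = """
 Cherrybomb enging crate
@@ -13,7 +13,7 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-cherrybomb-oas = "^0.1"
+cherrybomb-oas = "0.1"
 anyhow = "1.0.66"
 thiserror = "1.0.37"
 serde_json = "^1.0"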
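--- a/cherrybomb-engine/src/config.rs
+++ b/cherrybomb-engine/src/config.rs
@@ -1,7 +1,7 @@
 use clap::{Args, ValueEnum};
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 
-#[derive(Default, ValueEnum, Deserialize, Clone, Debug)]
+#[derive(Default, ValueEnum, Deserialize, Clone, Debug, Serialize)]
 pub enum Profile {
 Info,
 #[default]
@@ -27,7 +27,7 @@ pub struct Config {
 pub no_color: bool,
 }
 
-#[derive(ValueEnum, Deserialize, Clone, Debug, Default, PartialOrd, PartialEq)]
+#[derive(ValueEnum, Deserialize, Clone, Debug, Default, PartialOrd, PartialEq, Serialize, Copy)]
 pub enum Verbosity {
 Quiet,
 #[default]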
31 changes: 21 additions & 10 deletions cherrybomb-engine/src/lib.rs
Expand Up @@ -22,10 +22,12 @@ fn verbose_print(config: &Config, required: Option<Verbosity>, message: &str) {
}

pub async fn run(config: &Config) -> anyhow::Result<Value> {
verbose_print(config, None, "Starting Cherrybomb...");
// receive_parameters(config);

verbose_print(config, Some(config.verbosity), "Starting Cherrybomb...");

// Reading OAS file to string
verbose_print(config, None, "Opening OAS file...");
verbose_print(config, Some(config.verbosity), "Opening OAS file...");
let oas_file = match std::fs::read_to_string(&config.file) {
Ok(file) => file,
Err(e) => {
Expand All @@ -34,7 +36,7 @@ pub async fn run(config: &Config) -> anyhow::Result<Value> {
};

// Parsing OAS file to JSON
verbose_print(config, None, "Parsing OAS file...");
verbose_print(config, Some(config.verbosity), "Parsing OAS file...");
let oas_json: Value = match serde_json::from_str(&oas_file) {
Ok(json) => json,
Err(e) => {
Expand All @@ -43,7 +45,7 @@ pub async fn run(config: &Config) -> anyhow::Result<Value> {
};

// Parsing JSON to OAS struct
verbose_print(config, Some(Verbosity::Debug), "Creating OAS struct...");
verbose_print(config, Some(config.verbosity), "Creating OAS struct...");
let oas: OAS3_1 = match serde_json::from_value(oas_json.clone()) {
Ok(oas) => oas,
Err(e) => {
Expand Down Expand Up @@ -71,7 +73,7 @@ fn run_profile_info(config: &Config, oas: &OAS3_1, oas_json: &Value) -> anyhow::
.collect();

//Creating endpoint
verbose_print(config, None, "Create endpoint list");
verbose_print(config, Some(config.verbosity), "Create endpoint list");
let ep_table = EpTable::new::<OAS3_1>(oas_json);
let endpoint_result: HashMap<&str, Value> = ep_table
.eps
Expand All @@ -96,18 +98,23 @@ async fn run_active_profile(
// Creating active scan struct
verbose_print(
config,
Some(Verbosity::Debug),
Some(config.verbosity),
"Creating active scan struct...",
);
let mut active_scan = match active_scanner::ActiveScan::new(oas.clone(), oas_json.clone()) {
let mut active_scan = match active_scanner::ActiveScan::new(
oas.clone(),
oas_json.clone(),
config.verbosity,
config.ignore_tls_errors,
) {
Ok(scan) => scan,
Err(e) => {
return Err(anyhow::anyhow!("Error creating active scan struct: {}", e));
}
};

// Running active scan
verbose_print(config, None, "Running active scan...");
verbose_print(config, Some(config.verbosity), "Running active scan...");
let temp_auth = Authorization::None;
active_scan
.run(active_scanner::ActiveScanType::Full, &temp_auth)
Expand All @@ -125,7 +132,7 @@ fn run_passive_profile(config: &Config, oas: &OAS3_1, oas_json: &Value) -> anyho
// Creating passive scan struct
verbose_print(
config,
Some(Verbosity::Debug),
Some(config.verbosity),
"Creating passive scan struct...",
);
let mut passive_scan = passive_scanner::PassiveSwaggerScan {
Expand Down Expand Up @@ -174,7 +181,11 @@ async fn run_normal_profile(
Ok(report)
}

async fn run_full_profile(config: &Config, oas: &OAS3_1, oas_json: &Value) -> anyhow::Result<Value> {
async fn run_full_profile(
config: &Config,
oas: &OAS3_1,
oas_json: &Value,
) -> anyhow::Result<Value> {
let mut report = json!({});
let mut results = HashMap::from([
("active", run_active_profile(config, oas, oas_json).await),
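Review bot: Every `verbose_print` call in this file now passes `Some(config.verbosity)` as the required level, in `run`, `run_profile_info`, `run_active_profile` and `run_passive_profile`, which makes the required level always equal to the configured one; if `verbose_print` gates on `required <= config.verbosity` (its body sits above the first hunk, so this is inferred from the signature), these messages then print at every setting including `Quiet`, and the distinction the old code drew between `None` and `Some(Verbosity::Debug)` is lost. Each call should name the level the message belongs to, e.g. `verbose_print(config, Some(Verbosity::Debug), "Creating OAS struct...");` for the struct-building steps and a lower level for the progress lines. The commented-out `// receive_parameters(config);` at the top of `run` is dead code and should be dropped rather than committed. `run` and the other profile functions start or end outside their hunks.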
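--- a/cherrybomb-engine/src/scan/active/active_scanner.rs
+++ b/cherrybomb-engine/src/scan/active/active_scanner.rs
@@ -1,5 +1,6 @@
 use super::http_client::logs::AttackLog;
 use super::http_client::*;
+use crate::config::Verbosity;
 use crate::scan::active::http_client::auth::Authorization;
 use crate::scan::active::utils::send_req;
 use crate::scan::checks::*;
@@ -60,26 +61,33 @@ where
 {
 pub oas: T,
 pub oas_value: Value,
-pub verbosity: u8,
+pub verbosity: Verbosity,
 pub checks: Vec<ActiveChecks>,
 pub payloads: Vec<OASMap>,
 pub logs: AttackLog,
 pub path_params: HashMap<String, String>,
+pub ignore_tls_error: bool,
 }
 
 impl<T: OAS + Serialize + for<'de> Deserialize<'de>> ActiveScan<T> {
-pub fn new(oas: T, oas_value: Value) -> Result<Self, &'static str> {
+pub fn new(
+oas: T,
+oas_value: Value,
+verbosity: Verbosity,
+ignore_tls_error: bool,
+) -> Result<Self, &'static str> {
 let path_params: HashMap<String, String> = HashMap::new();
 // let path_params = Self::create_hash(&auth_p);
 let payloads = Self::payloads_generator(&oas, &oas_value);
 Ok(ActiveScan {
 oas,
 oas_value,
 checks: vec![],
-verbosity: 0,
+verbosity: verbosity,
 payloads,
 logs: AttackLog::default(),
 path_params,
+ignore_tls_error: ignore_tls_error,
 })
 }
 
@@ -109,7 +117,6 @@ impl<T: OAS + Serialize + for<'de> Deserialize<'de>> ActiveScan<T> {
 };
 }
 
-
 fn payloads_generator(oas: &T, oas_value: &Value) -> Vec<OASMap> {
 let mut payloads = vec![];
 for (path, path_item) in oas.get_paths() {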
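Review bot: `verbosity: verbosity,` and `ignore_tls_error: ignore_tls_error,` in `ActiveScan::new` are redundant field initialisers that clippy flags (`redundant_field_names`); write them as `verbosity,` and `ignore_tls_error,`. The new public field `ignore_tls_error` is undocumented and its name differs from the `ignore_tls_errors` config field it is fed from in lib.rs, which invites a mix-up as more flags are threaded through; assuming it does what its name says (the HTTP client change is not in this section), a doc comment such as `/// When true, TLS certificate errors on scanned servers do not fail the request; results gathered with this set should be marked as such in the report.` would make the intent visible at the type. The stale `// let path_params = Self::create_hash(&auth_p);` comment should go while the constructor is being rewritten anyway.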
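--- a/cherrybomb-engine/src/scan/active/additional_checks.rs
+++ b/cherrybomb-engine/src/scan/active/additional_checks.rs
@@ -53,12 +53,11 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(h.clone())
 .build();
 
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
-ret_val
-.1
-.push(&req, &response, "Testing SQLIcarg".to_string());
+ret_val.1.push(&req, &response, "Testing SQLI".to_string());
 ret_val.0.push((
 ResponseData {
 location: path.to_string(),
@@ -223,7 +222,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .method(method)
 .headers(h.clone())
 .build();
-let response_vector = req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val
 .1
@@ -289,8 +290,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .auth(auth.clone())
 .headers(vec![h])
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(
 &req,
@@ -360,8 +362,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(vec![])
 .auth(auth.clone())
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(&req, &response, "Testing SSRF".to_string());
 ret_val.0.push((
@@ -433,9 +436,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 )
 .build();
 
-print!("POST SSRF : ");
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(&req, &response, "Testing SSRF".to_string());
 ret_val.0.push((
@@ -485,11 +488,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .auth(auth.clone())
 .payload(&oas_map.payload.payload.to_string())
 .build();
-let _response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
-print!("POST SSRF : ");
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(&req, &response, "Testing SSRF".to_string());
 ret_val.0.push((
@@ -547,8 +548,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(vec![])
 .auth(auth.clone())
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 // dbg!(&response_vector);
 for response in response_vector {
 ret_val.1.push(
@@ -598,8 +600,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(vec![])
 .auth(auth.clone())
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(
 &req,
@@ -669,8 +672,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .to_string(),
 )
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val.1.push(
 &req,
@@ -731,8 +735,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .to_string(),
 )
 .build();
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val
 .1
@@ -802,7 +807,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .method(Method::GET)
 .headers(vec![])
 .build();
-let response_vector = req.send_request(self.verbosity > 0).await;
+let response_vector = req
+.send_request(self.verbosity, self.ignore_tls_error)
+.await;
 if let Ok(res) = response_vector {
 //logging
 //logging request/response/description
@@ -877,8 +884,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .parameters(vec_param.clone())
 .build();
 
-let response_vector =
-req.send_request(self.verbosity > 0).await;
+let response_vector = req
+.send_request(self.verbosity, self.ignore_tls_error)
+.await;
 if let Ok(res) = response_vector {
 //logging request/response/description
 ret_val.1.push(&req, &res, "Testing for BOLA".to_string());
@@ -915,7 +923,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(vec![])
 .auth(auth.clone())
 .build();
-let response_vector = req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for (response, server) in response_vector.iter().zip(req.servers.iter()) {
 ret_val.1.push(&req, response, "Testing SSL".to_string());
 ret_val.0.push((
@@ -958,8 +968,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .payload(&oas_map.payload.payload.to_string())
 .build();
 
-let response_vector =
-req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 ret_val
 .1
@@ -999,7 +1010,9 @@ impl<T: OAS + Serialize> ActiveScan<T> {
 .headers(vec![])
 .parameters(vec_param.clone())
 .build();
-let response_vector = req.send_request_all_servers(self.verbosity > 0).await;
+let response_vector = req
+.send_request_all_servers(self.verbosity, self.ignore_tls_error)
+.await;
 for response in response_vector {
 //logging request/response/description
 ret_val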
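Review bot: The three-line `req.send_request_all_servers(self.verbosity, self.ignore_tls_error).await` expression is now repeated at thirteen call sites in this file, with `send_request(self.verbosity, self.ignore_tls_error)` at two more, each threading the same two fields of `self`; a small method on `ActiveScan`, along the lines of `async fn send_all(&self, req: &Request) -> Vec<Response>` that forwards `self.verbosity` and `self.ignore_tls_error`, would keep the next flag from needing another fifteen-site edit (the concrete request and response types are not visible here, so that signature is indicative). A behavioural point in the hunk that logs `"Testing SSL"`: that request is also sent with `self.ignore_tls_error`, so when the flag is on a server with an invalid certificate may still answer and the check can report a TLS result the scan itself chose not to enforce; either force strict verification for that one request or record the flag in the report so the finding is read in context. Every hunk's enclosing method starts and ends outside the hunk.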