Merge pull request #155 from jayvdb/fix-spelling
Fix typos
GuyL99 authored Oct 16, 2024
2 parents c64a1c4 + d4e3723 commit a880e8e
Showing 9 changed files with 38 additions and 38 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -50,7 +50,7 @@ The script requires sudo permissions to move the cherrybomb bin into <b>/usr/loc
(If you want to view the shell script(or even help to improving it - [/scripts/install.sh](/scripts/install.sh))

##### Containerized version
You can get Cherrybomb through its containerized version which is hosted on AWS ECR, and requires an API key that you can get on that addess(the loading is a bit slow) - [https://cicd.blstsecurity.com/](https://cicd.blstsecurity.com/)
You can get Cherrybomb through its containerized version which is hosted on AWS ECR, and requires an API key that you can get on that address(the loading is a bit slow) - [https://cicd.blstsecurity.com/](https://cicd.blstsecurity.com/)

```
docker run --mount type=bind,source=[PATH TO OAS],destination=/home public.ecr.aws/blst-security/cherrybomb:latest cherrybomb -f /home/[OAS NAME] --api-key=[API-KEY]
2 changes: 1 addition & 1 deletion cherrybomb-engine/src/lib.rs
Expand Up @@ -58,7 +58,7 @@ pub async fn run(config: &mut Config) -> anyhow::Result<Value> {
};
(oas,oas_json)
}else {
return Err(anyhow!("Misconfigured file extention"));
return Err(anyhow!("Misconfigured file extension"));
};
match config.profile {
config::Profile::Info => run_profile_info(&config, &oas, &oas_json),
2 changes: 1 addition & 1 deletion cherrybomb-engine/src/scan/active/active_scanner.rs
Expand Up @@ -50,7 +50,7 @@ pub struct OASMap {
pub struct ResponseData {
pub(crate) location: String,
pub(crate) alert_text: String,
pub(crate) serverity: Level,
pub(crate) severity: Level,
}

#[derive(Debug, Clone, Serialize, Default, PartialEq)]
38 changes: 19 additions & 19 deletions cherrybomb-engine/src/scan/active/additional_checks.rs
Expand Up @@ -66,7 +66,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The parameter {} seems to be vulenrable to sqli on the endpoint {:?}",
i.inner(&self.oas_value).name, path
),
serverity: Level::High,
severity: Level::High,
},
response,
));
Expand Down Expand Up @@ -134,10 +134,10 @@ impl<T: OAS + Serialize> ActiveScan<T> {
);
}
if !vec_param.is_empty() {
//chek if there is a relevent parameter
//check if there is a relevant parameter
for param in &vec_param {
///TODO check how it is possible to insert the different params
// if ther is more than one vuln parameter
// TODO check how it is possible to insert the different params
// if there is more than one vuln parameter
for payload in &vec_payload {
//check all the SQLI payload
let req = AttackRequest::builder()
Expand Down Expand Up @@ -172,7 +172,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The endpoint {} seems to be vulnerable to SQLI with paramteter {:?}",
&oas_map.path.path.clone(),payload
),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -232,7 +232,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
ResponseData {
location: path.to_string(),
alert_text: format!("The endpoint seems to be not secure {:?}, with the method : {method} ", &path ),
serverity: Level::High,
severity: Level::High,
},
response,
));
Expand Down Expand Up @@ -305,7 +305,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
oas_map.path.path.clone(),
i
),
serverity: Level::Low,
severity: Level::Low,
},
response,
));
Expand Down Expand Up @@ -370,7 +370,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
alert_text: format!(
"The endpoint {path} seems to be vulnerable to SSRF"
),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -445,7 +445,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The endpoint {} seems to be vulnerable to SSRF",
&oas_map.path.path.clone()
),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -499,7 +499,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The endpoint {} seems to be vulnerable to SSRF",
&oas_map.path.path.clone()
),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -562,7 +562,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
alert_text: format!(
"The {} parameter in the {} endpoint seems to be vulnerable to parameter pollution"
, vec_param.last().unwrap().name, path),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -611,7 +611,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
location: path.clone(),
alert_text: format!(
"The parameter {param_to_redirect} seems to be vulnerable to open-redirect, location: {path}" ),
serverity: Level::Medium,
severity: Level::Medium,
},
response,
));
Expand Down Expand Up @@ -683,7 +683,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
alert_text: format!(
"The 25,888 length limit for {json_path:?} is not enforced by the server"
),
serverity: Level::Low,
severity: Level::Low,
},
response,
));
Expand Down Expand Up @@ -744,7 +744,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The {} for {json_path:?} is not enforced by the server",
val.0,
),
serverity: Level::Low,
severity: Level::Low,
},
response,
));
Expand Down Expand Up @@ -815,7 +815,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
ResponseData{
location: path.clone(),
alert_text: format!("The parameter {:?} seems to be vulnerable to BOLA, location: {path}.", i.inner(&self.oas_value).name),
serverity: Level::High,
severity: Level::High,
},
res.clone(),
));
Expand Down Expand Up @@ -888,7 +888,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
alert_text: format!(
"The endpoint {path} seems to broken in context of authorization with parameter {var_int:?}."
),
serverity: Level::Medium,
severity: Level::Medium,
},
res.clone(),
));
Expand Down Expand Up @@ -925,7 +925,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
"The server does not seem to be using SSL, status code: {}",
response.status
),
serverity: Level::Medium,
severity: Level::Medium,
},
response.clone(),
));
Expand Down Expand Up @@ -968,7 +968,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
ResponseData {
location: oas_map.path.path.to_string(),
alert_text: format!("The endpoint seems to be not secure {:?}, with the method : {m} ", &oas_map.path.path),
serverity: Level::High,
severity: Level::High,
},
response,
));
Expand Down Expand Up @@ -1010,7 +1010,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
ResponseData{
location: path.to_string(),
alert_text: format!("The endpoint seems to be not secure {path:?}, with the method : {m}"),
serverity: Level::High,
severity: Level::High,
},
response,
));
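Review bot: Two typos in user-facing alert text survive this typo pass in additional_checks.rs: the first hunk's context line `"The parameter {} seems to be vulenrable to sqli on the endpoint {:?}"` and the third hunk's `"The endpoint {} seems to be vulnerable to SQLI with paramteter {:?}"`; the BFLA hunk further down also reads `seems to broken in context of authorization`, missing "be". These strings are emitted as `alert_text` and land in the scan report, so they are worth fixing alongside the comment typos: `vulnerable`, `parameter`, `seems to be broken`. The enclosing `impl<T: OAS + Serialize> ActiveScan<T>` block and each of the affected methods start and end outside these hunks.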
6 changes: 3 additions & 3 deletions cherrybomb-engine/src/scan/active/response_checks.rs
Expand Up @@ -11,7 +11,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
for (res_data, response) in check_ret.0.into_iter() {
if (200..300u16).contains(&response.status) {
ret_val.push(Alert::with_certainty(
res_data.serverity,
res_data.severity,
res_data.alert_text,
res_data.location,
Certainty::Low,
Expand All @@ -26,7 +26,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
for (res_data, response) in check_ret.0.into_iter() {
if (300..310).contains(&response.status) {
ret_val.push(Alert::with_certainty(
res_data.serverity,
res_data.severity,
res_data.alert_text,
res_data.location,
Certainty::Certain,
Expand All @@ -46,7 +46,7 @@ impl<T: OAS + Serialize> ActiveScan<T> {
for polluted in &check_ret_param.1 {
if (200..300u16).contains(&response.status) && response.payload.contains(polluted) {
ret_val.push(Alert::with_certainty(
res_data.serverity.clone(),
res_data.severity.clone(),
res_data.alert_text.to_string(),
res_data.location.to_string(),
Certainty::Certain,
14 changes: 7 additions & 7 deletions cherrybomb-engine/src/scan/passive/additions_checks.rs
Expand Up @@ -37,7 +37,7 @@ impl<T: OAS + Serialize> PassiveSwaggerScan<T> {
}

pub fn check_int_type(&self) -> Vec<Alert> {
// this function check the get paramter schema all component and response and request body that does not use component
// this function check the get parameter schema all component and response and request body that does not use component
// The purpose of the check is to ensure that the type number correspond to integer format and type number has a float format
let mut hashset_compo_name: HashSet<String> = HashSet::new();

Expand All @@ -52,9 +52,9 @@ impl<T: OAS + Serialize> PassiveSwaggerScan<T> {
//dive into schema
let _name = format!("#/components/schemas/{key}"); // building the whole components value
hashset_compo_name.insert(key.to_string()); // insert the key of the schema into hashset
if let Some(propert) = value.inner(&self.swagger_value).properties {
if let Some(property) = value.inner(&self.swagger_value).properties {
//if there is properties
for (key, schemaref) in propert {
for (key, schemaref) in property {
if let Some(format_value) = schemaref.inner(&self.swagger_value).format {
if format_value.eq("int32") || format_value.eq("int64") {
// check if the format is int32 or int64
Expand Down Expand Up @@ -120,10 +120,10 @@ impl<T: OAS + Serialize> PassiveSwaggerScan<T> {
SchemaRef::Ref(_) => (),

SchemaRef::Schema(_) => {
if let Some(propertie) =
if let Some(properties) =
schema.inner(&self.swagger_value).properties
{
for (_key, schema_ref) in propertie {
for (_key, schema_ref) in properties {
self.check_schema(
schema_ref,
&mut alerts,
Expand All @@ -145,10 +145,10 @@ impl<T: OAS + Serialize> PassiveSwaggerScan<T> {
match &schema {
SchemaRef::Ref(_) => (),
SchemaRef::Schema(_) => {
if let Some(propertie) =
if let Some(properties) =
schema.inner(&self.swagger_value).properties
{
for (_key, schema_ref) in propertie {
for (_key, schema_ref) in properties {
self.check_schema(
schema_ref,
&mut alerts,
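Review bot: The header comment of `check_int_type` in the first hunk is still ungrammatical after "parameter" is corrected (`// this function check the get parameter schema all component and response and request body that does not use component`), and the following line has the same problem (`the type number correspond to integer format`). Suggest rewording the two lines as `// Checks the parameter schemas of every component, and of the request/response bodies that do not use a component.` and `// The purpose is to ensure that type "number" corresponds to an integer format or has a float format.` The body of `check_int_type` continues past the hunk.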
4 changes: 2 additions & 2 deletions cherrybomb-engine/src/scan/passive/auth.rs
Expand Up @@ -12,7 +12,7 @@ pub trait PassiveAuthScan {
fn check_fn_auth(&self) -> Vec<Alert>;
}
impl<T: OAS + Serialize> PassiveAuthScan for PassiveSwaggerScan<T> {
///Rule fucntion
///Rule function
fn check_401(&self) -> Vec<Alert> {
let mut alerts = vec![];
for (path, method, p_sec, resps) in get_path_responses(&self.swagger) {
Expand All @@ -39,7 +39,7 @@ impl<T: OAS + Serialize> PassiveAuthScan for PassiveSwaggerScan<T> {
}
alerts
}
//Checks for auth existance and type and alerts if non existant or basic
//Checks for auth existence and type and alerts if non existent or basic
fn check_auth(&self) -> Vec<Alert> {
let mut alerts = vec![];
if let Some(sec_schemes) = get_auth(&self.swagger) {
6 changes: 3 additions & 3 deletions cherrybomb-engine/src/scan/passive/general.rs
Expand Up @@ -10,14 +10,14 @@ pub trait PassiveGeneralScan {
fn check_successes(&self) -> Vec<Alert>;
fn check_default_response(&self) -> Vec<Alert>;
fn check_response_body_schema(&self) -> Vec<Alert>;
fn example_inconsistant_schema(&self) -> Vec<Alert>;
fn example_inconsistent_schema(&self) -> Vec<Alert>;
fn check_default_type(&self) -> Vec<Alert>;
fn check_enum_type(&self) -> Vec<Alert>;
fn check_required_undefined(&self) -> Vec<Alert>;
fn check_unused_schema(&self) -> Vec<Alert>;
}

///Rule fucntions implementation
///Rule functions implementation
impl<T: OAS + Serialize> PassiveGeneralScan for PassiveSwaggerScan<T> {
///Can raise no https alert and invalid url in server alert
fn check_server_url(&self) -> Vec<Alert> {
Expand Down Expand Up @@ -114,7 +114,7 @@ impl<T: OAS + Serialize> PassiveGeneralScan for PassiveSwaggerScan<T> {
}
alerts
}
fn example_inconsistant_schema(&self) -> Vec<Alert> {
fn example_inconsistent_schema(&self) -> Vec<Alert> {
vec![]
}
fn check_default_type(&self) -> Vec<Alert> {
2 changes: 1 addition & 1 deletion cherrybomb-oas/src/legacy/legacy_oas.rs
Expand Up @@ -50,7 +50,7 @@ pub type Callback = HashMap<String, HashMap<String, PathItem>>;
pub type Content = HashMap<String, MediaType>;
pub type Examples = HashMap<String, Example>;
pub type EncodingMap = HashMap<String, Encoding>;
//Practicaly Any
//Practically Any
//type Schema = Value;
pub type HeaderMap = HashMap<String, HeaderRef>;
pub type Responses = HashMap<String, ResponseRef>;
