A few weeks ago, I contributed to Cherrybomb (an open-source project written in Rust) on behalf of my company.
I admit that Rust is not very common, and without a strong background in Rust, I doubted whether it was possible for me to do it.
In this story, I will share my first thoughts about this programming language and explain a little about its API specification checks.
Introduction to Cherrybomb
According to BLST, Cherrybomb is an open-source tool dedicated to finding anomalies in your API.
"CLI tool that helps you avoid undefined user behavior by validating your API specifications."
The product is designed to address business logic flaws in modern APIs.
Since 2021, Broken Access Control has ranked first in the OWASP Top 10.
A bad access control list can cause serious problems for your business.
SWAGGER
Swagger, today called the OpenAPI Specification (OAS), defines a standard, language-agnostic interface to RESTful APIs which allows both humans and computers to discover and understand the capabilities of a service without access to its source code or documentation, and without inspecting network traffic.
BLST Security still chooses to call this feature SWAGGER.
The Swagger feature is designed to take an OAS file as input and parse it in order to check for security anomalies.
I wrote an article about OAS for pentesters; you can check it out.
A Few Words about Rust
Honestly, I had no experience with this programming language before my contribution, and Rust is very different from the other languages I have learned so far.
But I believe that Rust is a good programming language. It has a strong focus on safety and security, which is important in today's world.
There are many things that make Rust special, but one of the most notable is performance, and don't forget its unique ownership/borrowing system. These features make it an excellent choice for systems programming, and it is quickly gaining popularity in the wider programming community.
Additionally, it has a very active and supportive community.
For further information, I suggest checking out the Rust Book.
My Contribution
In order to contribute, you first need to understand the OAS structure.
Then check this manual to begin contributing.
My contribution was to verify CRUD permissions against the given OAS:
- GET has to have read-only permission
- POST has read and write permission
- PUT has write-only permission
The following code describes the GET permission check:
fn get_check(security: &Option<Vec<Security>>, path: &str) -> Vec<Alert> {
    let mut alerts = vec![];
    // Only operations that declare a security requirement are checked;
    // a missing security block produces no alert.
    if let Some(requirements) = security {
        for requirement in requirements {
            // Flatten the scopes of every security scheme in this requirement object.
            let scopes = requirement.values().cloned().flatten().collect::<Vec<String>>();
            for scope in scopes {
                // Any scope that is not a read scope is flagged for a GET operation.
                if !scope.starts_with("read") {
                    alerts.push(Alert::new(
                        Level::Medium,
                        "Request GET has to be only read permission",
                        format!("swagger path:{} method:{}", path, Method::GET),
                    ));
                }
            }
        }
    }
    alerts
}
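To show how the three CRUD rules above fit together, here is an added, self-contained example that is not Cherrybomb's code. It generalises the GET check to GET, POST and PUT with one function driven by a table of allowed scope prefixes. The `Security` alias (scheme name to scopes, the shape of an OAS security requirement object such as `security: [{ "petstore_auth": ["read:pets"] }]`), the `Alert`, `Level` and `Method` types, the `requirement` helper and the sample input are all assumptions constructed for this example; the reading of "POST has read and write permission" as "any read or write scope is acceptable for POST" is also mine.

```rust
use std::collections::HashMap;
use std::fmt;

// Assumed shape of an OAS security requirement object: scheme name -> scopes.
// These types are constructed for the example, not Cherrybomb's own definitions.
type Security = HashMap<String, Vec<String>>;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Level {
    Medium,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum Method {
    Get,
    Post,
    Put,
}

impl fmt::Display for Method {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(match self {
            Method::Get => "GET",
            Method::Post => "POST",
            Method::Put => "PUT",
        })
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct Alert {
    level: Level,
    description: String,
    location: String,
}

impl Alert {
    fn new(level: Level, description: &str, location: String) -> Self {
        Alert { level, description: description.to_string(), location }
    }
}

/// Scope prefixes each method may require: GET read-only, POST read or write, PUT write-only.
fn allowed_prefixes(method: Method) -> &'static [&'static str] {
    match method {
        Method::Get => &["read"],
        Method::Post => &["read", "write"],
        Method::Put => &["write"],
    }
}

/// One alert per scope that falls outside the method's allowed prefixes.
/// A missing `security` block yields no alert, matching the article's get_check;
/// an operation with no declared security at all is a separate finding.
fn crud_check(security: &Option<Vec<Security>>, path: &str, method: Method) -> Vec<Alert> {
    let mut alerts = vec![];
    let allowed = allowed_prefixes(method);
    if let Some(requirements) = security {
        // Flatten every scope of every scheme in every requirement object.
        let scopes = requirements.iter().flat_map(|req| req.values()).flatten();
        for scope in scopes {
            if !allowed.iter().any(|p| scope.starts_with(*p)) {
                alerts.push(Alert::new(
                    Level::Medium,
                    &format!("Request {} allows only {} scopes", method, allowed.join("/")),
                    format!("swagger path:{} method:{} scope:{}", path, method, scope),
                ));
            }
        }
    }
    alerts
}

/// Builds a single-scheme security requirement (constructed test input).
fn requirement(scheme: &str, scopes: &[&str]) -> Security {
    let mut m = HashMap::new();
    m.insert(scheme.to_string(), scopes.iter().map(|s| s.to_string()).collect());
    m
}

fn main() {
    // Constructed sample: a GET that also asks for a write scope (flagged),
    // a compliant POST, and a PUT that asks for a read scope (flagged).
    let rw = Some(vec![requirement("petstore_auth", &["read:pets", "write:pets"])]);
    let ro = Some(vec![requirement("petstore_auth", &["read:pets"])]);
    let findings = crud_check(&rw, "/pets", Method::Get)
        .into_iter()
        .chain(crud_check(&rw, "/pets", Method::Post))
        .chain(crud_check(&ro, "/pets/{id}", Method::Put));
    for a in findings {
        println!("{:?} {} ({})", a.level, a.description, a.location);
    }
}
```

Keeping the rules in `allowed_prefixes` rather than in three copies of the loop means adding DELETE or PATCH later is a one-line change, and the scope that triggered the alert is recorded in the location so the finding can be traced back to the exact OAS entry.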
I agree, the syntax is very different from other common programming languages, but time does its job.
So that's all. The function seems easy, but for a non-Rustacean, it was not easy.
If you have some knowledge of Rust, don't hesitate to contribute.
Cheers 🥂
Top comments (2)
I'm struggling to find the connection between the post title and its content :D
That is a click-baity headline especially given that you’re basing your whole article on one lone experience