API Security with Cherrybomb

API Security with Cherrybomb

Before getting into the security aspect of APIs, let's talk about what they are, and why are we talking about that?

What are APIs?

An API is the messenger that takes requests and tells a system what you want to do, and then returns the response back to you. Think of it like a waiter in a Hotel, He/She receives the requests from you, gets back into the kitchen section and then brings the dish for you post cooking. One of the visuals will help you understand better about the role of APIs.

apis.jpg

Why APIs matter?

APIs are everywhere. APIs are the engine under the hood because of which we are living in a connected world.

Swagger and OpenAPI ( Where's the confustion?)

The API specification was developed by a company called smartbear and later it was donated to openAPI which comes under the umbrella of Linux Foundation. openAPI is a standard that defines how we define our APIs. Since, this is a standard of defining APIs, we have many tools built around it. Swagger editor is one of the tool that we will be checking out later in the blog. So to summarize swagger is a tool and openAPI is the specification

Why openAPI specification?

One of the question that you might be having in your head is that why one would use openAPI specification and why not directly develop the API? It's language agnostic, so it's easier for anyone to get familiar with the API without any barrier of having knowledge about a language. There are many tools around openAPI spec, so you can leverage that to develop your APIs pretty fast. You can use tools for document generation, testing and validating your APIs. With openAPI we can develop a prototype of the API before implementing it and that's useful in order to get feedback on the API that we are going to build.


Take a break, We have covered the basics of APIs, and now we are entering into the zone where we will talk about the security aspect of APIs.

API security

Introduction to CherryBomb

Just like we have many tools out there that simplifies the generation of YAML manifests when it comes to kubernetes. Similarly, We have a bunch of tools that simplifies the genration, testing and documentation of APIs. Cherrybomb is one of the tool that is developed by BLST security.

Lab Section

  • In this, I will be writing a openAPI spec for the books API. We can fetch the book details with the API and simultaneously.
openapi: 3.0.1
info: 
  title: Books API
  description: A simple API which gives you info related to books  
  version: 1.0.1
  contact:
    name: library
    url: demo-example.com 
servers:
  - url: https://booksapi.com
paths:
  /book:
    description: Book Resource 
    get: 
      description: Opeartion to fetch Book details
      parameters:
        - in: query 
          name: bookName
          required: true
          schema:
            type: string 
            example: Jake 
      responses:
        200:
          description: success response 
          content: 
            application/json: 
              schema:
                $ref: '#/components/schemas/books'

    post:
      description: Add a new book 
      requestBody:
        content:
          application/json: 
            schema:
              $ref: '#/components/schemas/book'
      responses: 
        201:
            description: record successfully added 
  /book{id}:
    description: get student based on path parameter 
    get:
      parameters: 
        - in: path
          name: id
          required: true 
          schema:
            type: integer 
      responses:
        200: 
          description: successful response with path Parameter 
          content: 
            application/json: 
              schema: 
                type: object 
                properties: 
                    studentID: 
                      type: integer 
                      example: 3 
                    studentName: 
                      type: string 
                      example: David 
                    studentRemarks:
                      type: string 
                      example: High Grade student

components: 
  schemas: 
    book: 
      type: object 
      properties: 
        studentID: 
          type: integer 
          example: 3 
        studentName: 
          type: string 
          example: David 
        studentRemarks:
          type: string 
          example: High Grade student
    books: 
      type: object 
      properties: 
        studentID: 
          type: integer 
          example: 3 
        studentName: 
          type: string 
          example: David 
        studentRemarks:
          type: string 
          example: High Grade student
  • If you'll look at the swagger editor, then the API will look something like this.

Screenshot from 2022-06-19 11-36-57.png

  • Now, we have written one sample API. It's time to test the same with cherrybomb.
  • First we will test the API with the CLI, then we will use the GUI.

Install cherrybomb & verify the installation

curl https://cherrybomb.blstsecurity.com/install | /bin/bash
cherrybomb --version

After finishing the installation, let's try out cherrybomb. Write your openAPI spec in your system and recall the path of the file.

Execute the following command

cherrybomb oas --file <path-to-your-file>

Screenshot from 2022-06-19 11-52-18.png

You will notice that cherrybomb gives you the result of your API spec based on several parameters. You can use this and improve your API spec before implementation of the API.

Furthermore, you can have a look at the endpoints of your API spec using the command

cherrybomb ep-table --file <path-to-your-file>

Screenshot from 2022-06-19 11-57-01.png

Cherrybomb works perfect on the CLI, but one problem I faced is because of my hardware. If you using a small screen laptop like me then you have to adjust the size again and again and it can be frustrating at times. If you've large screen then it will work perfect.

One possible solution for this is to use the web UI that is provided by BLST security. Let's explore that.

You first need to signup here After signing up, you will see the dashboard and here you need to upload your openAPI spec file.

blst1.png

After uploading, you will see that the actions are running in the background and your results will be visible to you in the UI soon.

Screenshot from 2022-06-19 12-13-42.png

You can visualize all the endpoints, and for me, it's better than the CLI.

Screenshot from 2022-06-19 12-18-43.png

You can look at the summary of your API spec under the summary tab.

Screenshot from 2022-06-19 12-22-40.png

There are several parameters on which you can evaluate your API spec in the browser UI, and it looks great. You can query your API on a number of parameters.

Screenshot from 2022-06-19 12-23-29.png

Thank you for Reading. Please reach out if you want to suggest any improvement.

Reference