blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
https://www.blstsecurity.com/cherrybomb
Apache License 2.0

Authentication is not sent #109

Open DeliciousBounty opened 1 year ago

DeliciousBounty commented 1 year ago

The active checks send requests without authentication, so several active checks fail. To check: insert the macro dbg!(&auth) in any active request and you will notice that the auth is "None".

Steps to locate the error:

  1. go to cherrybomb engine -> lib.rs -> run_active_profile()
  2. scroll down to line 111.
  3. see that authorization is None
  4. I replaced it with the following code and the auth is sent through all requests.

```rust
let auth = config.security.get(0).unwrap().auth_value.to_string();
let a = Authorization::from_parts("1", auth);
active_scan
    .run(active_scanner::ActiveScanType::Full, &a)
    .await;
```

!!! My code is not for production but just to understand where the bug occurs. I fixed the from_parts() function in the branch reformat_test. We can discuss it.

Additional context: The function from_parts() in "auth.rs" seems to use the old model of authentication and should be modified separately if there is a dedicated function.

@RazMag
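The failure mode in this issue, an `Option` credential that is silently `None` so every active check runs anonymously, is easy to guard against with a fail-fast resolution step. The following is an added example written for this page, not cherrybomb's own code: it models the buggy header assembly next to a `resolve_auth` check that refuses to start a scan when the spec declares a security scheme but no credential value was supplied. All names in it (`Authorization`, `SecurityScheme`, `ScanConfig`, `ScanError`, `build_headers`, `resolve_auth`) are hypothetical, and its `from_parts` only mirrors the `(scheme, value)` shape mentioned above.

```rust
// Added example (not cherrybomb's own code): a minimal model of the bug described in
// this issue. `build_headers` shows how an `Option<Authorization>` that is `None`
// silently produces an unauthenticated request, and `resolve_auth` is the fail-fast
// check that refuses to start an active scan when the spec declares a security scheme
// but no credential value was supplied. All names here are hypothetical.

#[derive(Debug, Clone, PartialEq)]
pub enum Authorization {
    /// Sent as `Authorization: Bearer <token>`.
    Bearer(String),
    /// Arbitrary header name/value pair, e.g. an API-key header.
    Header(String, String),
}

impl Authorization {
    /// Build a credential from a scheme name and its raw value; this mirrors the
    /// `from_parts(scheme, value)` shape mentioned in the issue, but is a hypothetical
    /// re-implementation, not cherrybomb's `auth.rs`.
    pub fn from_parts(scheme: &str, value: &str) -> Option<Authorization> {
        match scheme.to_ascii_lowercase().as_str() {
            "bearer" | "http" => Some(Authorization::Bearer(value.to_string())),
            "apikey" => Some(Authorization::Header("X-API-Key".to_string(), value.to_string())),
            _ => None,
        }
    }

    /// The header this credential contributes to an outgoing request.
    pub fn header(&self) -> (String, String) {
        match self {
            Authorization::Bearer(t) => ("Authorization".to_string(), format!("Bearer {}", t)),
            Authorization::Header(name, value) => (name.clone(), value.clone()),
        }
    }
}

/// One entry of the spec's security requirements plus the value the user supplied.
pub struct SecurityScheme {
    pub scheme: String,
    pub auth_value: String,
}

pub struct ScanConfig {
    pub security: Vec<SecurityScheme>,
}

#[derive(Debug, PartialEq)]
pub enum ScanError {
    /// The spec declares a scheme but no credential value was given.
    MissingCredential(String),
    /// The scheme name is not one `from_parts` knows how to encode.
    UnsupportedScheme(String),
}

/// Header assembly as in the buggy path: an absent credential is simply skipped, so
/// every check that hits a protected endpoint runs anonymously and reports a failure.
pub fn build_headers(auth: Option<&Authorization>) -> Vec<(String, String)> {
    let mut headers = vec![("Accept".to_string(), "application/json".to_string())];
    if let Some(a) = auth {
        headers.push(a.header());
    }
    headers
}

/// True when the request would carry a credential header.
pub fn has_auth_header(headers: &[(String, String)]) -> bool {
    headers.iter().any(|(name, _)| {
        name.eq_ignore_ascii_case("authorization") || name.eq_ignore_ascii_case("x-api-key")
    })
}

/// Fail-fast resolution: `Ok(None)` only when the spec declares no security at all;
/// a declared scheme with an empty value is an error rather than a silent `None`.
pub fn resolve_auth(config: &ScanConfig) -> Result<Option<Authorization>, ScanError> {
    match config.security.first() {
        None => Ok(None),
        Some(s) if s.auth_value.trim().is_empty() => {
            Err(ScanError::MissingCredential(s.scheme.clone()))
        }
        Some(s) => Authorization::from_parts(&s.scheme, &s.auth_value)
            .map(Some)
            .ok_or_else(|| ScanError::UnsupportedScheme(s.scheme.clone())),
    }
}

fn main() {
    // Constructed sample config: a bearer scheme with a placeholder token.
    let config = ScanConfig {
        security: vec![SecurityScheme {
            scheme: "bearer".to_string(),
            auth_value: "PLACEHOLDER_TOKEN".to_string(),
        }],
    };
    match resolve_auth(&config) {
        Ok(auth) => println!("headers: {:?}", build_headers(auth.as_ref())),
        Err(e) => eprintln!("refusing to start active scan: {:?}", e),
    }
}
```

The design point is that `resolve_auth` distinguishes "the spec declares no security" (anonymous requests are expected) from "a scheme is declared but its value is missing" (the scan must not start), so a missing credential surfaces as an error at startup instead of as a wall of failed checks.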