Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
@RazMag During writing an active scan, I encountered strange behavior.

Description
The code does not parse every path in the OAS file.

To Reproduce
Steps to reproduce the behavior:
1. Set the OAS file with this file: petstore.txt
2. Rename it with `.json`
3. Go to `/swagger/sca/src/active/additional_checks.rs`
4. Add this function:

```rust
pub async fn check_idors(&self, auth: &Authorization) -> CheckRetVal {
    //// reformat get with path parameter
    let mut ret_val = CheckRetVal::default();
    for oas_map in self.payloads.iter() {
        for (json_path, schema) in &oas_map.payload.map {
            // print the OAS path this payload entry belongs to
            println!("PATH: {}", oas_map.path.path);
            let url;
            if let Some(servers) = &self.oas.servers() {
                if let Some(s) = servers.first() {
                    url = s.url.clone();
                } else {
                    // servers list present but empty
                    continue;
                };
            } else {
                // no servers declared in the OAS
                continue;
            };
        }
    }
    ret_val
}
```

5. Check the output. It misses some paths: `"/pet/{petId}"` from the example.

Expected behavior
This code should print all the existing OAS paths. But it misses some paths: `"/pet/{petId}"` from the example.

Desktop (please complete the following information):
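As an added example, not part of this issue or of Cherrybomb's own code: the path enumeration an audit like the one above needs, done directly over the `paths` object of a constructed, petstore-shaped OpenAPI document with only the Python standard library. It lists every path (templated ones such as `/pet/{petId}` included) and the operations carrying path parameters that an IDOR-style check would visit; the document and server URL are constructed for the example, not taken from the attached petstore.txt.

```python
import json
import re

# Constructed minimal OpenAPI 3 document in the shape of the petstore sample.
PETSTORE_OAS = json.loads("""
{
  "openapi": "3.0.0",
  "servers": [{"url": "https://petstore.example/api/v3/"}],
  "paths": {
    "/pet": {"post": {"requestBody": {"content": {
        "application/json": {"schema": {"type": "object"}}}}}},
    "/pet/{petId}": {
      "get": {"parameters": [{"name": "petId", "in": "path", "required": true}]},
      "delete": {"parameters": [{"name": "petId", "in": "path", "required": true}]}
    },
    "/user/{username}/orders/{orderId}": {
      "get": {"parameters": [{"name": "username", "in": "path", "required": true},
                             {"name": "orderId", "in": "path", "required": true}]}
    }
  }
}
""")

PATH_PARAM = re.compile(r"\{([^}/]+)\}")  # {petId} -> petId
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def all_paths(oas):
    """Every key of the top-level `paths` object, regardless of whether any
    operation under it has a request body."""
    return sorted(oas.get("paths", {}).keys())


def base_url(oas):
    """First server URL without a trailing slash, or None when the OAS
    declares no servers (the case the loop above skips with `continue`)."""
    servers = oas.get("servers") or []
    return servers[0]["url"].rstrip("/") if servers else None


def path_param_operations(oas):
    """(METHOD, path, [param names]) for each operation on a templated path;
    these are the candidates an IDOR-style check has to iterate."""
    out = []
    for path, item in oas.get("paths", {}).items():
        names = PATH_PARAM.findall(path)
        if not names:
            continue  # static path, nothing to substitute
        for method in sorted(HTTP_METHODS & set(item)):
            out.append((method.upper(), path, names))
    return out
```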