blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
https://www.blstsecurity.com/cherrybomb
Apache License 2.0

TLS error when scanning an internal API #94

Closed TmmmmmR closed 8 months ago

TmmmmmR commented 1 year ago

Describe the bug I’m trying to integrate cherrybomb within our CI/CD, but I faced the following TLS error.

To Reproduce Steps to reproduce the behavior:

cherrybomb oas --file swagger_docs.json -a 1 --format txt -v 2

ERROR: error sending request for url (https://internal-api//v1/rates/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

It’s an internal API of my company, and the certificate is already installed/trusted on my local machine (other installed tools, like curl, can access the same URL without any TLS error), and it's not a self-signed certificate.

Expected behavior The ability to trust pre-installed certificates on the local machine, or simply a setting parameter to ignore certificate checks (which can be a bit dangerous).

Desktop (please complete the following information):

Additional context I've installed cherrybomb using the cargo install cherrybomb cmd.

RazMag commented 1 year ago

Hey @TmmmmmR, thank you for bringing this to our attention. A new CLI will soon be implemented which will include the --ignore-tls-errors flag. As for using the certificates trusted on the machine, we are looking into our implementation of the reqwest crate.

DeliciousBounty commented 8 months ago

We already solved it. I close this issue.