{"id":845,"date":"2021-12-01T11:47:18","date_gmt":"2021-12-01T11:47:18","guid":{"rendered":"https:\/\/apimike.com\/?p=845"},"modified":"2022-12-12T22:00:09","modified_gmt":"2022-12-12T22:00:09","slug":"blst-firecracker-review","status":"publish","type":"post","link":"https:\/\/apimike.com\/blst-firecracker-review","title":{"rendered":"Review of BLST Security pentester Firecracker CLI"},"content":{"rendered":"\n

A few days ago I’ve came across an interesting Cyber security press release<\/a> over at marketwatch.com and suddenly I was struck that as of today there is no product on the market that can automate pentesting for business Logic. 
Most products are human based pentester or encapsules different methods of pentesting.<\/p>\n\n\n\n

After a little bit of searching I found that BLST Security<\/a> (a young start-up in the cyber security field) claims to be able to do that with integrated Artificial Intelligence.<\/p>\n\n\n\n

Today, I’m reviewing Firecracker v.1by BLST Security, a CLI tool that protects organizations from logical flaws.<\/p>\n\n\n\n

\"BLST<\/a><\/figure>\n\n\n\n

Firecracker provides an intelligent attacker that simulates business flows in your API. The CLI tool provides detailed analyses of existing attack surfaces, vulnerable flows, and simplifies the architecture of the API.<\/p>\n\n\n\n

The company released their first CLI tool, the free version is available at http:\/\/blstsecurity.com\/firecracker<\/a> and the open sourced code is available at https:\/\/github.com\/blst-security\/firecracker<\/a>.<\/p>\n\n\n\n

After a quick look in their GitHub page, it looks like a simple to use CLI tool. The main goal of this tool is to attack your API and scan for invalid business logic flaws, as a secondary value it can also produce a map of your current API<\/p>\n\n\n\n

structure and show you the logical connections between different endpoints and parameters. <\/p>\n\n\n\n

The product suits any stage in the SDLC – Software Development Life Cycle.<\/p>\n\n\n\n

Let’s dive deeper.<\/p>\n\n\n\n

The tool is delivered in a Binary version. It\u2019s a perfect solution for me as I won\u2019t need to install Rust nor build the open sourced code.<\/p>\n\n\n\n

Installing Firecracker<\/h2>\n\n\n\n

Inorder to install the tool we need to use git with the following steps:<\/p>\n\n\n\n

`git clone https:\/\/github.com\/blst-security\/firecracker<\/p>\n\n\n\n

cd firecracker<\/p>\n\n\n\n

cargo build –release`<\/p>\n\n\n\n

Or we can just download and install the binary version in https:\/\/www.blstsecurity.com\/firecracker<\/p>\n\n\n\n

We can start by reading all the given possibilities using the help flag .\/firecracker –help<\/p>\n\n\n\n

Before we use firecracker binary we need to import our token from the BLST Security website.<\/p>\n\n\n\n

\"BLST<\/a><\/figure>\n\n\n\n

Firecracker features<\/h2>\n\n\n\n

Firecracker has several features:<\/p>\n\n\n\n

Mapper<\/strong><\/p>\n\n\n\n

Takes in traffic logs and maps the business logic flow of the application, outputs a digest file.N<\/p>\n\n\n\n

Decider<\/strong><\/p>\n\n\n\n

Takes in traffic logs and decides whether a certain business logic flow is an anomaly or not.<\/p>\n\n\n\n

Attacker<\/strong><\/p>\n\n\n\n

Takes in the digest file from the mapper and “attacks” the API while using the Decider to determine whether something is an anomaly or not.<\/p>\n\n\n\n

Visualizer<\/strong><\/p>\n\n\n\n

Takes in the digest file from the mapper and visualizes the business logic flow of the application.<\/p>\n\n\n\n

\"BLST<\/a><\/figure>\n\n\n\n

So the Mapper is supposed to receive a log file formatted in json, and then it will map it.<\/p>\n\n\n\n

After the mapping is complete you can take your map file (the default name is map.json) and upload it to the following address – https:\/\/www.blstsecurity.com\/firecracker\/Visualizer<\/a> in BLST Security\u2019s website.<\/p>\n\n\n\n

After mapping the API we will use the attacker (the automatic penetration tester), his aim is to spoof the current request conventions by sending in different API logic flows and fuzzing the parameters.<\/p>\n\n\n\n

Before we start the attacker we need to prepare it using the prepare command <\/p>\n\n\n\n

.\/firecracker prepare –url https:\/\/blstsecurity.com<\/a> –map map.json<\/p>\n\n\n\n

while maintaining the following format

\u201cfirecracker prepare –url <URL_TO_ATTACK> –map <MAPPED_FILE_PATH>\u201d<\/p>\n\n\n\n

Release the attacker<\/h2>\n\n\n\n

Then launch the attacker module:<\/p>\n\n\n\n

\"BLST<\/a><\/figure>\n\n\n\n

.\/firecracker attack<\/p>\n\n\n\n

At this point we can see if anomalies were discovered and outputted in the current attack generation<\/p>\n\n\n\n

\"BLST<\/a><\/figure>\n\n\n\n

There is another option in which you can use the decider as a stand alone without the attacker and load other users logs into the decider and see whether or not anomalies exist in your current user logs and data without launching an attack against your API.<\/p>\n\n\n\n

Copy and execute the following command to activate the decider and test your existing logs.<\/p>\n\n\n\n

.\/firecracker decide –file log.json.<\/p>\n\n\n\n

In conclusion<\/h2>\n\n\n\n

I give this tool 5 stars, the CLI tool is very intuitive and simple to use.<\/p>\n\n\n\n

From a technical view the CLI tool provides immense value in a short amount of time with very few false positives and produces outstanding results.<\/p>\n\n\n\n

In my opinion The key values that this product provides are:<\/p>\n\n\n\n

    \n
  • API Logic visibility<\/li>\n\n\n\n
  • User behavior anomaly detection<\/li>\n\n\n\n
  • Easy installation and integration into current environments<\/li>\n\n\n\n
  • Advanced security testing<\/li>\n\n\n\n
  • Intuitive interface<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

    As of today there is no product that can automate pentesting for business Logic.\u00a0<\/p>\n","protected":false},"author":3,"featured_media":869,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/posts\/845"}],"collection":[{"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/comments?post=845"}],"version-history":[{"count":1,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/posts\/845\/revisions"}],"predecessor-version":[{"id":2372,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/posts\/845\/revisions\/2372"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/media\/869"}],"wp:attachment":[{"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/media?parent=845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/categories?post=845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/apimike.com\/wp-json\/wp\/v2\/tags?post=845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}