Leveraging Postman Collections for Offensive Webapp Testing

Pasquale
4 min read · Aug 13, 2021

I was recently in an engagement with a web application that was interconnected with about half a dozen services while offering up a few dozen API routes, all of which had to be tested within three days. As I stared at the flow chart provided and tried to gather an understanding of what I needed to test, I thought to myself:

…how in the hell am I going to wrap my head around this enough to test?

Well, I lucked out. The engineers I was working with were using Postman not just for development, but had also built some “Collections” that enabled my jumpstart into security-focused testing for this application.

What is Postman?

Postman provides a graphical interface for developing and testing web APIs. Whether you run the native desktop app or the embedded browser version, the functionality is the same.

  • Set an endpoint
  • Provide some details (credentials, headers, etc.)
  • Send the request
  • Thank yourself for not having to write that out in a cURL command

Tools like cURL, wget, and BurpSuite all have their place in testing, and Postman isn’t meant to replace them, but it makes generating requests far more user-friendly when it comes to testing APIs.

For developers, Postman also supports variables and test scripts you can run pre- and post-request to aid your testing.

What is a Postman Collection?

Simply put, a Postman Collection is a “collection” of Postman requests.

Example collection with a variable set

What makes Collections great is that you can bundle batches of API requests with variables set that can be easily passed to another person. Postman allows you to import and export Collections to really increase cross-collaboration.

Example request from a collection using variables

So, what does this have to do with security and how can I use it?

If you haven’t guessed it by now, a Collection can greatly speed up your understanding of an application. Knowing what a developer has been focusing on can help you understand what routes exist to even begin testing. Better yet, chances are that the application you need to test is built with the help of Postman in some capacity. Like I mentioned earlier, Collections can be easily exported into a JSON file.

Here’s one right now!

{
  "info": {
    "_postman_id": "37481942-e301-43dc-9a01-aa162803d71c",
    "name": "Star Wars",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "item": [
    {
      "name": "GET /people",
      "request": {
        "method": "GET",
        "header": [
          {
            "key": "Content-Type",
            "value": "application/json",
            "type": "text"
          }
        ],
        "url": {
          "raw": "{{baseUrl}}/people/",
          "host": [
            "{{baseUrl}}"
          ],
          "path": [
            "people",
            ""
          ]
        }
      },
      "response": []
    }
  ],
  "event": [
    {
      "listen": "prerequest",
      "script": {
        "type": "text/javascript",
        "exec": [
          ""
        ]
      }
    },
    {
      "listen": "test",
      "script": {
        "type": "text/javascript",
        "exec": [
          ""
        ]
      }
    }
  ],
  "variable": [
    {
      "key": "baseUrl",
      "value": "https://swapi.dev/api"
    }
  ]
}
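Because an exported Collection is just JSON in the v2.1 schema shown above, you can turn one into a route inventory with a few lines of code rather than clicking through the GUI. The script below is an added example, not code from the original post or from Postman: it walks the "item" tree (folders nest their requests under their own "item" key), resolves {{variable}} references from the collection’s "variable" list, and lists each request’s method and resolved URL. It also flags credential-looking values stored as variables, headers, or in a request’s "auth" block, which is the review you want to run before a Collection is exported, shared, or synced. The sample collection embedded at the bottom is constructed for the example (it extends the Star Wars collection with a folder, a POST, and an example API key); the function names are mine.

```python
"""Inventory the request surface of an exported Postman Collection (v2.1 JSON).

Added example, not code from the original post. Assumes the v2.1 export format:
"item" entries are either requests or folders that nest further "item" lists.
"""
import re

VAR_RE = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")
# Variable and header names that commonly carry credentials (assumed list).
CREDENTIAL_KEYS = {"authorization", "x-api-key", "api-key", "apikey",
                   "token", "password", "secret", "cookie"}


def load_variables(collection):
    """Collection-level variables as a plain dict (values coerced to str)."""
    return {v["key"]: str(v.get("value", "")) for v in collection.get("variable", [])}


def resolve(text, variables):
    """Replace {{name}} with its value; unknown variables are left untouched."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def walk_items(items):
    """Yield request items, descending into folders (items that carry "item")."""
    for item in items:
        if "item" in item:
            yield from walk_items(item["item"])
        elif "request" in item:
            yield item


def request_url(request):
    """The "url" field is either a plain string or an object with "raw"."""
    url = request.get("url", "")
    return url.get("raw", "") if isinstance(url, dict) else url


def auth_literals(request):
    """Yield keys in the request's "auth" block whose value is a literal, not a {{variable}}."""
    auth = request.get("auth") or {}
    kind = auth.get("type", "noauth")
    for param in auth.get(kind, []) if kind != "noauth" else []:
        value = str(param.get("value", ""))
        if value and not VAR_RE.search(value):
            yield f"auth.{kind}.{param.get('key', '')}"


def inventory(collection):
    """One dict per request: name, method, resolved URL, enabled headers, literal auth keys."""
    variables = load_variables(collection)
    routes = []
    for item in walk_items(collection.get("item", [])):
        req = item["request"]
        if isinstance(req, str):  # shorthand form: "request" is just a URL string
            req = {"method": "GET", "url": req}
        headers = {h["key"]: str(h.get("value", ""))
                   for h in req.get("header", []) if not h.get("disabled")}
        routes.append({
            "name": item.get("name", ""),
            "method": req.get("method", "GET").upper(),
            "url": resolve(request_url(req), variables),
            "headers": headers,
            "auth_literals": list(auth_literals(req)),
        })
    return routes


def find_embedded_credentials(collection):
    """(kind, location) pairs for values that look like stored credentials."""
    findings = []
    for key, value in load_variables(collection).items():
        if key.lower() in CREDENTIAL_KEYS and value:
            findings.append(("variable", key))
    for route in inventory(collection):
        where = f"{route['method']} {route['url']}"
        for key, value in route["headers"].items():
            # A header that references a {{variable}} is covered by the variable check.
            if key.lower() in CREDENTIAL_KEYS and value and not VAR_RE.search(value):
                findings.append(("header", f"{where}: {key}"))
        for key in route["auth_literals"]:
            findings.append(("auth", f"{where}: {key}"))
    return findings


# Constructed sample collection for the example (based on the post's Star Wars export).
SAMPLE_COLLECTION = {
    "info": {"name": "Star Wars (constructed sample)",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "GET /people",
         "request": {"method": "GET",
                     "header": [{"key": "Content-Type", "value": "application/json", "type": "text"}],
                     "url": {"raw": "{{baseUrl}}/people/", "host": ["{{baseUrl}}"], "path": ["people", ""]}},
         "response": []},
        {"name": "Admin",  # a folder: its requests are nested under "item"
         "item": [{"name": "POST /people",
                   "request": {"method": "POST",
                               "header": [{"key": "Authorization", "value": "Bearer example-literal-token"}],
                               "auth": {"type": "apikey",
                                        "apikey": [{"key": "key", "value": "X-Api-Key"},
                                                   {"key": "value", "value": "{{apiKey}}"}]},
                               "url": {"raw": "{{baseUrl}}/people/"}},
                   "response": []}]},
    ],
    "variable": [{"key": "baseUrl", "value": "https://swapi.dev/api"},
                 {"key": "apiKey", "value": "example-secret-value"}],
}

if __name__ == "__main__":
    for route in inventory(SAMPLE_COLLECTION):
        print(f"{route['method']:6} {route['url']}  ({route['name']})")
    for kind, location in find_embedded_credentials(SAMPLE_COLLECTION):
        print(f"credential-like {kind}: {location}")
```

Run against a real export by loading the file with `json.load` and passing the result to `inventory` and `find_embedded_credentials`. The route list is the starting point for scoping (every method and resolved path in one place), and the findings list is what to clear out before the Collection leaves your machine.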

When it comes to generating requests to test later, Postman also has proxy options. Just as with a web browser, you can proxy Postman’s requests through something like BurpSuite to view the traffic. From there, send the requests to Repeater, Intruder, etc. to do your security testing.

Postman proxy settings

Wrapping up

I’ll acknowledge there’s nothing earth-shattering in this article, but it feels like common sense once you’ve put it into practice.

For developers using Postman, save your requests into Collections. Chances are someone could benefit from them.

For security practitioners and pentesters, ask if Collections are available if you are in a white box or grey box engagement. While Collections won’t provide you with everything, an advantage in an engagement like this saves time that can be focused on testing.

On a final note, be careful with credentials when it comes to Postman. I personally would not recommend saving credentials in a Collection, nor within Postman at all if you are logged into a Postman account. This is because when you use a Postman account, your account syncs to their cloud — and this includes credentials. I’m sure Postman’s security team has thought this through, but it is something to keep in mind. It really is a wonderful tool.

More information on how to disable Postman’s sync.


Pasquale

A hack of a hacker, OSCP holder, let's break stuff