Postman Usage
Last updated
Last updated
127.0.0.1, and set the port to 5555, the default port for Postman’s proxy.
On DevTools, Network, right click on a API request, "Copy as cURL".
Once you have copied the desired request, open Postman. Select Import and click on the "Raw text" tab. Paste in the cURL request and select import.
Create a Workspace to save your collections in.
To build your own collection in Postman with the Proxy, use the Capture Requests button, found at the bottom right of the Postman window.
In the Capture requests window, select Enable proxy. The port should match with the number that is set up in FoxyProxy (5555). Next, enable the Postman Proxy, add your target URL to the "URL must contain" field, and click the Start Capture button.
Enable the proxy with FoxyProxy, visit all pages of the target and perform all possible actions (registration, login, upload, etc.)
Once you have captured all of the features you can find with manual exploration then you will want to Stop the Proxy. Next, it is time to build the collection: select the new button (top left side of Postman) and then choose Collection. Rename the collection.
Navigate back to the Proxy debug session and open up the Requests tab. Select all of the requests that you captured and use the "add to Collection" link. Choose the "organize the requests by Endpoints" option.
Don't forget to import the certificate
Launch mitmweb
FoxyProxy to listen on 8080. Perform all the actions and visit all pages of the target.
You can see the captured traffic by using a browser to visit the mitmweb web server located at http://127.0.0.1:8081.
Save the captured requests: File > Save
Update the YAML file so that "ignore:" is removed from the endpoints that you want to include.
Run the script once more. This second run will correct the format and spacing. This time around you can add the "--examples" flag to enhance your API documentation
You can also import this file as a Postman Collection that way you can prepare to attack the target API. At the top left of your Postman Workspace, you can click the "Import" button. Next, select the spec.yml file and import the collection.
Check your Collection variables Get to the collection editor by using your collection, select the three circles on the right side of a collection, and the "Edit". Select the Variables tab will show you that the variable "baseUrl" is used. Make sure that the baseUrl Current Value matches up with the URL to your target
Add an authorization method to the collection to do authenticated requests.
Using the Authorization tab, within the collection editor, we will need to select the right type for authorization.
Disable the SSL certificate verification in the General subtab of Postman’s settings to prevent ‘Self-signed Certificates Blocked’ errors
Open Postman settings by pressing CTRL-, (comma) or navigating to File4Settings.
Click the Proxy tab.
Click the checkbox for adding a custom proxy configuration.
Make sure to set the proxy server to 127.0.0.1.
Set the proxy server port to 8080.
Select the General tab and turn SSL certificate verification Off.
Add variable to the request
Set up the Collection Runner to use the request and a payload CSV file
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
Validate the documentation by visiting and by importing your spec file into the Swagger Editor. Use File>Import file and select your spec.yml file
A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.
