Postman Usage

Install

Install and update Postman | Postman Learning CenterPostman Learning Center

$ sudo wget https://dl.pstmn.io/download/latest/linux64 -O postman-linux-x64.tar.gz
$ sudo tar -xvzf postman-linux-x64.tar.gz -C /opt
$ sudo ln -s /opt/Postman/Postman /usr/bin/postman

Proxy

127.0.0.1, and set the port to 5555, the default port for Postman’s proxy.

Import

On DevTools, Network, right click on a API request, "Copy as cURL".

Once you have copied the desired request, open Postman. Select Import and click on the "Raw text" tab. Paste in the cURL request and select import.

Collections

Create a Workspace to save your collections in.

To build your own collection in Postman with the Proxy, use the Capture Requests button, found at the bottom right of the Postman window.

In the Capture requests window, select Enable proxy. The port should match with the number that is set up in FoxyProxy (5555). Next, enable the Postman Proxy, add your target URL to the "URL must contain" field, and click the Start Capture button.

Enable the proxy with FoxyProxy, visit all pages of the target and perform all possible actions (registration, login, upload, etc.)

Once you have captured all of the features you can find with manual exploration then you will want to Stop the Proxy. Next, it is time to build the collection: select the new button (top left side of Postman) and then choose Collection. Rename the collection.

Navigate back to the Proxy debug session and open up the Requests tab. Select all of the requests that you captured and use the "add to Collection" link. Choose the "organize the requests by Endpoints" option.

Automatic Documentation

How to craft your own rogue API docs for a target when they don't existDana Epp's Blog

Mitmweb | Simplest Way To Intercept Between Server And Client - Technical NavigatorTechnical Navigator

Don't forget to import the certificate

Launch mitmweb

$ mitmweb

FoxyProxy to listen on 8080. Perform all the actions and visit all pages of the target.

You can see the captured traffic by using a browser to visit the mitmweb web server located at http://127.0.0.1:8081.

Save the captured requests: File > Save

$ sudo mitmproxy2swagger -i /Downloads/flows -o spec.yml -p https://api.example.com -f flow

# -p <api_prefix>
# For example if an app has made requests like these:
# https://api.example.com/v1/login
# https://api.example.com/v1/users/2
# https://api.example.com/v1/users/2/profile
# The likely prefix is https://api.example.com/v1.

Update the YAML file so that "ignore:" is removed from the endpoints that you want to include.

Run the script once more. This second run will correct the format and spacing. This time around you can add the "--examples" flag to enhance your API documentation

$ sudo mitmproxy2swagger -i /Downloads/flows -o spec.yml -p https://api.example.com -f flow --examples

Validate the documentation by visiting https://editor.swagger.io/ and by importing your spec file into the Swagger Editor. Use File>Import file and select your spec.yml file

You can also import this file as a Postman Collection that way you can prepare to attack the target API. At the top left of your Postman Workspace, you can click the "Import" button. Next, select the spec.yml file and import the collection.

Check your Collection variables Get to the collection editor by using your collection, select the three circles on the right side of a collection, and the "Edit". Select the Variables tab will show you that the variable "baseUrl" is used. Make sure that the baseUrl Current Value matches up with the URL to your target

Use Authorization

Add an authorization method to the collection to do authenticated requests.

Using the Authorization tab, within the collection editor, we will need to select the right type for authorization.

Send request to Burp

Configure Postman to use a proxy server | Postman DocsPostman Docs

Disable the SSL certificate verification in the General subtab of Postman’s settings to prevent ‘Self-signed Certificates Blocked’ errors

Open Postman settings by pressing CTRL-, (comma) or navigating to File4Settings.
Click the Proxy tab.
Click the checkbox for adding a custom proxy configuration.
Make sure to set the proxy server to 127.0.0.1.
Set the proxy server port to 8080.
Select the General tab and turn SSL certificate verification Off.

Fuzzing

Documentation | Test examples in Postman | Postman API Network

Fuzzing with PostmanMedium

big-list-of-naughty-strings/blns.json at master · minimaxir/big-list-of-naughty-stringsGitHub

Parameter Fuzzing

The API Hacker's Guide to Payload Injection with Postman - Dana Epp's BlogDana Epp's Blog

Getting Started with Postman for API Security Testing: Part 2Optiv

4 ways to enhance exploratory testing with Postman | Postman BlogPostman Blog

Add variable to the request

Set up the Collection Runner to use the request and a payload CSV file

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousSensitive Data (API Key, JWT token, etc.) Exposed NextZAP Scanner & other scanning methods

Last updated 22 days ago