Use Postman Collection Runner as vulnerability scanner

Sometimes, as a test engineer, you need to perform a brief security testing under your application.

Andrey

Of course, if you have enough time and relevant skills you will use Burp Scanner for searching XSS vulnerabilities in you API. But if it is needed to get a trivial and really fast feedback you can choose something simpler. And Postman is almost perfectly suited for this task.

Let assume that you already know an endpoint you want to scan. For testing purposes lets take the example of Google Books API because it’s open (I do not want to explore it, just show how it works):

https://www.googleapis.com/books/v1/volumes?q=isbn:1788624785

In selected API endpoint you need to determine a part for application «vectors of attack»:

https://www.googleapis.com/books/v1/volumes?q={{vector}}

Then you need Postman Collection Runner and a data file full of XSS vectors.

In the Postman Collection Runner you can import file in JSON or CSV format, which lines of data will be iterated (for more info read «Working with data files»).

CSV is more simple, so I prefer it and I use a list of «666 lines of XSS vectors, suitable for attacking an API» with a few lines of my own additions.

Unfortunately, Postman does not work with double quotes and extra commas in selected file, so the CSV data should be sanitised from this characters. It dramatically reduces variety of test cases, but it is the fee for using tool which is not quite appropriate.

At least you need to write a test to catch undesirable behavior. Due to many reasons: hard to catch stored XSS in response (in case of 200 response code), exceed rate limits (in case of 429 or 403 response codes) or proper backend reaction to invalid request (in case of 400 response code), lets expect only for Internal Server Error. In terms of Postman Test scripts it will look like:

pm.test("Status code is not 500", function () {
pm.response.to.have.not.status(500);
});
Variable {{vector}} references to the first line in of CSV file

Now run the collection:

  1. Open Collection Runner;
  2. Select prepared data file;
  3. Click [Run].
Data file type will choose automatically

If you get 500 of any request you can definitely submit an issue.

In this example everything is OK

Try it yourself, with sample of Postman Collection and CSV files.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade