Getting Started with Postman for API Security Testing: Part 1

Postman is a useful tool used by many developers to document, test and interact with Application Programming Interfaces (APIs). With the ubiquity of APIs in mobile, web and other applications, Postman can be a useful tool for a security tester or developer to evaluate the security posture of the API. Part 1 of this blog series is to provide the basics of using Postman, explaining the main components and features. Part 2 will explore a couple of use cases for security testing such as using data-driven tests for parameter fuzzing and using the Postman Sandbox JS execution environment for HMAC Header Implementation. Though the main functionality of the tool is for functional testing, interacting, documenting the API and not security analysis, this write up can be used as a beginner guide for using Postman as a useful security tool.  

Postman is primarily used to test and interact with RESTful APIs. RESTful APIs are based on representational state transfer (REST) technology, an architectural style and approach to communications that uses HTTP Verbs GET, PUT, POST and DELETE to implement Create, Retrieve, Update and Delete (CRUD) operations on objects/data. The Postman tool is primarily focused on REST API using JSON, a lightweight data-interchange format and preferred form of communication in REST API. But it also can be used for working with most other forms of data. 

BASICS OF POSTMAN

Postman was initially developed as a Chrome application, but over time has matured into a full native application. The download is available for Windows, Mac and Linux at https://www.getpostman.com/apps. 

Figure 1: UI of Postman Native Application

The user interface (UI) of the app is straightforward; we can build an API request from scratch or by importing either a Postman collection or a CURL command, which is a common way of defining a complete HTTP Requests.   

Below are a few concepts that a beginner user of the app should be aware of.

Collections – Collections in Postman is a way of grouping similar individual API requests. A user can share the collection with the relevant headers, body, URL parameters, authorization configurations and description added to each request. Exporting the collection can be useful to onboard a new developer or to provide complete scoping details and mock request data for a security tester. Postman allows collections to be shared online by providing a link.  

Runner – When you run a collection, you’re essentially sending all requests in your collection, one after another. Using scripts, you can build integration test suites, pass data between API requests, and build workflows that mirror your actual API use cases.

Variables – Variables in Postman are like variables in general programming. Variables have different scopes. From broad to narrow the scopes are Global, Collection, Environments, Local and Data. Variables can be called from within the URL, Body or the Headers of the request.

Environments – Environments store the variables as a set of Key-value pairs. Environments can be thought of as contexts for the API requests. For example, if there are multiple users with different API-Keys, we can switch between users by changing the environment by using the same variable {{api-key}} stored in the environments for the API request.

Pre-Request Script – Pre-request scripts can be used to setup any data or variables in the request or for testing the response. 

Tests – Tests are run after the response is received for the API request sent. Scripts written here can parse response details, such as the Reponses Code, Cookies, and Body. Tests have a fail/pass result - for example, if the response code is 500 or not. 

Workflow for an API Request in Postman 

Pre-Request Script → Request → Response → Test 

To create an API request, begin by selecting the HTTP verb used and filling the Request URL (API End Point). Then there are subtabs for filling Authorization details (Basic, OAuth, AWS Signature etc.), the different Headers required, and the Body of the request (if needed). The Body of the request can be form-data, form-url-encoded data, raw data (text, JSON, XML) or binary data. Once the API request is sent, the response is shown in the bottom section of the app. 

The quickest way to get started with Postman is importing collections. Postman allows importing collections from a JSON file (Swagger file or Postman Collection file) or from Postman collection link or by pasting a CURL command. 

Importing Collections 

File → Import 

Figure 2: Collections can be imported by dropping the Swagger or Postman JSON files

Figure 3: API requests can also be imported by copying the shared Postman Collection link  

Working with Postman makes it very convenient to test and interact with REST APIs. It has capabilities to work with different authentication mechanisms, different forms of data and to import and export API Collections. By providing an intuitive UI to build requests, implement authentication and import API collections, Postman makes it easy to identify parameters that need further analysis and is useful for logical testing of the APIs. In the next blog article, I’ll expand upon using Postman for security testing of APIs.