Getting Started with Postman for API Security Testing: Part 2

In part 1 of this blog series, I provided the basics of using Postman, explaining the main components and features. This post will explore a couple of use cases for security testing, such as using data-driven tests (Postman Collection Runner) for parameter fuzzing and using the Postman Sandbox JS execution (Pre-request Script) environment for Hashed Message Authentication Code (HMAC) Header Implementation.

But before discussing the functionalities of Postman, let’s review the methodology and practices for testing REST APIs for security vulnerabilities.

Testing Concepts

Authentication – There are several ways authentication can be implemented in APIs, such as Basic, cookies, tokens (JWT, OAuth2), etc. At minimum, testing needs to verify the proper implementation of authentication controls. Postman makes it very easy to work with cookies, tokens, client certificates, or other different authentication mechanisms. 

Authorization – APIs can communicate sensitive information and use common HTTP methods such as PUT, DELETE, or GET to send information to and from the server. Proper authorization controls need to be put in place to prevent unprivileged access to sensitive information. 

Common Web Vulnerabilities – APIs can inherit many of the common vulnerabilities found in web applications, such as cross-site scripting (XSS), injections, error exposure, etc. It is important to understand the context in which the API will be used to determine which type of vulnerabilities might affect it.

Proxying Postman Traffic through Burp

It’s important to configure an effective security toolchain to test APIs efficiently. Postman can proxy API traffic through familiar security testing tools such as Burp; this can be used to utilize the capabilities of Burp, such as Scanner, Intruder, Repeater, etc. to provide full testing coverage for the API.

Step 1 – Start Burp and set the listener on TCP port 8080 (or any unused local port)

Step 2 – Point Postman’s proxy settings to the local Burp listener

Figure 1: Postman Settings Proxy subtab

Step 3 – Disable the SSL certificate verification in the General subtab of Postman’s settings to prevent ‘Self-signed Certificates Blocked’ errors.

Figure 2: Postman Settings General subtab

Figure 3: Postman traffic captured in Burp Scanner

Parameter Fuzzing with Postman’s Collection Runner

Postman can be used independently of Burp to execute certain types of security test cases. Here I will show how to configure Postman for parameter fuzzing.

For this use case, I have downloaded a sample collection provided by Postman. I placed variables in the parameters that I want to fuzz.

Figure 4: Body of the Post request with password parameter to be fuzzed

Figure 5: GET request example with URL parameter to be fuzzed

For the next step, we open Collection Runner window and select the Postman collection to be iterated. The test CSV file is selected in the data section with ‘password’ and GET parameter values to be fuzzed. Number of parameters can be fuzzed in each iteration, and the data file can be in JSON or CSV format. Through each iteration Collection Runner will pass each row of the data file and look for the variables in the API requests and replace them, before sending the requests. Runner will send all the requests in the collection, and if only some certain parameters in a small number of requests are to be injected, it is preferred to create a collection with those requests.

Figure 6: A preview of the Data file 'test.csv' shows the variables of each iteration

Example – test.csv

Figure 7: Console View showing the API requests sent in each iteration with values in the data file

HMAC Implementation in Postman

HMAC – Hashed Message Authentication Code is one common method of authenticating API requests. This method is usually used in kiosk-to-server or server-to-server communications because the secret to be used must be added to the client-side code.

When Hash = Hashfunction(message+secret), the base64encoded Hash value is usually added as a signature header to each request. Without this header, the API requests will not be authorized.

The Postman Sandbox JS environment provides several built-in modules to be used for scripts in the Pre-request Script. A full list of the available JavaScript libraries can be found at - https://www.getpostman.com/docs/v6/postman/scripts/postman_sandbox_api_reference

In the following example of HMAC Implementation, the message string is the concatenation of the path of the URL, the message body, and the timestamp. The secret for hashing is stored as an environment variable and is retrieved by using environment.get("secret").

Message = path+body+timestamp; Hash = SHA256(message+secret); Signature Header = base64.encode(Hash)

To use a JS library in the sandbox – use the require function. The request information, such as the URL, Headers and the Body, can also be accessed from the script, but only in read-only format and cannot be changed from the script. Variables in the request aren’t available to the script from the pm.request.* functions as their values but only as the variable names. The list of pm functions available to the script can be found at http://www.postmanlabs.com/postman-collection/index.html

Examples of pm.request functions:

Request URL path – pm.request.url.getPath(); Request Body – pm.request.body.toString();

Sample Postman Pre-request Script for HMAC Implementation:

var crypto = require('crypto-js'); var time = (new Date()).getTime(); pm.environment.set("timestamp", time); var path = pm.request.url.getPath(); var body = pm.request.body.toString(); var message = path+body+time; console.log(message); var hash = crypto.HmacSHA256(message,pm.environment.get("secret")); var hashHeader = CryptoJS.enc.Base64.stringify(hash); pm.environment.set("hmac",hashHeader);

Figure 8: Pre-request Script for HMAC Implementation

Once the Hash value is calculated, it is set as an environment variable “hmac” and added to the request headers as Signature = {{hmac}}. Errors from the script can be viewed in the Postman console and can be used to debug the script.

Figure 9: Console view of the request sent with the "Signature" HMAC Header

Postman is a common tool used by developers for testing and interacting with REST APIs. As we’ve shown, it can also provide support for security analysis through parameter fuzzing, testing authorization, and authentication implementations, or for logical testing of the APIs. The Collections function can be an easy way for developers to share a group of API requests with security teams to scope a security test effort. Collections can also be used to provide testers with sample data and headers necessary for issuing valid API requests. Postman can also proxy traffic through scanners and provide full security testing coverage of APIs. These are some of the ways Postman can be a useful API security tool.