Building a Collection in Postman
- Start Postman: /snap/bin/postman &
- Create a new workspace.
- Create a collection in the new workspace.
- Select Capture Requests, and in Settings enable the proxy to Burp.
- In the browser, set the proxy to port 5555 over to Postman.
- Navigate each function on the target while the traffic is captured in Postman.
- In Postman, stop capturing requests and select the requests that indicate API endpoints to add to the collection.
- Create folders and move the requests in the collection into folders matching the endpoints of the API.
Build a collection of the API's endpoint functions through mitmproxy:
- Start mitmproxy/mitmweb, the command-line tool used to proxy web traffic.
- Browse to the mitmproxy web interface (mitmweb) at http://127.0.0.1:8081.
- In the browser, set the proxy port to 8080.
- Navigate each endpoint of the API, performing the functions to be captured.
- In mitmweb, save the capture to a file.
- Then run the command: mitmproxy2swagger -i flows -o spec.yml -p http://127.0.0.1:8888 -f flow --examples
- Edit the generated spec in the online Swagger editor at https://editor-next.swagger.io/, which is also used to visualize the API documentation.
Learn to use Postman functions and features.
Updating Postman Collection Authorization:
Get an authentication token by sending a login request to the API. The response includes the latest bearer authentication token in the response body; copy it and place it at the top of the collection for this API as the global bearer authentication token, then SAVE.
Note:
When changing the content of the request body data, the Content-Length header does not automatically adjust to the new number of bytes.
Unselect the Content-Type header, and then send the request to the target API.
Browsing the API requests and looking for responses containing more information than is displayed to the user in the web browser is considered a finding, OWASP API3: Excessive Data Exposure:
Excessive Data Exposure occurs when an API provider sends back a full data object, typically depending on the client to filter out the information it needs.
From an attacker's perspective, the security issue here isn't that too much information is sent; instead, it is more about the sensitivity of the sent data.
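One way to triage the captured traffic for this finding, as an added example that is not part of the course notes or vAPI: compare each captured JSON response against the documented response schema from the generated spec.yml and report fields the documentation never promised, flagging names that look sensitive. The spec layout (OpenAPI 3 paths/responses/content/schema) and the sample body are constructed assumptions for the /vapi/api1/user endpoint.

```python
import json
from typing import Dict, List, Set

# Constructed minimal OpenAPI 3 document in the layout mitmproxy2swagger writes to spec.yml
# (inlined as a dict here; a real run would yaml.safe_load the file). Fields are illustrative.
SPEC = {"paths": {"/vapi/api1/user": {"get": {"responses": {"200": {"content": {
    "application/json": {"schema": {"type": "object", "properties": {
        "id": {"type": "integer"}, "username": {"type": "string"}, "name": {"type": "string"}}}}}}}}}}}

# Constructed sample of a captured response body for the same endpoint.
CAPTURED_BODY = json.dumps({
    "id": 7, "username": "alice", "name": "Alice",
    "password": "s3cret",                      # not documented and not shown by the UI
    "api_key": "k-0000",
    "address": {"street": "1 Main St", "ssn": "000-00-0000"},
})

# Substrings that make an undocumented field worth looking at first.
SENSITIVE_HINTS = ("password", "secret", "token", "key", "ssn", "card")


def documented_fields(spec: dict, path: str, method: str) -> Set[str]:
    """Top-level property names of the documented 200 JSON response schema."""
    schema = (spec["paths"][path][method]["responses"]["200"]["content"]
              ["application/json"]["schema"])
    return set(schema.get("properties", {}))


def flatten_keys(obj, prefix: str = "") -> Set[str]:
    """Dotted key paths for every field in a JSON value; list items share the parent path."""
    keys: Set[str] = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            keys.add(path)
            keys |= flatten_keys(v, path)
    elif isinstance(obj, list):
        for item in obj:
            keys |= flatten_keys(item, prefix)
    return keys


def undocumented_fields(body: str, documented: Set[str]) -> Dict[str, List[str]]:
    """Fields in the captured body whose top-level key is absent from the documented schema,
    split into 'sensitive' (name matches a hint) and 'other' for triage."""
    extra = sorted(p for p in flatten_keys(json.loads(body)) if p.split(".")[0] not in documented)
    sensitive = [p for p in extra if any(h in p.lower() for h in SENSITIVE_HINTS)]
    return {"sensitive": sensitive, "other": [p for p in extra if p not in sensitive]}


if __name__ == "__main__":
    fields = documented_fields(SPEC, "/vapi/api1/user", "get")
    print(undocumented_fields(CAPTURED_BODY, fields))
```

Running the same check over every 200 response in a saved flow gives a per-endpoint list of fields to question with the API owner, which is the evidence an API3 finding needs.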
When using vAPI, which fields are documented for the POST request to /vapi/api1/user?
Send Postman requests to the Burp proxy port 8080: Postman, Settings, Proxy, Custom proxy configuration.
Which request methods are documented for /vapi/api1/user?
The documentation shows the HTTP verbs to be POST, GET, PUT, but the endpoint for the specific user profile shows the HTTP verbs HEAD, GET, PUT.
Which of the following response headers are returned with a successful request to /vapi/api1/user?
Which vAPI endpoint is used to get the flag for Insufficient Logging & Monitoring?
Scanning APIs with OWASP ZAP
crAPI Solution Challenges, crAPI walkthrough
In the current state of API security, which vulnerability do automated scanners detect? API7:2019 Security Misconfiguration
What kind of results can a generic vulnerability scan of a web API lead to? False-Negative
Which of the following are security misconfigurations detected when using the automated scan feature of ZAP on http://vapi.apisec.ai/vapi?
- Application Error Disclosure
- .htaccess Information Leak
- X-Content-Type-Options Header Missing
Which of the following endpoints are detected when using the automated scan feature of ZAP on http://vapi.apisec.ai/vapi?
- API1
- API5
Which of the following vulnerabilities are indicated at http://vapi.apisec.ai/vapi#tag/API7?
- Cross-Origin resource sharing (CORS) Misconfiguration