Use Postman Collection Runner as Vulnerability Scanner

Sometimes, as a test engineer, you need to perform brief security testing of your application.

Of course, if you have enough time and the relevant skills you will use Burp Scanner to search for XSS vulnerabilities in your API. But if you just need rough and really fast feedback, you can choose something simpler, and Postman is almost perfectly suited to this task.

Let's assume that you already know the endpoint you want to scan. For testing purposes let's take the Google Books API as an example, because it is open (I do not want to explore it, just show how it works):

In the selected API endpoint you need to determine the part where the «attack vectors» will be applied:

Then you need the Postman Collection Runner and a data file full of XSS vectors.

In the Postman Collection Runner you can import a file in JSON or CSV format whose lines of data will be iterated over (for more info read «Working with data files»).

CSV is simpler, so I prefer it, and I use the list «666 lines of XSS vectors, suitable for attacking an API» with a few additions of my own.

Unfortunately, Postman does not cope with double quotes and extra commas in the selected file, so the CSV data has to be sanitised of these characters. This dramatically reduces the variety of test cases, but it is the fee for using a tool which is not quite designed for this.

At a minimum you need to write a test that catches undesirable behaviour. For several reasons (a stored XSS is hard to catch in the response of a 200, a 429 or 403 means you have exceeded the rate limit, and a 400 is the backend's proper reaction to an invalid request), let's check only for an Internal Server Error. In terms of Postman test scripts it will look like:

The variable {{vector}} refers to the column named in the first line of the CSV file.
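A version of the Tests-tab script, added here as an example and not the post's own code. It fails the iteration on an Internal Server Error exactly as the post does, and additionally sorts the other outcomes the post lists (rate limit, proper rejection, plain 200) so the run summary tells you why a vector passed; a 200 whose body echoes the raw payload is flagged as worth a manual look, which the post does not do. The decision is kept in a plain function so it runs under Node with constructed responses as well as inside Postman, where the `pm` object exists; the column name `vector` matches the data file from the post.

```javascript
// Added example (not from the original post): Postman test script with
// the verdict logic factored out so it can be run outside the sandbox.

// Classify one response for the payload that was sent.
// Returns 'server-error' | 'rate-limited' | 'rejected' | 'reflected' | 'ok'.
function classify(status, body, vector) {
  if (status >= 500) return 'server-error';            // the only hard failure
  if (status === 429 || status === 403) return 'rate-limited';
  if (status === 400) return 'rejected';                // backend validated the input
  // A 200 that contains the payload verbatim deserves a look for reflected
  // XSS; it is a hint, not proof (the response content type matters too).
  if (status === 200 && vector && typeof body === 'string' && body.includes(vector)) {
    return 'reflected';
  }
  return 'ok';
}

// Postman glue: `pm` only exists inside the Postman sandbox.
if (typeof pm !== 'undefined') {
  const vector = pm.iterationData.get('vector');        // column from the data file
  const verdict = classify(pm.response.code, pm.response.text(), vector);

  pm.test(`No Internal Server Error for vector: ${vector}`, function () {
    pm.expect(verdict).to.not.equal('server-error');
  });

  // Informational only: surfaced in the runner console, never fails the run.
  if (verdict === 'rate-limited') {
    console.log(`Rate limited (${pm.response.code}); slow the runner down`);
  }
  if (verdict === 'reflected') {
    console.log(`Payload echoed verbatim in a 200, check it by hand: ${vector}`);
  }
}

// Stand-alone run under Node with constructed responses (not real API output).
if (typeof pm === 'undefined' && typeof require !== 'undefined' && require.main === module) {
  const samples = [
    { status: 500, body: 'Internal Server Error', vector: '<script>alert(1)</script>' },
    { status: 429, body: '{"error":"rateLimitExceeded"}', vector: '<svg/onload=alert(1)>' },
    { status: 400, body: '{"error":"invalid query"}', vector: "';alert(1);//" },
    { status: 200, body: '{"q":"<script>alert(1)</script>"}', vector: '<script>alert(1)</script>' },
    { status: 200, body: '{"q":"&lt;script&gt;"}', vector: '<script>' },
  ];
  for (const s of samples) {
    console.log(s.status, classify(s.status, s.body, s.vector));
  }
}
```

Only the `server-error` verdict fails the test, so the collection still behaves like the post's one-line check; the extra verdicts just make the console output readable when you sift through several hundred iterations.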

Now run the collection:

  1. Open Collection Runner;
  2. Select prepared data file;
  3. Click [Run].
The data file type is chosen automatically.

If you get a 500 for any request, you can definitely submit an issue.

In this example everything is OK.

Try it yourself with the sample Postman Collection and CSV files.

Quality assurance engineer