Use Postman Collection Runner as Vulnerability Scanner

Sometimes, as a test engineer, you need to perform a brief security testing under your application.

Andrey Enin
2 min readJul 28, 2019

Of course, if you have enough time and relevant skills you will use Burp Scanner for searching XSS vulnerabilities in your API. But if it is needed to get trivial and really fast feedback you can choose something simpler. And Postman is almost perfectly suited for this task.

Let’s assume that you already know the endpoint you want to scan. For testing purposes, let’s take the example of Google Books API because it’s open (I do not want to explore it, just show how it works):

https://www.googleapis.com/books/v1/volumes?q=isbn:1788624785

In the selected API endpoint, you need to determine a part for application’s «vectors of attack»:

https://www.googleapis.com/books/v1/volumes?q={{vector}}

Then you need a Postman Collection Runner and a data file full of XSS vectors.

In the Postman Collection Runner, you can import files in JSON or CSV format, which lines of data will be iterated (for more info, read «Working with data files»).

CSV is more simple, so I prefer it and I use a list of «666 lines of XSS vectors, suitable for attacking an API» with a few lines of my own additions.

Unfortunately, Postman does not work with double quotes and extra commas in selected files, so the CSV data should be sanitized from these characters. It dramatically reduces a variety of test cases, but it is the fee for using a tool that is not quite appropriate.

At least you need to write a test to catch undesirable behavior. Due to many reasons: hard to catch stored XSS in response (in case of 200 response code), exceeding rate limits (in case of 429 or 403 response codes), or proper backend reaction to invalid request (in case of 400 response code), let’s expect only for Internal Server Error. In terms of Postman Test scripts, it will look like this:

pm.test("Status code is not 500", function () {
pm.response.to.have.not.status(500);
});
Variable {{vector}} references to the first line in of CSV file
Fig. 1. Variable {{vector}} references to the first line in of CSV file

Now run the collection:

  1. Open Collection Runner;
  2. Select the prepared data file;
  3. Click [Run].
Data file type will be chosen automatically
Fig. 2. Data file type will be chosen automatically

If you get 500 of any request, you can definitely submit an issue.

In this example everything is OK
Fig. 3. In this example everything is OK

Try it yourself, with the sample of Postman Collection and CSV files.

--

--

Andrey Enin

Quality assurance engineer: I’m testing web applications, APIs and do automation testing.