Use Postman Collection Runner as Vulnerability Scanner

Of course, if you have enough time and relevant skills you will use Burp Scanner for searching XSS vulnerabilities in your API. But if it is needed to get trivial and really fast feedback you can choose something simpler. And Postman is almost perfectly suited for this task.

Let assume that you already know an endpoint you want to scan. For testing purposes let’s take the example of Google Books API because it’s open (I do not want to explore it, just show how it works):

https://www.googleapis.com/books/v1/volumes?q=isbn:1788624785

In selected API endpoint you need to determine a part for application «vectors of attack»:

https://www.googleapis.com/books/v1/volumes?q={{vector}}

Then you need Postman Collection Runner and a data file full of XSS vectors.

In the Postman Collection Runner you can import files in JSON or CSV format, which lines of data will be iterated (for more info read «Working with data files»).

CSV is more simple, so I prefer it and I use a list of «666 lines of XSS vectors, suitable for attacking an API» with a few lines of my own additions.

Unfortunately, Postman does not work with double quotes and extra commas in selected files, so the CSV data should be sanitised from these characters. It dramatically reduces a variety of test cases, but it is the fee for using a tool which is not quite appropriate.

At least you need to write a test to catch undesirable behavior. Due to many reasons: hard to catch stored XSS in response (in case of 200 response code), exceed rate limits (in case of 429 or 403 response codes) or proper backend reaction to invalid request (in case of 400 response code), lets expect only for Internal Server Error. In terms of Postman Test scripts it will look like:

pm.test("Status code is not 500", function () {
pm.response.to.have.not.status(500);
});
Variable {{vector}} references to the first line in of CSV file

Now run the collection:

  1. Open Collection Runner;
  2. Select prepared data file;
  3. Click [Run].
Data file type will choose automatically

If you get 500 of any request you can definitely submit an issue.

In this example everything is OK

Try it yourself, with the sample of Postman Collection and CSV files.

--

--

--

Quality assurance engineer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How To Use John The Ripper Tool In Linux For Cracking Passwords?

Launching a VPC with Public & Private subnet in AWS using Terraform!

Configure WSO2 Identity Server for Self Service Authorization using Admin REST APIs

My Experience with Linux

Tech Lead or Team Lead — A Senior Developer’s Choice

string manipulation in python class 11 programs

Python3 + OpenCV3 , Crack Verification code

How to Create a Responsive Grid Layout With Under 10 Lines of CSS.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andrey Enin

Andrey Enin

Quality assurance engineer

More from Medium

XSS and XSRF Demystified

6/30 XSS study log

A Brief Security Testing for Manual Testers

Chrome DevTools Security Panel

The Bad Twin: a peculiar case of JWT exploitation scenario