1. Home
  2. Training Library
  3. API Pentesting

Postman

The course is part of this learning path

Start course
Overview
Difficulty
Intermediate
Duration
3h
Students
34
Ratings
5/5
starstarstarstarstar
Description

This course focuses on API Security and explains the kinds of vulnerabilities that we can find inside APIs, how to exploit them, and how to secure them as well. These skills will allow you to obtain bug bounties from vulnerabilities and also protect your own APIs as well.

Transcript

Hi. Within this lecture, we're going to see how to install and use Postman. Now that we have the Burp Suite, we need one last thing to start pen testing on our vulnerable API and that is the Postman. So far our vAPI Is working, so there's nothing left to do over here. So, what I am going to do  I  am go into Google and search for Postman like this. So, Postman and of course you can just write Postman download and something like that. But it's very simple, it's postman.com. So, what is Postman?

Postman is an actually tool that lets us send requests  and get some responses back from a server, or from an endpoint, from an API, and analyze them. It sounds a lot like Burp Suite, I know that, but they have completely different purposes.

In Burp Suite, we generally do penetration tests, we interrupt or intercept the request, and when we manipulate them and we observe the changes. And we can do something like brute forcing or encrypting and decrypting. In Postman, we don't do that kind of stuff. We simply send requests and get some responses back. And it's a crucial tool in order to create APIs and also test APIs. If you're a web developer or a mobile application developer, I am pretty certain that you have used Postman before. So, if you have the Postman on your computer up and running right now, maybe you can just fast forward a little bit and just see how to import the JSON file that comes with the resources of this vAPI challenge and then go along. But if you are new to Postman then just stick with me and see how to download it and install it.

And in fact it is not that hard to download and install it. You can just come over here to postman.com and you can see the product over here. Of course, there is like a free version and also paid options as well. We're going to completely use the free version and in fact you can use the web version, web interface of the Postman without even downloading it. But I am going to download it. So, I am going to show you how to use the web as well,  that version as well. So, if you take a look at the tool section, you can see why we use the Postman. For example, we can use Postman to test our APIs. So, we can send requests, we can get responses back. We can actually write headers and parameters and also we can design the APIs inside of the Postman, so that it would be much more structural.

We can write documentation, we can do testing, we can actually use mock servers in order to test the APIs and add points, we can monitor what's going on, and we can detect the APIs as well. So, it's a very good platform. It's all in one solution for the APIs and if you go over here you can try the test version,  try the web version,  web interface, and you don't even need to download it. But I suggest you to download it because it's a very good tool. It's a good tool to have it on your computer and you can actually create a free account. And that's it. When you go to postman.com/downloads, you will see that you can download it for your own specific operating system. Right now I am going to choose Mac Intel Chip because that is what I am using right now. But if you're using something else then just download it, like if it is compatible with Windows, it is compatible with Linux. But this is one of the reasons why we're doing this section inside of our own host machines rather than the Kali Linux.

I haven't tried Postman on Kali Linux yet. I am pretty certain that it works but I am very certain that it works on Mac and Windows without any issues. Furthermore, we don't need any kind of functionality from Kali Linux as well Postman and Burp Suite will be okay for us. So, make sure you download this Postman app and if it asks for you to sign up please make sure you sign up as well. There is nothing special; you have to do about installing it, just double click on it and hit 'Next', 'Next', 'Next'. Give the necessary permissions and it's okay.  It's going to be okay. So, what I am going to do  I am going to open the Postman and show you what it looks like. So, right now I can just minimize this and I am going to delete the certificate as well. I am going to search for a Postman and just open it.

So, feel free to pause the video, download the Postman, install the Postman, and open it. Once you open it, it will probably ask you to sign up and after you sign up freely,  without any paying anything,  you can just go in a dashboard like this. So, this user interface changes from time to time. It gets updated. But you will see this kind of menus every time. Right now I have this vAPI collection over here. I am going to delete it. I have tried it before, so I am going to delete it so that you can see how to import it as well. So, this is a workspace. In a workspace, you can import the API documentation or endpoints, you can test them, you can create them, and so much more. And on the left hand side we see the collections, we see the API module, we see environments, I am going to delete this as well. I am going to talk about what an environment is later on. Don't worry about it. Right now it is empty. We see other stuff, but basically we will work on collections most of the time. In collections, you can create a collection of your own, like for different endpoints of this vAPI. As you can see, there are 10 APIs in this vulnerable API CTF. You can create it one by one yourself. But in order to be convenient, this vAPI guys gave us the JSON as a resource, so as you can see there're endpoints over here, like POST this, GET this. So, rather than dealing with this, we're going to just import this thingy and make it compatible with our own server. Like I am going to show you how to run one of these things. For example, if we go to my IP address  /vapi/api1/user  for example, nothing happens, because it's supposed to request, we need to send some parameters along with it, but if we do kind of a GET request we may get something out of it. Sending a request is nothing more than sending or just browsing to that link. As you can see it asks for an API ID over here, let me just test this. So, I am going to go over here and try to get the first user and it gives me 404 but you get the point, rather than just browsing here, rather than pasting this endpoints to my URL like this, we're going to send it via Postman and we can send the parameters and headers and all the necessary information along with this request, so that it would actually work. Because if we go to this URL on our browser, as you can see, we are not sending the required parameters and so it doesn't work. So, that's exactly what we're going to do. Let me show you how to do it. Go into the resources.

No, not the resources. Go into the postman folder, inside of the postman folder  you will see there are two JSONs, first of which is the environment and second of which is the collection. So, right now I am going to find a way to import them. So, I am inside of the collection tab at left hand side. What I am going to do, I am going to click on this '+' button. It creates a new collection. Let me delete that. It was not a good idea. I believe we can delete that and I believe we can just go to menu from File and say something like Import. Here you go. So, I am going to delete this new collection. I am not going to use it. I am going to go to the menu and say Import and choose the file from my computer. You can also drag and drop obviously but I am going to go into the desktop and to postman and not the environment one  but the collection one. I am going to choose the collection and say 'Import'. Once I do that, it will appear over here like this. And as you can see, once you click on it, you can see the API1, API2, API3. We're going to see how to use it but I am going to import this one more time because I am going to invert import the environment again. So, what is the environment? We're going to talk about it. Don't worry about it. If you go to the environment section, you can see the environment over here. So, in the collections, go to the API1 and as you can see we can see the Get User, Create User, Update User along with the URL. So, this is it. This is the URL and once I give the necessary information I can hit the 'Send' button and it will send a request for me. Right now if I send this request, it won't work because it doesn't have the necessary information. We haven't given it yet. But as you can see we get the error and we can just do something accordingly to solve this problem. For example, if I click over here, if I hover over the host, it says that Unresolved Variable. So, what does it mean?

It means that I have to come over here and give my IP address rather than host, but I'm not going to do that. Okay, I'm not going to do that because every time I go into any API over here like any endpoint, I will have to do that if I just change it manually. As you can see it all has the host variable and host sends for our IP address. Okay, so rather than changing it one by one I'm going to go into the environment and click on the 'vAPI_ENV'. So, as you can see there is a host variable over here, and the initial value's localhost, rather than localhost I'm just going to write my own IP address. And this is my IP address over here. I'm going to copy it and paste it over there and also paste it over the current value and then I'm going to save this. Okay, so if you hit on the 'Save' button over here, don't forget to hit on the 'Save' button. If you go to 'Collection' now it will reserve the resolve to the IP address of our own. It doesn't resolve. It says that Unresolved Variable because we need to change the environment, I believe. Click on the 'vAPI'. Okay, click on the 'vAPI' and come over here to 'No Environment' and select the 'vAPI_ENV'. Here you go. Once you do that, as you can see, it will inherit all the variables that we have written over there in the environment. Now, you know what an environment is. If you come over here, hover over the host variable as you can see, we get the value, we get the IP address, and that is what we need. If I send this right now. Again, it doesn't send for some reason because, because I believe we need to change this, we need to change this id as well. As you can see there is another unresolved value over here, but if we change this I believe it will work. Let me try this, okay? And by the way, I can go to environment and change the variable from there as well, but it doesn't make much sense because it's only in one API. We can also change the variables from here as well without touching the environment, but it's a very good idea to go with the environment. So, it would be applicable for all of the things inside of our API. I'm just showing you guys how to use the Postman. I'm just getting you to know it. Okay, don't worry about it, we're going to see this in details. Let me do one API call. I'm going to go into the first one. The post to Create User. Okay, let us test to see if this is working. So, we have a post-request, and we also have the Get-request, Put-request. Maybe` you don't know the difference between them. Generally, when we send the data to a server or to an endpoint, we use post request. It is not mandatory, but it's the general convention. Many developers choose to do that. If we're trying to get some information from the API, we can use the get request. If we're trying to update any value, we can use the put request. Okay. So, we know what kind of request that we're getting over here. Like post request, get request, put request. You don't have to change any of this, okay? So, first one is to create a user, so I'm seeing this post request and you can change the taps from here like authorization. We don't need any authorization, as you can see, you can see the headers like Content-Length, Content-Type many of the time you won't even have to touch the headers over here. So, you don't need to change any of this. This is play field for us inside of the Postman. And if it if you didn't get this Postman, as you can see, you should go to the Body suite and catch the package and try with it. And it's going to take so much time, so make sure you install the Postman and import the Json file that comes with the challenge. So, here we have the username, name, and the course and password thing is. I'm just going to give some random things over here like "username": "atil", "name": "my name", "course": "web pentesting", "passwords": I don't know "atil123". I'm just going with the random parameters. I just want to see if I send something. there are some tests over here, we're going to talk about this. So, when we send the request, this test gets executed automatically.

We don't need to change anything. All you going to do is just change the parameters in the body and we're just doing this for test purposes. Okay. And I sent this and as you can see, it didn't even get a response back. It doesn't work. That's what I was trying to find out. And if I go over host. By mistake, we included http tag two times in the host, as you can see it says http, so it's coming http, http doesn't work. Going to the Environment one more time. The lead http just leave the IP address over here from the initial value and also current value as well. Make sure you delete every possible space and stuff, okay? Don't leave anything over here rather than the IP address. Delete everything. Just leave the IP address. Come over here and try to send it one more time. Just give some random, random user names and names and stuff. As you can see host is okay right now. All I got to do is just send this and see what happens. So, right now it works as you can see. I'm getting the username, I'm getting the name, so we created a user. So, what we did in this lecture is to just to install the Postman and make sure it works. We're going to talk about what we're doing here and why we are doing here. We get an ID. So, we don't know what to do with it. Maybe you don't understand what's going on. That's okay. All you got to do is just make sure your Postman works. And we're going to talk about this in-depth in the upcoming lectures. Right now, we have what we need. We have the Postman, we have the Burp suite, and we have the up and running API. So, we're going stop here, and within the next lecture, we're going start pan testing.

 

About the Author
Students
909
Courses
55
Learning Paths
3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.