According to its website, “Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.”
Postman is also widely used as an API testing tool. Let us become familiar with some Postman terminology.
Collections: You can group your API requests and examples into collections. A collection holds a set of related requests and flows (the APIs of one service, for instance).
Workspaces: Workspaces help you organize your API work and collaborate across your organization or with the whole world. A workspace holds one or more collections.
There are three kinds of Postman workspace:
- Personal workspaces: They are designed for individual, focused work. They are synced in real time, so you can move between different Postman instances, or between the desktop and web versions of Postman, seamlessly.
- Team workspaces: You can invite team members to collaborate on your API work within a workspace. Access control is maintained by assigning roles to workspace members at either the workspace or the element level.
- Public workspaces: Public workspaces allow you to share your APIs publicly with the entire world. All public workspaces are searchable and accessible through the Postman Public API Network.
We can import or export an API collection to a workspace for testing. If the workspace is set to public, anyone can view it, including everything stored in its collections.
Sensitive information disclosure
An organisation's API collections, and the credentials embedded in them (passwords, access tokens, cookies, etc.), may be exposed through public workspaces. This happens when someone authorised to test the APIs (an employee or a contractor) imports these collections into a workspace whose visibility is set to public, making them visible to anyone. This is a clear policy violation, and a thorough analysis has to be performed to confirm that the exposed information was not abused.
Finding the exposed workspace
- Google dork: search the indexed workspace URLs for the organisation's name, for example
site:postman.com inurl:/workspace "example"
- Postman search: search the Public API Network directly for keywords such as the organisation name, staging environment names, subdomains, etc.
Automating the process
PMHunter is a tool written in Python that automates searching Postman for public data. It takes a file of keywords:
python3 pmhunter.py -f <filename>
Below is a sample input file, example.txt:
stage dev test token example.com www.example.com
We can use this to sort out which keywords return hits and then verify each hit manually, since a keyword match does not by itself prove that the workspace belongs to the organisation or contains secrets.
Remediation
Change the workspace visibility to private. Remove all sensitive information before adding a collection to a workspace: replace literal credentials with environment variables so that the secret lives in a (private) environment rather than in the collection file. Treat anything that was exposed as compromised and rotate it, then perform a sound analysis (access logs, token usage) to confirm the exposed information was not abused.
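The "remove all sensitive information before adding it to the workspace" step is easy to get wrong by hand, because a collection export buries credentials in several places: collection variables, folder and request auth blocks, Authorization and Cookie headers, and query strings. The following Python script is an added example written for this page (it is not code from the original post, from Postman or from PMHunter) that walks a Postman Collection Format v2.1 export and reports literal credentials, while ignoring values that are only {{variable}} placeholders. The field names (info, item, request, header, url, auth, variable) are the collection format's own; the secret-detection patterns and the run-length heuristic are assumptions chosen for the example, and the sample collection at the bottom is constructed, not a real export. The same walk is also what you would run over a collection pulled from a suspect public workspace to answer "what exactly leaked?".

```python
"""
Pre-publication scanner for Postman collection exports (Collection Format v2.1).
Walks variables, auth blocks, headers and query strings and reports literal
credentials that would leak if the collection were pushed to a public workspace.
Values that consist only of {{placeholder}} references are not reported: the
secret then lives in an environment, not in the collection file.
"""
import json
import re
import sys
from urllib.parse import parse_qsl, urlsplit

PLACEHOLDER = re.compile(r"\{\{[^{}]+\}\}")  # {{token}}, {{baseUrl}}, ...
# Field names that usually hold a secret (heuristic, assumed for this example).
SECRET_NAME = re.compile(r"token|secret|passw|api[_-]?key|session|cookie", re.I)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key", "x-auth-token"}
# Parameter keys inside a v2.1 auth block whose value is the credential itself.
AUTH_SECRET_PARAMS = {"token", "password", "value", "accesstoken", "refreshtoken", "clientsecret"}
AUTH_SCHEMES = {"bearer", "basic", "digest", "token"}   # scheme words are not secrets
CRED_RUN = re.compile(r"[A-Za-z0-9_\-./+=]{12,}")         # opaque credential-like run
SECRET_PATTERNS = {                                       # well-known token shapes
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}


def literal_part(value):
    """The part of a string value that is not a {{placeholder}} ('' for non-strings)."""
    return PLACEHOLDER.sub("", value).strip() if isinstance(value, str) else ""


def pattern_name(text):
    """Name of the first well-known secret pattern found in text, or None."""
    for name, pat in SECRET_PATTERNS.items():
        if pat.search(text):
            return name
    return None


def scan_collection(collection):
    """Return a list of {'path', 'kind', 'preview'} findings for one collection dict."""
    findings = []

    def report(path, kind, text):
        # Only a short prefix is kept so the report itself does not re-leak the secret.
        findings.append({"path": path, "kind": kind, "preview": text[:8] + "..."})

    def check_secret_field(path, text):
        # The whole value is the secret (variable, auth param, query param):
        # any literal remainder after stripping placeholders is a finding.
        rest = literal_part(text)
        if rest:
            report(path, pattern_name(rest) or "literal credential", rest)

    def check_header(path, name, text):
        rest = literal_part(text)
        kind = pattern_name(rest)
        if kind is None and name.lower() in SENSITIVE_HEADERS:
            # "Bearer {{token}}" leaves only the scheme word and is fine;
            # "session=abc123def456ghi789" leaves an opaque run and is not.
            words = [w for w in rest.split() if w.lower() not in AUTH_SCHEMES]
            if any(CRED_RUN.search(w) for w in words):
                kind = "literal credential"
        if kind:
            report(path, kind, rest)

    def check_auth(path, auth):
        # v2.1 auth block: {"type": "bearer", "bearer": [{"key": "token", "value": ...}]}
        if not isinstance(auth, dict):
            return
        for param in auth.get(auth.get("type", ""), []) or []:
            if str(param.get("key", "")).lower() in AUTH_SECRET_PARAMS:
                check_secret_field(f"{path} [auth:{param.get('key')}]", param.get("value"))

    def check_query(path, pairs):
        for key, value in pairs:
            rest = literal_part(value)
            if rest and (SECRET_NAME.search(key) or pattern_name(rest)):
                report(f"{path} [query:{key}]", pattern_name(rest) or "literal credential", rest)

    def check_request(path, request):
        if isinstance(request, str):   # shorthand form: the request is just a URL
            check_query(path, parse_qsl(urlsplit(request).query))
            return
        check_auth(path, request.get("auth"))
        for header in request.get("header", []) or []:
            name = str(header.get("key", ""))
            check_header(f"{path} [header:{name}]", name, header.get("value"))
        url = request.get("url")
        if isinstance(url, dict):      # structured URL: use the parsed query list
            check_query(path, [(str(q.get("key", "")), q.get("value")) for q in url.get("query", []) or []])
        elif isinstance(url, str):
            check_query(path, parse_qsl(urlsplit(url).query))

    def walk(path, items):
        for item in items or []:
            here = f"{path}/{item.get('name', '?')}"
            if "item" in item:         # folder: may carry its own auth block
                check_auth(here, item.get("auth"))
                walk(here, item["item"])
            elif "request" in item:
                check_request(here, item["request"])

    for var in collection.get("variable", []) or []:
        if SECRET_NAME.search(str(var.get("key", ""))):
            check_secret_field(f"variable:{var.get('key')}", var.get("value"))
    check_auth("collection", collection.get("auth"))
    walk("", collection.get("item"))
    return findings


def scan_file(path):
    """Scan an exported collection JSON file from disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_collection(json.load(fh))


# Constructed sample collection for this example; not a real export. The AWS key is
# the well-known placeholder from the AWS documentation, and the JWT is not signed.
SAMPLE_COLLECTION = {
    "info": {"name": "example-internal",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [
        {"key": "baseUrl", "value": "https://api.example.com"},
        {"key": "api_key", "value": "8f3a2c1d9e7b4a6f0c5d2e1b3a4c5d6e"},       # leaks
    ],
    "item": [
        {"name": "Account",
         "auth": {"type": "bearer", "bearer": [{"key": "token", "type": "string",
                  "value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlc2lnbmF0dXJl"}]},  # leaks
         "item": [
             {"name": "Get profile",
              "request": {"method": "GET",
                          "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],  # fine
                          "url": {"raw": "{{baseUrl}}/me"}}},
         ]},
        {"name": "List users",
         "request": {"method": "GET",
                     "header": [{"key": "Cookie", "value": "session=abc123def456ghi789"}],   # leaks
                     "url": {"raw": "{{baseUrl}}/users?api_key={{api_key}}",
                             "query": [{"key": "api_key", "value": "{{api_key}}"}]}}},       # fine
        {"name": "Legacy export",
         "request": "https://legacy.example.com/export?access_token=AKIAIOSFODNN7EXAMPLE"},  # leaks
    ],
}

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_collection(SAMPLE_COLLECTION)
    for f in results:
        print(f"{f['kind']:<20} {f['path']}  ({f['preview']})")
    sys.exit(1 if results else 0)
```

Run it as `python3 scan_collection.py exported-collection.json` in a pre-commit hook or CI step, and treat a non-zero exit as "do not publish". The placeholder rule is the important design choice: a collection that reads `Bearer {{token}}` is safe to share as long as the environment that defines `token` stays private, so the scanner flags only what remains after the placeholders are removed.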