Bug-0x03: Exposure of credentials through postman

According to their website “Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.”

Postman is also used as an API testing tool. Let us become familiar with some postman terminologies.

Collections: You can group your API requests and examples into collections. A collection contains a group of related APIs and flows.

Workspaces: It helps you to organize your API work and collaborate across your organization or across the world. It is a group of several collections.

There are three different kinds of Postman workspaces:

  1. Personal workspaces: They are designed for individual, focused work. They are synced in real time so you can move between different Postman instances or between Postman's desktop version and web version seamlessly.
  2. Team workspaces: We can invite team members to collaborate on our API work within a workspace. Access control is maintained by assigning roles to workspace members at either the workspace or element level.
  3. Public workspaces: Public workspaces allow you to share your APIs publicly with the entire world. All public workspaces are searchable and accessible through the Postman Public API Network.

We can import or export the API collection to a workspace for testing. If set to public, anyone can view that workspace.

Sensitive information Disclosure

An organisation's API collections and credentials (passwords, access tokens, cookies, etc.) might get exposed through public workspaces. It occurs when someone authorised to test (an employee or a contractor) imports these collections into a workspace that is set to public, making them visible to anyone. This is a clear case of policy violation, and a thorough analysis has to be performed to confirm that the exposed information was not abused.

Finding the exposed workspace

  1. Google dork:
     site:postman.com inurl:/workspace "example"
  2. Postman search: We can search using keywords like the organisation name, staging environments, subdomains, etc.


Automating the process

PMHunter is a tool written in Python to automate searching Postman for public data.

Demo:
python3 pmhunter.py -f <filename>
Source: https://github.com/jerinshajit97/PMHunter

Below is a sample input file, example.txt

stage
dev
test
token
example.com
www.example.com

We can use this to narrow down which keywords return hits and then verify each hit manually.

Remediation

Change the workspace visibility to Private. Remove all sensitive information before adding it to the workspace. Perform a sound analysis to confirm this exposed information was not abused.
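The exposure described above happens at import time, so the cheapest control is to check a collection export for literal credentials before it is added to any shared workspace. The following is an added example (not code from this post, from PMHunter, or from Postman): a hypothetical pre-import scanner for a Postman Collection v2.1 JSON export. It walks folders and requests, reports bearer tokens, basic-auth blobs, JWT-shaped strings and literal values under Authorization/Cookie/API-key style names, and skips values that already reference {{environment variables}}, which is where such secrets belong. The sample collection and every token in it are constructed for the demo; the v2.1 field names (item, request, header, url.query, auth, body.raw, variable) are the public schema's.

```python
"""Pre-import check for a Postman Collection v2.1 JSON export (hypothetical helper)."""
import json
import re
import sys

# Header, query-parameter and variable names that normally carry credentials.
SENSITIVE_KEYS = {
    "authorization", "cookie", "set-cookie", "x-api-key", "api-key", "api_key",
    "apikey", "token", "access_token", "refresh_token", "password", "secret",
    "client_secret",
}

# Value shapes that look like real secrets wherever they appear.
SECRET_PATTERNS = [
    ("bearer-token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I)),
    ("basic-auth", re.compile(r"\bBasic\s+[A-Za-z0-9+/=]{12,}", re.I)),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")),
]

VAR_REF = re.compile(r"\{\{[^{}]+\}\}")  # {{variable}} is resolved at run time, not stored
# Scheme words, cookie "name=" prefixes and separators are not secrets by themselves.
NOISE = re.compile(r"(?i)\b(bearer|basic|token|digest)\b|[\w-]+=|[\s;,]")


def classify(key, value):
    """Return a finding kind for a key/value pair, or None if it looks safe."""
    if not isinstance(value, str) or not value.strip():
        return None
    literal = VAR_REF.sub("", value)          # keep only what is literally in the export
    for kind, pattern in SECRET_PATTERNS:
        if pattern.search(literal):
            return kind
    if (key or "").lower() in SENSITIVE_KEYS and NOISE.sub("", literal).strip():
        return "literal-credential"
    return None


def redact(value):
    return value[:4] + "..." if len(value) > 4 else "***"


def _check_pairs(pairs, where, findings, key_map=None):
    for p in pairs or []:
        if not isinstance(p, dict):
            continue
        key = p.get("key", "")
        kind = classify((key_map or {}).get(key, key), p.get("value", ""))
        if kind:
            findings.append({"path": where, "key": key, "kind": kind, "value": redact(p["value"])})


def _check_auth(auth, where, findings):
    if not isinstance(auth, dict) or not auth.get("type"):
        return
    # apikey auth keeps the secret under a param literally named "value"; oauth2 uses camelCase.
    _check_pairs(auth.get(auth["type"]), where, findings,
                 key_map={"value": "token", "accessToken": "token", "clientSecret": "secret"})


def _check_body(body, where, findings):
    raw = body.get("raw") if isinstance(body, dict) else None
    if not isinstance(raw, str):
        return
    literal = VAR_REF.sub("", raw)
    for kind, pattern in SECRET_PATTERNS:
        for m in pattern.finditer(literal):
            findings.append({"path": where, "key": "", "kind": kind, "value": redact(m.group(0))})


def _walk(items, prefix, findings):
    for item in items or []:
        path = f"{prefix}/{item.get('name', '<unnamed>')}"
        if "item" in item:                                   # folder: may carry its own auth
            _check_auth(item.get("auth"), path + " [auth]", findings)
            _walk(item["item"], path, findings)
            continue
        req = item.get("request")
        if not isinstance(req, dict):
            continue
        _check_pairs(req.get("header"), path + " [header]", findings)
        if isinstance(req.get("url"), dict):
            _check_pairs(req["url"].get("query"), path + " [query]", findings)
        _check_auth(req.get("auth"), path + " [auth]", findings)
        _check_body(req.get("body"), path + " [body]", findings)
        for resp in item.get("response") or []:             # saved examples echo real responses
            if isinstance(resp, dict):
                _check_pairs(resp.get("header"), path + " [example response]", findings)


def scan_collection(collection):
    """Return a list of findings for a parsed collection export."""
    findings = []
    _check_pairs(collection.get("variable"), "collection [variable]", findings)
    _check_auth(collection.get("auth"), "collection [auth]", findings)
    _walk(collection.get("item"), collection.get("info", {}).get("name", "collection"), findings)
    return findings


def scan_file(path):
    with open(path, encoding="utf-8") as fh:
        return scan_collection(json.load(fh))


# Constructed sample export; every token and password below is made up for the demo.
CONSTRUCTED_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWNvbnN0cnVjdGVk"
SAMPLE_COLLECTION = {
    "info": {"name": "example-internal-api"},
    "variable": [{"key": "base_url", "value": "https://api.example.com"},
                 {"key": "password", "value": "CONSTRUCTED-not-a-real-password"}],
    "auth": {"type": "apikey", "apikey": [{"key": "key", "value": "X-API-Key"},
                                          {"key": "value", "value": "{{api_key}}"},
                                          {"key": "in", "value": "header"}]},
    "item": [
        {"name": "users", "item": [
            {"name": "list users", "request": {"method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer {{access_token}}"}],
                "url": {"raw": "{{base_url}}/users", "query": [{"key": "api_key", "value": "{{api_key}}"}]}}},
            {"name": "debug: get profile", "request": {"method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer sk_live_CONSTRUCTED_0123456789abcdef"},
                           {"key": "Cookie", "value": "session=c0nstructed-session-id-value"}],
                "url": {"raw": "{{base_url}}/me"}}}]},
        {"name": "refresh", "request": {"method": "POST", "url": {"raw": "{{base_url}}/token"},
            "auth": {"type": "bearer", "bearer": [{"key": "token", "value": CONSTRUCTED_JWT}]},
            "body": {"mode": "raw", "raw": '{"refresh_token": "' + CONSTRUCTED_JWT + '"}'}}},
        {"name": "login", "request": {"method": "POST", "url": {"raw": "{{base_url}}/login"},
            "body": {"mode": "raw", "raw": '{"username": "demo", "password": "{{password}}"}'}}},
    ],
}

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_collection(SAMPLE_COLLECTION)
    for f in results:
        print(f"{f['kind']:18} {f['path']} {f['key']} -> {f['value']}")
    sys.exit(1 if results else 0)
```

Run it against an export (python3 scan.py collection.json) in a pre-commit hook or before sharing; a non-zero exit blocks the import. On the constructed sample it reports five findings (the literal password variable, the hard-coded bearer token and cookie on the debug request, and the JWT in both the auth block and the body of the refresh request) while the requests that use {{variables}} pass clean. A scanner like this only catches what it recognises, so it complements, rather than replaces, keeping the workspace private.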

Jerin

A learner who is understanding the technologies to break them. Information security enthusiast, always curious and happy to say a Hello.
