Introduction to PostBot

For those who might not know, Postman is a powerful tool widely used in API security, and PostBot is an AI-driven feature within it. It allows you to type an AI prompt that generates a test script, which you can then run on an endpoint or a series of endpoints. Combining PostBot with Postman’s Collection Runner enables you to automate testing for an entire collection of endpoints—a real game-changer for anyone involved in API security.

Exploring PostBot

Imagine you’re working with a deliberately vulnerable API, such as the one called Krapi, which is commonly used in API penetration testing courses. Here’s a step-by-step guide on how to use PostBot effectively.

1. Setting Up in Postman: Start by loading the Krapi collection in Postman. Select the collection and ensure the Tests tab is selected.
2. Generating a Script with PostBot: Click the PostBot icon at the bottom of the screen and enter a prompt. For example, "write a test that passes if there is a JSON web token in the request headers." This script will help identify endpoints with authentication tokens.
3. Running the Collection: Copy the generated script, paste it into the Tests tab, and click on the run collection button. This opens the Collection Runner, where you can run the test on all endpoints in the collection.

‍

Practical Use Cases

Example 1: Finding Authenticated Endpoints with URL Parameters

To look for vulnerabilities, you might want to identify authenticated endpoints with URL parameters that could be exploited. Use a prompt like, "add a test that passes if there is a JSON Web Token in the request header and if the character question mark is anywhere in the request URL." This test highlights endpoints with potential parameters for further investigation.

Example 2: Identifying Email Leaks

Another scenario involves checking for endpoints that leak user emails. A prompt such as, "add a test that passes if there is an email anywhere in the response body," can help find such vulnerabilities. PostBot might use a regex to look for strings with the "@" symbol in the response body.

‍

Advanced Use Case: Fuzzing for Vulnerabilities

For a more complex scenario, consider using PostBot to fuzz an endpoint. For example, if you previously identified an endpoint leaking mechanic reports, you could use a prompt like, "add a test that loops through numbers 1 to 15 and pollutes the report ID parameter of each request. Pass the test if more than one response has a 200 response code." This approach can help you find Broken Object Level Authorization (BOLA) vulnerabilities.

‍

Handling Errors and Limitations

While PostBot is powerful, it’s not infallible. Sometimes the generated code might need tweaking. For example, if the initial script throws an error, you might need to modify parts of the code manually. Basic JavaScript knowledge can help resolve such issues.

‍

PostBot Usage Limits and Alternatives

Postman’s free account limits you to 50 PostBot calls and 25 manual collection runs per month. If you need more, Postman offers a $9 monthly subscription for unlimited PostBot usage. For additional collection runs, you’ll need to upgrade to a basic plan at $14 per month plus $49 for unlimited runs.

Alternatively, you can use ChatGPT or CustomGPT for generating Postman tests. These tools often provide explanations alongside the code, making them particularly useful for beginners.

‍

Conclusion

PostBot is a valuable tool for anyone involved in API security, offering a streamlined way to generate and run tests. By leveraging AI, it points you in the right direction, saving time and effort. Whether you’re a hobbyist or a professional, PostBot can enhance your API testing capabilities, making it easier to identify and exploit vulnerabilities.

‍

Watch Edward's APISEC|CON session here.

‍