Postman Scan Discovery
Postman is an API platform for building and using APIs. Postman describes an API as a Postman Collection file, and HawkScan can use that collection to discover the routes of the application being scanned.
To use Postman Scan Discovery in HawkScan, add the following settings to your stackhawk.yml file:
stackhawk.yml
hawk:
  spider:
    base: false # disable the default base spider; optional
    postmanConfig:
      filePath: # path to the Postman Collection file, relative to the base directory
      apikey: # Postman API key used to fetch the collection from Postman
      collectionUID: # UID of the collection to pull from Postman
You must either provide postmanConfig.filePath with a path to a Postman Collection, or specify postmanConfig.apikey and postmanConfig.collectionUID with values for your collection from the Postman API Network. These settings live under the hawk.spider.postmanConfig section of the stackhawk.yml file. Treat apikey as a secret: it grants API access to your Postman account, so keep it out of any stackhawk.yml that is committed to source control.
NOTE: You must have Newman and Node.js installed and on the PATH of the environment HawkScan runs from. At the moment this feature is unavailable from the HawkScan Docker image.
Get your Postman Collection ready
Create or import a Postman Collection for the application being scanned and export it. Postman saves the collection as a JSON file, which you can open and review before use.
HawkScan feeds this Postman Collection into Newman, Postman's command-line collection runner.
NOTE: Requests in your Postman Collection are only scanned by HawkScan if the app.host being scanned matches the host the requests are sent to when Newman runs them. Requests to any other host are not scanned, so check the collection's hosts (and any environment variables they depend on) before running the scan.
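The host check above is easy to get wrong in a collection that mixes folders, string URLs, object URLs and {{variables}}. The script below is an added example, not HawkScan or Newman code: it walks the Postman Collection v2.x JSON layout and reports every request whose host and port differ from the app.host you intend to scan, plus requests whose host is a collection variable that can only be resolved by the Newman environment. The sample collection is constructed for illustration, and the app host is passed as an argument instead of being read from stackhawk.yml.

```python
"""Static check that a Postman Collection targets the host HawkScan will scan.

Added example, not code from HawkScan or Newman. It walks the Postman
Collection v2.x JSON layout (nested "item" folders; "request.url" as either a
string or an object with "raw"/"host"/"port") and compares each request's
host and port with hawk.app.host from stackhawk.yml. The sample collection
below is constructed for illustration; the app host is passed in as an
argument rather than read from stackhawk.yml.
"""
import json
import sys
from urllib.parse import urlsplit

# Constructed sample collection: one request that matches the scan target,
# a folder containing a matching request, a request that points at a
# different host, and a request whose host is a collection variable.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "example-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [
        {"name": "List users",
         "request": {"method": "GET", "url": "http://localhost:3000/users"}},
        {"name": "Admin", "item": [
            {"name": "Create user",
             "request": {"method": "POST",
                         "url": {"raw": "http://localhost:3000/users",
                                 "host": ["localhost"], "port": "3000",
                                 "path": ["users"]}}},
            {"name": "Prod health",
             "request": {"method": "GET", "url": "https://api.example.com/health"}},
            {"name": "Templated",
             "request": {"method": "GET",
                         "url": {"raw": "{{baseUrl}}/ping",
                                 "host": ["{{baseUrl}}"], "path": ["ping"]}}},
        ]},
    ],
})


def iter_requests(items, prefix=""):
    """Yield (name, url) for every request, descending into folders."""
    for item in items:
        name = prefix + item.get("name", "?")
        if "item" in item:                      # a folder: recurse
            yield from iter_requests(item["item"], name + "/")
        elif "request" in item:
            url = item["request"].get("url", "")
            if isinstance(url, dict):           # object form of the URL
                url = url.get("raw") or ".".join(url.get("host", []))
            yield name, url


def origin_of(url):
    """(hostname, port) of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "", parts.port)


def check_collection(collection_json, app_host):
    """Return [(request name, url, reason)] for requests HawkScan will not see.

    'host mismatch': the request goes to a different host or port than
    app.host. 'unresolved variable': the host is a {{variable}} that Newman
    fills from its environment at run time, so it cannot be checked here and
    must be verified against the environment you pass to Newman.
    """
    want = origin_of(app_host)
    problems = []
    for name, url in iter_requests(json.loads(collection_json).get("item", [])):
        host, port = origin_of(url)
        if "{{" in host:
            problems.append((name, url, "unresolved variable"))
        elif (host, port) != want:
            problems.append((name, url, "host mismatch"))
    return problems


if __name__ == "__main__":
    # Usage: python check_collection.py collection.json http://localhost:3000
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            collection, target = fh.read(), sys.argv[2]
    else:
        collection, target = SAMPLE_COLLECTION, "http://localhost:3000"
    for name, url, reason in check_collection(collection, target):
        print(f"{reason:20} {name}: {url}")
```

Run it against the exported collection and the same app.host value you put in stackhawk.yml; anything listed as a host mismatch will be executed by Newman but never pass through HawkScan, and anything listed as an unresolved variable needs the Newman environment file checked by hand.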
Under the hood
Using Custom Scan Discovery, you can take fine-grained control of how Newman, or any other tool, is called with your collection. Otherwise HawkScan runs one of the following commands, depending on which setting you provided:
filePath
newman run --insecure ${postmanConfig.filePath}
collectionUID
newman run --insecure https://api.getpostman.com/collections/${postmanConfig.collectionUID}?apikey=${postmanConfig.apikey}
Two things to be aware of with the default commands: --insecure tells Newman to skip TLS certificate verification for the requests it sends, which is convenient for a local target with a self-signed certificate but not something you want pointed at a shared environment; and in the collectionUID form the Postman API key is part of the command line, where it is visible to anyone who can list processes on the scanning host and may end up in shell history or CI logs. If either is a concern, use Custom Scan Discovery to call Newman yourself.