Postman Scan Discovery


Postman is an API platform for building and using APIs. It organizes API requests into Postman Collection files, which HawkScan can use for Discovery of an application.

To use Postman Scan Discovery in HawkScan, add the following settings to your stackhawk.yml file:

stackhawk.yml

hawk:
  spider:
    base: false # disable the default base spider; optional
    postmanConfig:
      filePath: # file path of the Postman collection from the base directory
      apikey: # api key to authenticate the user with Postman
      collectionUID: # Id of the collection to be pulled from Postman

You must either provide a postmanConfig.filePath with a path to a Postman Collection, or specify the postmanConfig.apikey and postmanConfig.collectionUID with values for your collection from Postman API Network.

These settings can be configured under the hawk.spider.postmanConfig section of the stackhawk.yml file.

NOTE: You must have Newman and NodeJS installed and on the path HawkScan runs from. At the moment this feature is unavailable for use from the HawkScan Docker image.

Get your Postman Collection ready

Create or import a Postman Collection for the application being scanned, then export the collection. You can save it as a JSON file and review its contents.

This Postman Collection is then fed into Newman, the command-line collection runner for Postman.

NOTE: Paths in your Postman Collection will only be scanned by HawkScan if the app.host being scanned matches the host of the requests Newman runs.
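To preview which requests satisfy that host check before starting a scan, the following Python helper (an added example, not HawkScan or Newman code) walks a Postman Collection v2.1 export, including nested folders, and groups each request by whether its host matches app.host; the sample collection and the function names are constructed for this example.

```python
"""Group a Postman Collection's requests by whether their host matches app.host."""
import json
from urllib.parse import urlsplit


def _request_urls(items):
    """Walk the collection tree (folders nest under 'item') and yield (name, url)."""
    for item in items:
        if "item" in item:                      # folder: recurse into its children
            yield from _request_urls(item["item"])
            continue
        url = item.get("request", {}).get("url", "")
        if isinstance(url, dict):               # v2.1 structured url object
            url = url.get("raw") or "{}://{}/{}".format(
                url.get("protocol", "http"),
                ".".join(url.get("host", [])),
                "/".join(url.get("path", [])))
        yield item.get("name", "?"), url


def partition_by_host(collection, app_host):
    """Return requests HawkScan will see (host matches app.host), requests it
    will ignore, and requests whose host is a {{variable}} only Newman's
    environment can resolve."""
    target = urlsplit(app_host).hostname.lower()
    result = {"scanned": [], "ignored": [], "unresolved": []}
    for name, url in _request_urls(collection.get("item", [])):
        host = urlsplit(url).hostname
        if host is None or "{{" in url:
            result["unresolved"].append((name, url))
        elif host.lower() == target:            # hostname compare is case-insensitive
            result["scanned"].append((name, url))
        else:
            result["ignored"].append((name, url))
    return result


# Constructed sample collection in the v2.1 layout; not a real export.
SAMPLE = {"info": {"name": "demo"}, "item": [
    {"name": "list users", "request": {"method": "GET",
        "url": "http://localhost:3000/api/users"}},
    {"name": "admin", "item": [
        {"name": "audit log", "request": {"method": "GET", "url": {
            "raw": "http://LOCALHOST:3000/admin/audit", "protocol": "http",
            "host": ["localhost"], "port": "3000", "path": ["admin", "audit"]}}}]},
    {"name": "third-party", "request": {"method": "GET",
        "url": "https://api.example.com/v1/status"}},
    {"name": "templated", "request": {"method": "POST", "url": "{{baseUrl}}/login"}},
]}

if __name__ == "__main__":
    print(json.dumps(partition_by_host(SAMPLE, "http://localhost:3000"), indent=2))
```

Requests listed under "ignored" are run by Newman but never reach the scanner, and "unresolved" entries depend on the environment file you pass to Newman.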

Under the hood

Using Custom Scan Discovery, you can get fine-grained control over how Newman or any other tool is called with your collection. Otherwise, HawkScan runs one of the following commands, with the values interpolated from your postmanConfig settings:

filePath

newman run --insecure ${postmanConfig.filePath}

collectionUID

newman run --insecure https://api.getpostman.com/collections/${postmanConfig.collectionUID}?apikey=${postmanConfig.apikey}