📮Testing APIs with POSTMAN

Testing APIs with POSTMAN and Burp Suite

You may find yourself with Swagger/OpenAPI documentation or a POSTMAN file that you need to use as part of your security assessment. Here's how to set that up.

First, download and install POSTMAN. You'll need Burp Suite too.

Now go to POSTMAN and click settings:

Turn off "SSL certificate verification" so you don't get certificate errors when Burp Suite intercepts the HTTPS traffic:

Now go to Burp Suite and open the Proxy tab. Your listener should be 127.0.0.1:8080.

Back to the POSTMAN settings, click on the Proxy tab and set the Burp Suite listener in here:

We are now ready to import that Swagger/OpenAPI or POSTMAN file. Click import:

Then paste the JSON/YAML text into the box or upload the file:

This will then populate the navigation area on the left.

You can click on any of these API requests and use them how you want to:

When you click SEND in POSTMAN, this will be sent to Burp Suite, so make sure you have intercept turned on and do your thing!
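To check that nothing in the spec was missed during testing, the following added example (not part of the original page) lists every operation an OpenAPI file defines, roughly what the import step populates on the left, and with `--send` routes each one through the Burp listener at 127.0.0.1:8080. The sample spec, the host `api.example.test`, the path-parameter placeholder and the `ca_file` option (Burp's CA certificate exported and converted to PEM) are assumptions.

```python
import json
import re
import ssl
import sys
import urllib.request

BURP_PROXY = "http://127.0.0.1:8080"  # Burp listener address from the page
METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec; api.example.test is a placeholder host.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.0", "servers": [{"url": "https://api.example.test/v1"}],
  "paths": {
    "/users": {"get": {"operationId": "listUsers"},
               "post": {"operationId": "createUser"}},
    "/users/{id}": {"parameters": [{"name": "id", "in": "path"}],
                    "get": {"operationId": "getUser"}}
  }
}""")

def list_operations(spec, placeholder="1"):
    """Return sorted (METHOD, url, operationId) tuples for each operation."""
    base = spec.get("servers", [{"url": ""}])[0]["url"].rstrip("/")
    ops = []
    for path, item in spec.get("paths", {}).items():
        url = base + re.sub(r"\{[^}]+\}", placeholder, path)
        for method, op in item.items():
            if method.lower() in METHODS:  # skips path-level "parameters"
                ops.append((method.upper(), url, op.get("operationId", "")))
    return sorted(ops, key=lambda o: (o[1], o[0]))

def burp_opener(proxy=BURP_PROXY, ca_file=None):
    """Opener routed through Burp; pass Burp's CA (PEM) to keep TLS checks on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:  # same effect as the POSTMAN setting, this opener only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx))

if __name__ == "__main__":
    opener = burp_opener() if "--send" in sys.argv else None
    for method, url, op_id in list_operations(SAMPLE_SPEC):
        print(f"{method:6} {url}  ({op_id})")
        try:
            if opener:  # each request then shows up in Burp's Proxy history
                opener.open(urllib.request.Request(url, method=method), timeout=10)
        except OSError as exc:
            print("   ", exc)
```

Comparing this list with Burp's Proxy history shows which documented operations have not been exercised yet.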

If you would like to see this in practice, take a look at the video below:
