Virtual all modern applications use APIs to communicate with internal components and 3rd party services. Postman is a cross platform API client tool which is popular with developers, QA and security testers alike. Postman provides a power and intuitive user interface for interacting with RESTful API servers. The best part is the tool has a free tier with very affordable paid tiers for collaborative capabilities, auditing and mock server support. Let’s dive into all things Postman.
Postman is like a browser for sending API requests but instead of receiving HTML you are receiving the API responses. Postman is highly configurable to enable the users to explore and manipulate APIs, test for security flaws and find hidden requests. Postman provides a myriad of methods including GET, POST, HEAD, TRACE, OPTIONS, PUT, PATCH and DELETE just to name a few. And that is not all, Postman enables users to add or manipulate params, headers and values into the body of the API requests which can help identify weakness or misconfigurations within the API.
When interacting with APIs, especially in a QA or security testing role, there will be times when you will be sending a variety of API requests. Postman tracks the history of your API requests, similar to a browsers history, but also tracks the response from the server. This is great for reviewing testing results and Postman also provides the ability to replays API requests.
Collections are predefined groupings of API requests from popular platforms such as Quickbooks, F5, MS Graph, Facebook, Github and everyone in between. Users of Postman can load up a given collection and have the foundational API requests to start building more complex requests as well as fuzz the APIs for hidden features.
Environmental Variables and Credentials
Postman also supports storing environmental variables which can be added manually by the user or populate from previous requests. This feature helps avoid having to modify values in the API request itself but rather placing variable references within the API request and storing the values with the environment store.
And of course the tool supports handling authentication and authorization functions so that users can authenticate once and interact with the targeted API servers without having to worry about authentication.