How to create a target to scan an API (Postman Collection)
To scan an API for vulnerabilities, you have to create a target that will define the scope and the behavior of the scan. To specify the API you can use a Postman Collection schema in one of two ways:
- Postman Collection URL - Provide a URL to the Postman Collection schema, and Probely fetches it to scan the API endpoints. This means that when the Postman Collection changes, Probely will use the latest changes.
- Postman Collection file - Upload a file with the Postman Collection schema, and Probely uses it to scan the API endpoints. This means that when the Postman Collection changes, a file with the latest changes should be uploaded.
As an alternative to a Postman Collection schema, you can use an OpenAPI schema. Learn more in the tutorial about how to create a target to scan an API (OpenAPI).
Prerequisites
Before creating a target, ensure you have created and verified the target domain. Learn more in this tutorial about how to create and verify a target domain.
Step 1: Create the Target
Create the target using a Postman Collection URL or a Postman Collection file.
- Postman Collection URL
- Postman Collection file
If you are using a Postman Collection URL, create the target with the following information:
- A recognizable name for the target.
- The URL of the API to scan.
- The type of target (
"type": "api"). - The type of API schema (
"api_schema_type": "postman"). - The URL of the Postman Collection schema (in
"api_schema_url").
In this request, we use the target name as My target (API), the API URL as https://api.example.com, and the Postman Collection schema URL as https://api.example.com/postman-collection.json.
curl https://api.probely.com/targets/ \
-X POST \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"site": {
"name": "My target (API)",
"url": "https://api.example.com",
"api_scan_settings": {
"api_schema_type": "postman",
"api_schema_url" : "https://api.example.com/postman-collection.json"
}
}, \
"type": "api"
}'
The response will return the newly created target with the identifier (id), and the information provided (name, url, api_schema_type, and api_schema_url).
You will find other information such as:
host- It must have the domain corresponding to the URL you provided. In this tutorial, it isapi.example.combecause the URL ishttps://api.example.com.verified- If you followed the prerequisites, it must betrue. If not, the target scans can be interpreted as malicious attacks. Learn more about how to create and verify a target domain.
{
"id": "2YWf4uvViqu3",
"site": {
"id": "3efd5U4vwGLG",
"name": "My target (API)",
"desc": "",
"url": "https://api.example.com",
"host": "api.example.com",
"has_form_login": false,
...
"stack": [],
"verified": true,
"verification_token": "5041700e-e954-4905-95d3-20324666134c",
...
"api_scan_settings": {
"api_schema_type": "postman",
"api_schema_url": "https://api.example.com/postman-collection.json",
"api_schema_file": "",
"custom_api_parameters": [],
...
}
},
...
}
If you using a Postman Collection file, start by creating the target with the following information:
- A recognizable name for the target.
- The URL of the API to scan.
- The type of target (
"type": "api"). - The type of API schema (
"api_schema_type": "postman").
In this request, we use the target name as My target (API), and the API URL as https://api.example.com,
curl https://api.probely.com/targets/ \
-X POST \
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"site": {
"name": "My target (API)",
"url": "https://api.example.com",
"api_scan_settings": {
"api_schema_type": "postman"
}
}, \
"type": "api"
}'
The response will return the newly created target with the identifier (id), and the information you provided (name, url, and api_schema_type).
You will find other information such as:
host- It must have the domain corresponding to the URL you provided. In this tutorial, it isapi.example.combecause the URL ishttps://api.example.com.verified- If you followed the prerequisites, it must betrue. If not, the target scans can be interpreted as malicious attacks. Learn more about how to create and verify a target domain.
{
"id": "2GMK1dNzZXFL",
"site": {
"id": "3pizXuyurjHx",
"name": "My target (API)",
"desc": "",
"url": "https://api.example.com",
"host": "api.example.com",
"has_form_login": false,
...
"stack": [],
"verified": true,
"verification_token": "5041700e-e954-4905-95d3-20324666134c",
...
"api_scan_settings": {
"api_schema_type": "postman",
"api_schema_url": null,
"api_schema_file": null,
"custom_api_parameters": [],
...
}
},
...
}
Step 2: Upload the API schema file
The next step is to upload the Postman Collection file with the schema.
In this request, we use a Postman Collection schema file in JSON format located at /Users/TheUserName/Downloads/postman-collection.json.
curl 'https://api.probely.com/targets/ZjvNQa2shD17/upload_api_schema_file/' \
-X POST |
-H 'Authorization: JWT <YOUR_API_TOKEN>' \
-H 'Content-Type: application/json' \
-F 'file=@"/Users/TheUserName/Downloads/postman-collection.json"'
The response will return the target with the path of the uploaded API schema file in api_schema_file.
{
"id": "ZjvNQa2shD17",
"site": {
"id": "HPVA4pT6Epa3",
"name": "My target (API)",
"desc": "",
"url": "https://api.example.com",
"host": "api.example.com",
...
"api_scan_settings": {
"api_schema_type": "postman",
"api_schema_url": null,
"api_schema_file": "/targets/5TTehNQhBQvN/download_api_schema_file/",
"custom_api_parameters": [],
...
}
},
...
}
Now that your target has been created, you can start a scan. Learn more in how to start a scan.