Table of contents
1. Introduction
2. Viewing security warnings during API testing
3. Security warnings
  3.1. Security misconfiguration
  3.2. CORS misconfiguration
  3.3. Unencrypted communication
  3.4. Cache poisoning
    3.4.1. Issue description
    3.4.2. Possible fix
  3.5. Cross-site request forgery
  3.6. Broken user authentication
    3.6.1. Authentication data exposure over unsecured protocol
    3.6.2. No authentication
  3.7. Excessive data exposure
    3.7.1. Information exposure
    3.7.2. Private IP exposure
    3.7.3. Information exposure in URL
  3.8. Injection
    3.8.1. SQL injection
  3.9. Cross-site scripting
    3.9.1. Sensitive cookie without HttpOnly flag
    3.9.2. Sensitive cookie without secure flag
    3.9.3. Clickjacking
    3.9.4. MIME sniffing
4. Frequently Asked Questions
  4.1. Is Postman a REST API?
  4.2. Can Postman's global variables share the same names?
  4.3. What is SCIM provisioning?
  4.4. What does Postman's collection mean?
5. Conclusion
Last Updated: Mar 27, 2024

API testing warnings and security warnings related to API testing in Postman


Introduction

Postman is a top-rated API platform used for building and using APIs. It is user-friendly: it simplifies each step of the API lifecycle and streamlines collaboration, helping users create better APIs faster. It lets users perform tasks such as making requests, testing APIs, and building and managing APIs.

In today's article, we will see that Postman recommends you follow common security best practices at the API testing phase of API development. A security warning from Postman doesn't mean that your API is broken. Instead, it indicates potential security risks to which your API might be vulnerable. Postman highlights these security warnings and helps you understand their implications and possible ways to fix them.

Viewing security warnings during API testing

When you send a request, Postman scans it for potential security risks.

If it detects any, Postman notifies you with a dot on the security overview icon in the right sidebar.

  1. Select the icon to view the warnings.
  2. For more details, select a warning to expand it.
  3. Select "Possible fix" to learn about possible ways to fix the underlying problem.

Image: viewing security warnings in the right sidebar

Image: Postman notifying us of any potential risks

Security warnings

These security warnings indicate potential security risks to which your API might be vulnerable.

Security misconfiguration

A security misconfiguration can result from many issues, including:

  • Overly permissive cross-origin resource sharing (CORS)
  • Insecure default configurations
  • Incomplete or ad-hoc configurations
  • Open cloud storage
  • Misconfigured HTTP headers
  • Unnecessary HTTP methods
  • Verbose error messages that contain sensitive information

CORS misconfiguration

Cross-origin resource sharing (CORS) is a browser mechanism that enables controlled access to resources outside a given domain. It adds flexibility to the same-origin policy (SOP). However, if a website's CORS policy isn't configured and implemented correctly, it also opens the door to cross-domain attacks. CORS isn't a protection against cross-origin attacks such as cross-site request forgery (CSRF).
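The following is an added example, not code from the article or from Postman: a small audit of a response's CORS headers that flags the combinations described above (a wildcard or "null" origin, an unknown Origin echoed back, and a per-origin answer without Vary: Origin). The allowlist of origins the API is meant to serve is an assumption supplied by the caller.

```javascript
// Added example (not from the article): audit a response's CORS headers.
// requestOrigin: the Origin header the request carried (null if none).
// headers: response headers as a name -> value object (any letter case).
// allowedOrigins: assumed allowlist of origins the API is meant to serve.
function auditCors(requestOrigin, headers, allowedOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const warnings = [];
  if (acao === undefined) return warnings; // no cross-origin access granted at all

  // Any origin plus credentials: browsers refuse the combination, but the
  // intent is clearly too permissive.
  if (acao === '*' && credentials) warnings.push('wildcard origin combined with credentials');

  // "null" is sent by sandboxed iframes and data: URLs, so it is not a safe origin.
  if (acao === 'null') warnings.push('"null" origin allowed');

  // The server echoed an Origin that is not on its allowlist.
  if (requestOrigin && acao === requestOrigin && !allowedOrigins.includes(requestOrigin)) {
    warnings.push(credentials ? 'unknown Origin reflected with credentials' : 'unknown Origin reflected');
  }

  // Per-origin answers must carry Vary: Origin, or a shared cache can hand
  // one origin's response to another (see the cache poisoning section).
  if (acao !== '*' && !/\borigin\b/i.test(h['vary'] || '')) {
    warnings.push('per-origin Allow-Origin without Vary: Origin');
  }
  return warnings;
}
```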

Unencrypted communication

Suppose a website allows a connection through HTTP and redirects to HTTPS. In that case, visitors may first communicate with the non-encrypted version of the site before they get redirected if, for example, the visitor types www.example.com or even example.com. This creates an opportunity for a manipulator-in-the-middle attack: the redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

Cache poisoning

This attack exploits Cache-Control behavior to serve users a harmful response. The impact of a maliciously constructed response is magnified if it's cached, either by a web cache shared by multiple users or even by the browser cache of a single user.

Issue description

The Cache-Control header is missing or isn't configured correctly. This allows the browser and proxies to cache content. This might be the intended behavior for static assets like CSS, JavaScript, or image files, but you should review the assets to ensure that sensitive content won't be cached.

Possible fix

For secure content, ensure the Cache-Control header is set with no-cache, no-store, and must-revalidate. If an asset should be cached, consider setting the directives public, max-age, and immutable.
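As an added example (not code from the article or from Postman), the check below parses a Cache-Control header and reports the directives the fix above calls for: no-cache, no-store and must-revalidate on sensitive responses, and max-age on assets that are meant to be cached. The `sensitive` flag is an assumption the caller supplies.

```javascript
// Added example (not from the article): parse a Cache-Control header and
// report settings that conflict with how the response should be cached.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || '').split(',')) {
    const [name, raw] = part.trim().toLowerCase().split('=');
    if (name) directives[name] = raw === undefined ? true : raw.replace(/"/g, '');
  }
  return directives;
}

// sensitive = true for responses that carry user data, tokens or other
// content that must not land in a browser or proxy cache.
function auditCacheControl(value, sensitive) {
  const d = parseCacheControl(value);
  const warnings = [];
  if (Object.keys(d).length === 0) {
    warnings.push('Cache-Control missing: browsers and proxies may cache this response');
    return warnings;
  }
  if (sensitive) {
    for (const required of ['no-cache', 'no-store', 'must-revalidate']) {
      if (!d[required]) warnings.push(`sensitive response lacks ${required}`);
    }
    if (d.public) warnings.push('sensitive response marked public');
  } else {
    if (d['max-age'] === undefined) warnings.push('static asset has no max-age');
    if (d['no-store']) warnings.push('static asset marked no-store and will never be cached');
  }
  return warnings;
}
```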

Cross-site request forgery

Cookies aren't sent on normal cross-site sub-requests (for example, to load images or frames into a third-party site), but they're sent when a user navigates to the origin site (in other words, when they follow a link).

Issue description

A cookie with SameSite set to None isn't using the Secure attribute. This might allow an attacker to access the cookie by simulating an XSS attack on the client.

Possible fix

Use the Secure attribute to prevent a cookie with SameSite=None from being accessed by an XSS attack.

Broken user authentication

If an authentication mechanism is implemented incorrectly, attackers might be able to compromise authentication tokens or exploit implementation flaws to assume other users' identities, permanently or temporarily. When a system's ability to identify the user is compromised, the overall security of the API is compromised.

Authentication data exposure over unsecured protocol

Issue description

Authentication credentials can be leaked over an unsecured protocol. An attacker can intercept the request and access these credentials.

Possible fix

Use the HTTPS protocol to encrypt the traffic transported on the network.

No authentication

Issue description

No authentication scheme is being used to authenticate the user's identity. An attacker can misuse the API to exploit the system.

Possible fix

Use an authentication strategy (like OAuth, OpenID Connect, API key, or HTTP authentication) to verify the user's identity.

Excessive data exposure

Sometimes developers, aiming for generic implementations of their API, expose all object properties without considering their sensitivity, relying on clients to filter the data before displaying it to the user.

Information exposure

If an API inadvertently discloses sensitive information like the file's location that produced an unhandled exception, this information can be used to launch further attacks against a web application.

Bad actors might provide invalid inputs to the API to get more information about the underlying system used to power the API. Suppose the invalid inputs aren't handled correctly. In that case, the API will return the stack trace of the error, which includes the origin of the error, packages used in the service, the directory path of the server, and information about the underlying technology used to build the API.

Private IP exposure

Issue description

The HTTP response body contains a private IP address (such as 10.x.x.x, 172.x.x.x, 192.168.x.x). An attacker could use this information to target internal systems.

Possible fix

Remove the private IP address from the HTTP response body. For comments, use server-side comments (JSP, ASP.NET, or PHP) instead of HTML or JavaScript comments, which client browsers can see.
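An added example, not code from the article or from Postman, that scans a response body for private IPv4 addresses. It goes a little beyond the "172.x.x.x" shorthand above by applying the exact RFC 1918 ranges, so an address such as 172.64.1.1 is public and is not reported. The sample response body is constructed for the example.

```javascript
// Added example (not from the article): scan a response body for RFC 1918
// private IPv4 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Returns the distinct private addresses found, in order of first appearance.
function findPrivateIPs(body) {
  const candidates = body.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [];
  return [...new Set(candidates.filter(isPrivateIPv4))];
}

// Constructed sample response body (not real data): a health endpoint that
// leaks its upstream and database hosts next to harmless dotted values.
const SAMPLE_RESPONSE = JSON.stringify({
  status: 'ok',
  version: '2.0.1.0',
  upstream: 'http://10.0.12.7:8080/health',
  cdn: '172.64.1.1',
  database: { host: '192.168.10.5', port: 5432 },
});
```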

Information exposure in URL

If information is exposed in a URL, this can allow attackers to access sensitive information like usernames, passwords, and API tokens.

Injection

Injection flaws such as SQL, NoSQL, and command injection can occur when untrusted data is given to an interpreter as part of a query or command. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

SQL injection

SQL injection is an attack vector that uses malicious SQL code for database manipulation to access information that wasn't intended to be displayed. This might include sensitive information like company data, user lists, or private customer details.

Issue description

The SQL error stack trace is exposed in the response body. This might allow an attacker to interfere with the queries that an application makes to its database. It might also allow an attacker to view data that they wouldn't usually be able to retrieve.

Possible fix

SQL injection can be avoided by using parameterized queries instead of string concatenation within a query.
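The detection below is an added example, not code from the article or from Postman. It serves both the information exposure section (stack traces, package paths and server directories in an error response) and the SQL injection issue above (a database error leaking into the response body), using well-known error strings of common database engines. The sample response body is constructed for the example.

```javascript
// Added example (not from the article): flag error details that an API
// response should never carry. Signature strings are the standard error
// messages of the named engines; paths and frames use common layouts only.
const SQL_ERROR_SIGNATURES = [
  ['mysql', /You have an error in your SQL syntax/i],
  ['postgresql', /(?:PG::\w+Error|syntax error at or near)/],
  ['sqlite', /(?:SQLITE_ERROR|near ".*": syntax error)/],
  ['oracle', /\bORA-\d{5}\b/],
  ['mssql', /(?:Unclosed quotation mark after the character string|Incorrect syntax near)/],
];
// Node-style "at fn (file:line:col)" frames and Python-style "File ..., line N" frames.
const STACK_FRAME = /^\s*at .+\(.+:\d+:\d+\)|^\s*File ".+", line \d+/m;
// Unix server directories and Windows drive paths.
const SERVER_PATH = /\/(?:home|var|usr|srv|app|opt)\/[\w./-]+|[A-Za-z]:\\[\w\\.-]+/g;

function auditErrorExposure(body) {
  const findings = [];
  for (const [engine, re] of SQL_ERROR_SIGNATURES) {
    if (re.test(body)) findings.push(`sql-error:${engine}`);
  }
  if (STACK_FRAME.test(body)) findings.push('stack-trace');
  if ((body.match(SERVER_PATH) || []).length > 0) findings.push('server-path');
  return findings;
}

// Constructed sample (not real data): an unhandled MySQL driver error returned verbatim.
const SAMPLE_ERROR_BODY = [
  'Error: ER_PARSE_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version',
  '    at Query.Sequence._packetToError (/srv/api/node_modules/mysql/lib/protocol/sequences/Sequence.js:47:14)',
  '    at Query.ErrorPacket (/srv/api/node_modules/mysql/lib/protocol/sequences/Query.js:79:18)',
].join('\n');
```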

Cross-site scripting

Cross-site scripting (XSS) attacks are a type of injection in which a malicious script is injected into a trusted website.

Sensitive cookie without HttpOnly flag

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Use the HttpOnly flag when generating a cookie to help mitigate the risk of client-side script accessing the protected cookie.

Issue description

A cookie was set without the HttpOnly flag. This means that JavaScript can access the cookie. If attackers run a malicious script on this page, then the cookie will be accessible and can be transmitted to another site. If this is a session cookie, session hijacking may be possible.

Possible fix

Set the HttpOnly flag for all cookies.

Sensitive cookie without secure flag

The browser won't send a cookie with the Secure attribute set over an unencrypted HTTP request.

By setting the Secure attribute, the browser will prevent the transmission of a cookie over an unencrypted channel.

Issue description

A cookie was set without the Secure flag. This could allow an attacker to access the cookie using an unencrypted connection.

Possible fix

If a cookie contains sensitive information or is a session token, ensure that it's passed using an encrypted channel and that the Secure flag is set.
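One check covering the three cookie findings on this page, the SameSite=None cookie without Secure in the cross-site request forgery section and the missing HttpOnly and Secure flags here, as an added example that is not code from the article or from Postman. The `sensitive` flag marking session tokens is an assumption the caller supplies.

```javascript
// Added example (not from the article): parse a Set-Cookie header and flag
// a missing Secure flag, a missing HttpOnly flag on a sensitive cookie, and
// SameSite=None without Secure.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq >= 0 ? pair.slice(0, eq) : pair, attributes: {} };
  for (const attr of attrs) {
    const [key, value] = attr.split('=');
    // Flag attributes (Secure, HttpOnly) have no value; store them as true.
    if (key) cookie.attributes[key.toLowerCase()] = value === undefined ? true : value;
  }
  return cookie;
}

// sensitive = true for session tokens and anything else script must not read.
function auditCookie(header, sensitive) {
  const { name, attributes: a } = parseSetCookie(header);
  const warnings = [];
  if (!a.secure) warnings.push(`${name}: missing Secure, may be sent over plain HTTP`);
  if (sensitive && !a.httponly) warnings.push(`${name}: missing HttpOnly, readable by JavaScript`);
  if (String(a.samesite || '').toLowerCase() === 'none' && !a.secure) {
    warnings.push(`${name}: SameSite=None requires Secure`);
  }
  return warnings;
}
```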

Clickjacking

Clickjacking, also called a "UI redress attack," is when an attacker uses multiple transparent layers to trick a user into clicking on a link or button on another page when they intended to click on the top-level page. This enables the attacker to hijack clicks meant for one page and route them to another page, most likely owned by another domain, application, or both.

MIME sniffing

Issue description

The X-Content-Type-Options header isn't configured correctly. This might allow an attacker to successfully upload an HTML file disguised as a different file type that the web server accepts (for example, a JPEG or a .ZIP file). The browser will render the uploaded file as an HTML file, which allows the attacker to execute an XSS attack.

Possible fix

To turn off MIME sniffing in the IE and Chrome browsers, use the X-Content-Type-Options: nosniff HTTP header. This requires the browser to use the MIME type sent by the server. Since the browser will no longer analyze the file, the website owner must ensure that they're sending the appropriate MIME information.

Frequently Asked Questions

Is Postman a REST API?

Postman started as a REST client and has since developed into the extensive Postman API Platform it is today.

Can Postman's global variables share the same names?

Global variables have a workspace-specific and constrained scope. Because of this, global scope variables cannot share names. Local variables can share names, but they must be a component of distinct variables.

What is SCIM provisioning?

Essentially, SCIM provisioning enables businesses to effectively manage user identities in the cloud and add or delete people inside their organization, positively affecting budgets, lowering risk, and streamlining workflows.

What does Postman's collection mean?

A collection of saved requests is called a Postman Collection. Every request you make in Postman is recorded in the sidebar's History tab.

Conclusion

We hope this blog has helped you enhance your knowledge about Postman and the various API testing warnings and security warnings related to API testing.


Happy Learning!

 
