Scanning with a Postman Collection

You can use your existing Postman automation test scripts, also known as collections, to conduct scans of REST API applications. This topic provides general information about Postman and the additional third-party software that is required.

What is Postman?

Postman is an API development environment that allows you to design, collaborate on, and test APIs. Postman lets you create collections for your API calls, where each collection can be organized into subfolders and multiple requests. You can import and export collections, making it easy to share files across your development and testing environment. Through the use of a Collection Runner such as Newman, tests can be run in multiple iterations, saving time on repetitive tests.

Benefits of a Postman Collection

A REST API application does not expose all of its endpoints in a format that a human with a browser or an automated crawler can consume. It is often simply a set of endpoints that accept POST, PUT, and GET requests with a specific set of request data. To successfully audit these endpoints, Fortify WebInspect needs to understand key details about the API. A well-defined Postman collection exposes these endpoints so that Fortify WebInspect can audit the API application.

Known Limitations with Postman Variables

Fortify WebInspect does not support Global variables or Data variables in Postman. However, it does support Environment and Collection variables, as well as Local variables in a collection.

As a workaround, you can specify Global variables and Data variables in an Environment, which is a set of variables that you can use in your Postman requests.
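As an added example (not Fortify or Postman code), the script below does the two pre-flight checks a practitioner wants before handing a collection to a scanner: it lists the endpoints a v2.0/2.1 collection actually exposes (the point of the "Benefits" section), and it flags `{{variable}}` references that resolve neither from the collection's own variables nor from an environment file, which is the situation the limitation above describes for Global and Data variables. The collection and environment JSON are constructed for the example; the `orders-api` endpoints, variable names and host are placeholders.

```python
"""Inspect a Postman v2.x collection before scanning it.

Added example, not Fortify or Postman code. Lists endpoints and reports
{{variables}} that neither the collection nor an environment defines.
Collection and environment JSON below are constructed samples.
"""
import json
import re

VAR_RE = re.compile(r"\{\{([^{}]+)\}\}")

# Constructed sample: a v2.1 collection with a nested folder and one request
# that relies on a variable the collection itself does not define.
SAMPLE_COLLECTION = json.dumps({
    "info": {"name": "orders-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"}],
    "item": [
        {"name": "List orders",
         "request": {"method": "GET", "url": {"raw": "{{baseUrl}}/orders"}}},
        {"name": "Admin", "item": [
            {"name": "Create order",
             "request": {"method": "POST",
                         "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
                         "url": {"raw": "{{baseUrl}}/orders?tenant={{tenantId}}"}}}]},
    ],
})

# Constructed environment: supplies the token but not tenantId (the workaround
# for Global/Data variables is to move them into an environment like this).
SAMPLE_ENVIRONMENT = json.dumps({
    "name": "staging",
    "values": [{"key": "token", "value": "REDACTED-EXAMPLE", "enabled": True}],
})


def schema_version(collection):
    """Return '2.0' or '2.1' from info.schema, or None for anything else."""
    schema = collection.get("info", {}).get("schema", "")
    m = re.search(r"/collection/v(2\.[01])\.\d+/", schema)
    return m.group(1) if m else None


def walk_requests(items, path=()):
    """Yield (folder path, request dict) for every request, recursing into folders."""
    for item in items:
        if "item" in item:  # a folder
            yield from walk_requests(item["item"], path + (item["name"],))
        elif "request" in item:
            yield path + (item["name"],), item["request"]


def request_url(req):
    url = req.get("url", "")
    return url if isinstance(url, str) else url.get("raw", "")


def endpoints(collection):
    """Method and URL template for each request, in collection order."""
    return [(req.get("method", "GET"), request_url(req))
            for _, req in walk_requests(collection.get("item", []))]


def referenced_variables(req):
    """Every {{name}} mentioned in the URL, headers or raw body of a request."""
    texts = [request_url(req)]
    texts += [h.get("value", "") for h in req.get("header", [])]
    body = req.get("body", {})
    if isinstance(body, dict):
        texts.append(body.get("raw", ""))
    return {m for t in texts for m in VAR_RE.findall(t)}


def unresolved_variables(collection, environment=None):
    """Variables a request uses that neither collection nor environment defines.

    Local variables set by scripts cannot be seen statically, so a name listed
    here is a prompt to check the collection, not proof that the scan will fail.
    """
    known = {v["key"] for v in collection.get("variable", [])}
    if environment:
        known |= {v["key"] for v in environment.get("values", []) if v.get("enabled", True)}
    missing = {}
    for path, req in walk_requests(collection.get("item", [])):
        gaps = referenced_variables(req) - known
        if gaps:
            missing[" / ".join(path)] = sorted(gaps)
    return missing


def check(collection_json, environment_json=None):
    collection = json.loads(collection_json)
    environment = json.loads(environment_json) if environment_json else None
    return {"schema": schema_version(collection),
            "endpoints": endpoints(collection),
            "unresolved": unresolved_variables(collection, environment)}


if __name__ == "__main__":
    print(json.dumps(check(SAMPLE_COLLECTION, SAMPLE_ENVIRONMENT), indent=2))
```

Run it against your own exported collection and environment by reading the two files into `check()`; a non-empty `unresolved` map means a request still depends on a Global or Data variable that must be moved into the environment before the scan.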

Options for Postman Scans

You can conduct a Postman scan using one of the following options:

Postman Prerequisites

A Postman collection in version 2.0 or 2.1 format is required for conducting scans in Fortify WebInspect. Additionally, you must install the Newman command-line collection runner, Node.js, and Node Package Manager (npm). For specific version information and additional instructions, see the Micro Focus Fortify Software System Requirements.

Using Client Certificates with Postman

To use a client certificate as authentication for a Postman scan, the certificate file format must be supported by Windows. If the client certificate is not Windows-compatible, you can convert the certificate to a Windows-compatible format and then use the converted file for your Postman scan.

The following table describes the process for converting and using a client certificate with Postman.

Stage  Description
1      Use a tool such as OpenSSL to convert the certificate to a Windows format.
2      Install the converted certificate in the Windows certificate store on the machine where Fortify WebInspect is installed.
3      Add the certificate to the Scan Settings: Authentication. For more information, see Scan Settings: Authentication.
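The following is an added example for stage 1, not Fortify tooling or documentation. Before converting, it checks that a PEM file really carries both the certificate and its private key (a client certificate without its key cannot authenticate anything), then builds and runs the OpenSSL command that bundles them into a PKCS#12 (.pfx) container, which is the form the Windows certificate store imports. The sample PEM, the file names and the `PFX_PASS` environment variable are placeholders; the base64 bodies are dummies, since only the block labels are inspected.

```python
"""Pre-flight and conversion of a PEM client certificate to PKCS#12 for Windows.

Added example, not Fortify code. Checks a PEM file for certificate plus
private key, then runs 'openssl pkcs12 -export'. Sample data is constructed.
"""
import re
import subprocess

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample: certificate and key in one PEM file, dummy base64 bodies.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\nMIIBdummyCERT==\n-----END CERTIFICATE-----\n"
    b"-----BEGIN PRIVATE KEY-----\nMIIEdummyKEY==\n-----END PRIVATE KEY-----\n"
)


def pem_labels(data: bytes) -> list:
    """Labels of the PEM blocks in the file, in order."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def classify(data: bytes) -> str:
    """'pem' for PEM text, 'der' for a DER/PKCS#12-style binary container, else 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: DER certificate or PKCS#12 bundle
        return "der"
    return "unknown"


def client_auth_ready(data: bytes) -> bool:
    """True when the PEM holds a certificate and a private key to go with it."""
    labels = set(pem_labels(data))
    return "CERTIFICATE" in labels and bool(labels & KEY_LABELS)


def pkcs12_export_args(cert_path, key_path, out_path, passphrase_env="PFX_PASS"):
    """argv for OpenSSL's PKCS#12 export; the export pass phrase is read from
    an environment variable rather than placed on the command line."""
    return ["openssl", "pkcs12", "-export", "-in", cert_path, "-inkey", key_path,
            "-out", out_path, "-passout", f"env:{passphrase_env}"]


def convert(cert_path, key_path, out_path):
    """Run the export; raises CalledProcessError if OpenSSL rejects the input."""
    with open(cert_path, "rb") as f:
        pem = f.read()
    if classify(pem) != "pem" or not client_auth_ready(pem):
        raise ValueError(f"{cert_path}: need a PEM file with CERTIFICATE and private key blocks")
    subprocess.run(pkcs12_export_args(cert_path, key_path, out_path), check=True)
    # Verify the container parses before importing it into the certificate store.
    subprocess.run(["openssl", "pkcs12", "-in", out_path, "-info", "-noout",
                    "-passin", "env:PFX_PASS"], check=True)


if __name__ == "__main__":
    print(classify(SAMPLE_PEM), pem_labels(SAMPLE_PEM), client_auth_ready(SAMPLE_PEM))
    print(" ".join(pkcs12_export_args("client.pem", "client-key.pem", "client.pfx")))
```

Set `PFX_PASS` in the environment, call `convert("client.pem", "client-key.pem", "client.pfx")`, then import `client.pfx` into the personal store on the WebInspect machine (stage 2) and select it under Scan Settings: Authentication (stage 3).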