Scanning with a Postman collection
You can use your existing Postman automation test scripts, also known as collections, to conduct scans of REST API applications. This topic provides general information about Postman and the additional third-party software that is required.
What is Postman?
Postman is an API development environment that enables you to design, collaborate on, and test APIs. Postman lets you create collections for your API calls, where each collection can be organized into subfolders and multiple requests. You can import and export collections, making it easy to share files across your development and testing environment. Through the use of a Collection Runner such as Newman, tests can be run in multiple iterations, saving time on repetitive tests.
Benefits of a Postman collection
A REST API application does not expose all of its endpoints in a format that a human with a browser or an automated crawler can consume. It is often simply a set of endpoints that accept various POST, PUT, and GET requests, each with a specific set of request data. To successfully audit these endpoints, OpenText DAST needs to understand key details about the API. A well-defined Postman collection can expose these endpoints so that OpenText DAST can audit the API application.
Known limitations with Postman variables
OpenText DAST does not support Data variables in Postman. However, it does support Collection, Global, and Environment variables, as well as Local variables in a collection.
As a workaround, you can specify Data variables in an Environment, which is a set of variables that you can use in your Postman requests.
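The workaround above, as an added example that is not OpenText's or Postman's own code: a small Python script that reads a Newman-style data file (CSV with a header row, or a JSON array of objects) and writes one iteration's row out as a Postman Environment file, because an Environment holds a single value per key, not one per iteration. The environment layout follows Postman's export format; the sample data, the file name and the `secret_keys` option are constructed assumptions.

```python
import csv
import io
import json
import uuid

# Constructed sample of the kind of data file passed to Newman with -d:
# two iterations, each with its own API key and user id.
SAMPLE_CSV = (
    "baseUrl,apiKey,userId\n"
    "https://api.example.test,key-iter-1,101\n"
    "https://api.example.test,key-iter-2,102\n"
)


def load_data_rows(text):
    """Parse a Newman data file: CSV with a header row, or a JSON array of objects."""
    stripped = text.lstrip()
    if stripped.startswith("["):
        # JSON data files may carry numbers; Postman variables are strings.
        return [{str(k): str(v) for k, v in row.items()} for row in json.loads(stripped)]
    return list(csv.DictReader(io.StringIO(text)))


def data_row_to_environment(row, name, secret_keys=()):
    """Build a Postman Environment (export format) from one data-file row."""
    values = [
        {
            "key": key,
            "value": value,
            # "secret" masks the value in the Postman UI; the file itself still holds it.
            "type": "secret" if key in secret_keys else "default",
            "enabled": True,
        }
        for key, value in row.items()
    ]
    return {
        "id": str(uuid.uuid4()),
        "name": name,
        "values": values,
        "_postman_variable_scope": "environment",
    }


def convert(text, iteration=0, name="dast-scan", secret_keys=()):
    """Pick one iteration of the data file and return it as an Environment dict."""
    rows = load_data_rows(text)
    if not rows:
        raise ValueError("data file has no rows")
    if not 0 <= iteration < len(rows):
        raise IndexError(f"iteration {iteration} out of range (0..{len(rows) - 1})")
    return data_row_to_environment(rows[iteration], name, secret_keys)


if __name__ == "__main__":
    env = convert(SAMPLE_CSV, iteration=0, secret_keys=("apiKey",))
    with open("dast-scan.postman_environment.json", "w", encoding="utf-8") as fh:
        json.dump(env, fh, indent=2)
```

Import the resulting file as an Environment in Postman (or pass it to the scan alongside the collection) and the requests that referenced `{{baseUrl}}`, `{{apiKey}}` and `{{userId}}` resolve without Data variables.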
Options for Postman scans
You can conduct a Postman scan using one of the following options:
- API Scan Wizard (See Using the API Scan Wizard)
- WI.exe or the OpenText DAST REST API (See Postman API scan using WI.exe or OpenText DAST REST API)
Postman prerequisites
A Postman collection version 2.0 or 2.1 is required for conducting scans in OpenText DAST. Additionally, you must install the Newman command-line collection runner, Node.js, and Node Package Manager (NPM). For specific version information and additional instructions, see the OpenText™ Application Security Software System Requirements.
Using client certificates with Postman
To use a client certificate as authentication for a Postman scan, the certificate file format must be supported by Windows. If the client certificate is not Windows-compatible, you can convert the certificate to a Windows-compatible format and then use the converted file for your Postman scan.
The following table describes the process for converting and using a client certificate with Postman.
| Stage | Description |
|---|---|
| 1. | Use a tool such as OpenSSL to convert the certificate to a Windows format. |
| 2. | Install the converted certificate in the Windows certificate store on the machine where OpenText DAST is installed. |
| 3. | Add the certificate to the Scan Settings: Authentication. For more information, see Scan settings: Authentication. |