AP 101: Using Postman with Burp (20 pts extra)

What You Need

Purpose

To find sensitive data exposed via API requests to an OWASP crAPI training server. We will use Postman in addition to Burp.

Connecting to crAPI

Open Burp. Click the Proxy tab. Click the Intercept tab.

Click the "Intercept is on" button so it changes to "Intercept is off".

Click the "Open Browser" button.

In Burp's browser, go to

https://crAPI.samsclass.info

The crAPI login page opens, as shown below.

Signing Up for an Account

In Burp's browser, on the crAPI login page, click the SignUp link.

Fill in the form with test data of your choice, as shown below. Then click the Signup button.

You should see a message saying "User Registered Successfully!".

Viewing a Signup Request

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, click the "POST /identity/api/auth/signup" line.

In the lower pane, on the Request tab, you can see the request used to sign up.

Notice these features:

Getting Postman

Postman is the main tool used to work with APIs. Download and install it from this site:

https://www.postman.com/downloads/

Starting Postman

Launch Postman. If it asks you to set up an account, click "Skip signing up and take me straight to the app".

From the main Postman page, in the top center, click the + sign, outlined in green in the image below, to open a new tab.

Building a Request

A tab titled "Untitled Request" opens, as shown below.

Here you can build an HTTP request.

Make these selections, to match the request you see in Burp:

Under the POST line, click the Body tab. Make these selections:

Your request should look like the image below, but with a different username:

Using the Burp Proxy in Postman

In Postman, at the top right, click the gear icon, outlined in green in the image above.

Click Settings.

In SETTINGS, on the General tab, click the "SSL certificate verification" slider to turn it OFF, as shown below.

If you don't do this, Postman will refuse the certificates Burp presents, because they are signed by Burp's own CA rather than a publicly trusted one.

In SETTINGS, click the Proxy tab.

Check the "Add a custom proxy configuration" box, and set the server to 127.0.0.1 on port 8080, as shown below.

Then close the SETTINGS box.

Sending the Signup Request

In Postman, on the right side, click the blue Send button.

The lower pane should show "User registered successfully! Please Login.", as shown below.

Flag AP 101.1: User-Agent (10 pts)

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, click the most recent "POST /identity/api/auth/signup" line.

In the lower pane, on the Request tab, you see the request sent by Postman.

The flag is covered by a green rectangle in the image below.

Logging In

In Burp's browser, log in with the email and password you chose when signing up.

Getting the Bearer Token

In Burp, on the Proxy tab, on the "HTTP history" sub-tab, you see a POST request to /identity/api/auth/login, followed by several GET requests.

Click the GET requests to /identity/api/v2/vehicle/vehicles.

As shown below, the Request tab shows an Authorization header with a long blob of Base64-encoded data. This is a Bearer Token.

Highlight the blob of Base64-encoded data and copy it, as shown below.
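The following is an added example, not part of the original lab. It shows what a copied bearer token carries before you store it in Postman. It assumes the token is a three-part JWT (the page only calls it Base64-encoded data); the sample token and its claims are constructed, and the code runs in Node.js.

```javascript
// Added example: inspect a bearer token copied from Burp.
// Assumption: the token is a JWT (header.payload.signature, base64url).

// Decode one base64url segment into an object (JWT segments omit '=' padding).
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Accepts either the raw token or the whole "Bearer ..." header value.
function inspectBearerToken(headerValue, nowSeconds = Math.floor(Date.now() / 1000)) {
  const token = headerValue.replace(/^Bearer\s+/i, "").trim();
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a three-part JWT; treat the token as opaque");
  }
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  const hasExp = typeof claims.exp === "number";
  return {
    algorithm: header.alg,            // signing algorithm named by the token
    subject: claims.sub,              // whose account the token speaks for
    expiresAt: hasExp ? new Date(claims.exp * 1000).toISOString() : null,
    expired: hasExp ? claims.exp <= nowSeconds : false,
    claimNames: Object.keys(claims).sort(),
  };
}

// Constructed sample token; the signature part is a dummy value.
function makeSampleToken() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const header = { alg: "RS256" };
  const claims = { sub: "student@example.com", role: "user",
                   iat: 1700000000, exp: 1700604800 };
  return [enc(header), enc(claims), "c2lnbmF0dXJl"].join(".");
}

console.log(inspectBearerToken("Bearer " + makeSampleToken(), 1700000100));
```

The payload is only encoded, not encrypted, so anyone who obtains a saved or exported Collection containing the token can read these claims and use the token until it expires.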

Creating a Postman Collection

We'll make a Collection to contain the authenticated API requests for the crAPI server.

In Postman, on the left side, verify that Collections is selected. Then click the + sign next to "Collections", outlined in red in the image below, to create a new Collection.

Name your Collection crAPI, as outlined in green in the image below.

Adding the Bearer Token to Postman

In the center pane, the Authorization tab is selected.

Select a Type of "Bearer Token". Paste in your Token value, as shown below.

At the top right, click the floppy disk icon, outlined in blue in the image below, to save your authorization credentials.

Now the requests in the crAPI container will be authorized by your account.

Posting to the Community

In the Burp browser, at the top, click Community. Click the "New Post" button, as shown below, and add a new post with any title and comment you choose.

A box pops up saying "Post Created". Click OK.

Examining the Recent Posts Request

In Burp, examine the request:

GET /community/api/v2/community/posts/recent

This is a GET request, as shown below.

Sending the Recent Posts Request from Postman

In Postman, on the left side, in the crAPI container, click "Add a request".

In Burp, right-click the request and click "Copy URL".

Paste the URL into Postman, as shown below.

Flag AP 101.2: External API Endpoint (10 pts)

In Postman, click the blue Send button.

The response appears in the lower pane.

Scroll down to see that this response contains sensitive information about each user who posted, such as user IDs, email addresses, and vehicle IDs.

Search all the JavaScript files used on this page, and find the URL matching the image below.

The flag is covered by a green rectangle in the image below.
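The following is an added example, not part of the original lab. It audits a "recent posts" style response for the kind of per-user data described above, then shows the allowlist serialisation that removes it. The key names, the toPublicPost helper, and the sample response are constructed for illustration and are not crAPI's actual schema.

```javascript
// Added example: find per-user data in a public listing response.
// Key names and the sample body are assumptions, not crAPI's real schema.
const KEY_RULES = [
  { kind: "email", re: /e-?mail/i },
  { kind: "vehicle id", re: /vehicle_?id/i },
  { kind: "user id", re: /^user_?id$/i },
];
const EMAIL_VALUE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Walk the JSON tree and return the path of every scalar that looks sensitive.
function findExposedFields(node, path = "$", findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExposedFields(item, `${path}[${i}]`, findings));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      const child = `${path}.${key}`;
      if (value !== null && typeof value === "object") {
        findExposedFields(value, child, findings);
        continue;
      }
      const rule = KEY_RULES.find((r) => r.re.test(key));
      if (rule) {
        findings.push({ path: child, kind: rule.kind });
      } else if (typeof value === "string" && EMAIL_VALUE.test(value)) {
        findings.push({ path: child, kind: "email" }); // caught by value, not key
      }
    }
  }
  return findings;
}

// Mitigation side: serialise only the fields a public listing needs.
function toPublicPost(post) {
  return { id: post.id, title: post.title, content: post.content,
           author: { nickname: post.author.nickname } };
}

// Constructed sample response body.
const SAMPLE_POSTS = [
  { id: "p1", title: "First", content: "hello",
    author: { nickname: "alice", email: "alice@example.com",
              vehicleid: "00000000-0000-4000-8000-000000000001" } },
  { id: "p2", title: "Second", content: "hi",
    author: { nickname: "bob", userid: 7, contact: "bob@example.com",
              vehicleid: "00000000-0000-4000-8000-000000000002" } },
];

console.log(findExposedFields(SAMPLE_POSTS));                   // five findings
console.log(findExposedFields(SAMPLE_POSTS.map(toPublicPost))); // none
```

In Postman, findExposedFields can be pasted into a request's test script and called with pm.response.json() as its input.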

Source

Hacking APIs

Posted 5-4-22
Video added 5-11-23
Flag 2 changed 7-18-23