ForAllSecure Blog

Fuzz test your API with Mayhem and Postman

James Kessler · October 12, 2022

Previously we talked about what fuzz testing is and how Mayhem can read a Postman collection. That post is still a great introduction to fuzzing. Mayhem complements Postman tests with security tests for all of the edge cases your tests do not cover. Since the last post, we have enhanced our Postman integration, and that is what we will look at here. Ultimately, if your Postman request works, we want Mayhem to just work.

Getting Started

In addition to reading from an exported collection, Mayhem can now read Postman collections directly from the Postman API. Exporting and hosting a Postman collection file is no longer necessary. You will need to create an API key in Postman.

Try running the demo yourself against the Pet Store API:

mapi run \
--url https://demo-api.mayhem4api.forallsecure.com/api/v3/ \
--postman-api-key PMAK-XXXXXX \
postman-integration-demo 30 \
20703797-6e8ad861-088b-44e5-8712-37a5e1566a5c

You will soon notice that the Petstore API has some problems. Some of the endpoints crash when the request is mutated and return 500 errors. Also, an endpoint accepted a POST, which was unexpected since that method is not part of the Postman collection.

Mayhem is capable of causing and detecting many other types of issues, and informs you of how to reproduce the issue it found.

To run against your own collection, you will need the ID of your Postman collection. Then run Mayhem to see how your own API does:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
your-target-name 30 \
POSTMAN_COLLECTION_ID

Authentication

If the API you are testing requires authentication, you probably already have that configured in your Postman collection. Mayhem can now use your collection's authentication settings. We support API Key, Bearer Token, Basic Auth and OAuth 2.0. Note that for OAuth 2.0, the access token must be synced in order for Mayhem to pick it up.

Supplying Mayhem with authentication arguments overrides all Postman authentication.

Environments

Grouping variables by environment is a great way to reuse the same requests against different environments in Postman.  Mayhem is now capable of reading the variable values from environments.  Look up the ID of your environment, and then run Mayhem:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
--postman-environment POSTMAN_ENVIRONMENT_ID \
your-target-name 30 \
POSTMAN_COLLECTION_ID

Secret environment variables are never sent from Postman to Mayhem, so their values will not be available to or inspected by the fuzzer.

Troubleshooting

The more complete a Postman collection is, the better the results you will get out of Mayhem. Sometimes it is necessary to correct an erroneous configuration in a Postman collection. To make this simpler, Mayhem tracks each Postman request's folder, name and ID while fuzzing. If an issue is found, this information is attached to the issue and can be found in Mayhem.
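As an added illustration (not Mayhem's or ForAllSecure's code), the following Python sketches how a fuzzer could consume a Postman collection the way the Authentication, Environments and Troubleshooting sections describe: collection-level auth becomes request headers unless an explicit override is supplied, environment variables are resolved with secret-typed ones withheld, and every request keeps its folder, name and ID for triage. The collection and environment JSON are constructed samples in a simplified Postman v2.1 shape, and example.invalid is a placeholder host.

```python
import json
import re
# Constructed sample (not real data): Postman v2.1-style collection with API-key auth and one folder, plus an environment.
COLLECTION = json.loads("""{
  "auth": {"type": "apikey", "apikey": [{"key": "key", "value": "X-API-Key"},
                                        {"key": "value", "value": "{{api_key}}"}]},
  "item": [{"name": "pets", "item": [{"name": "Get pet", "id": "req-1", "request": {
              "method": "GET", "url": "{{base_url}}/pet/{{pet_id}}", "header": []}}]},
           {"name": "Health", "id": "req-2", "request": {"method": "GET",
              "url": {"raw": "{{base_url}}/health"},
              "header": [{"key": "Accept", "value": "application/json"}]}}]}""")
ENVIRONMENT = json.loads("""{"values": [{"key": "base_url", "value": "https://example.invalid/api/v3"},
  {"key": "pet_id", "value": "7"}, {"key": "api_key", "value": "hunter2", "type": "secret"}]}""")

def env_vars(environment):
    """Enabled, non-secret variables only: secret values are withheld from the fuzzer."""
    return {v["key"]: v["value"] for v in environment["values"]
            if v.get("enabled", True) and v.get("type") != "secret"}

def substitute(text, variables):
    # Unresolved {{name}} placeholders stay intact so they are visible in the output.
    return re.sub(r"\{\{(\w+)\}\}", lambda m: variables.get(m.group(1), m.group(0)), text)

def auth_headers(auth, variables, override=None):
    """Headers from the collection's auth block; an explicit override replaces it."""
    if override or not auth:
        return dict(override or {})
    p = {e["key"]: substitute(e["value"], variables) for e in auth[auth["type"]]}
    builders = {"apikey": lambda: {p["key"]: p["value"]},
                "bearer": lambda: {"Authorization": "Bearer " + p["token"]}}
    return builders.get(auth["type"], dict)()  # basic and oauth2 omitted here

def flatten(collection, environment, auth_override=None):
    """Walk folders recursively; keep folder/name/id so an issue can be traced back."""
    variables = env_vars(environment)
    base = auth_headers(collection.get("auth"), variables, auth_override)
    out = []
    def walk(items, folder):
        for it in items:
            if "item" in it:  # a folder: recurse with the path extended
                walk(it["item"], folder + [it["name"]])
                continue
            req = it["request"]
            url = req["url"] if isinstance(req["url"], str) else req["url"]["raw"]
            hdrs = {h["key"]: substitute(h["value"], variables) for h in req.get("header", [])}
            out.append({"folder": "/".join(folder), "name": it["name"], "id": it.get("id"),
                        "method": req["method"], "url": substitute(url, variables),
                        "headers": {**base, **hdrs}})
    walk(collection["item"], [])
    return out
```

Because the API key is a secret-typed variable, the resolved requests carry the literal placeholder `{{api_key}}` in the header, which is exactly the symptom to look for when a Postman-driven run comes back unauthenticated.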

Try Mayhem for free!

In addition to the improvements above, we have made a number of internal improvements to the fuzzing engine's performance against Postman collections. Try Mayhem out for free against your own Postman collections today at Mayhem for API!
