ForAllSecure Blog

Testing Postman APIs with Fuzzing

Alex Rebert
April 06, 2021

Postman Collections are a great way to document, test, and share your APIs.  Combined with Newman, Postman allows you to reuse your test suites to create a CI/CD pipeline so you can test at every push. Automated CI testing helps you put guard rails in place to ensure that errors are caught early in development instead of in a production incident!

Testing Postman APIs with fuzzing

With Mayhem for API, you can squeeze even more testing out of your existing postman collections, without having to write any additional tests! As opposed to Newman which requires you to provide values for request parameters, Mayhem for API comes up with those values automatically!

Mayhem for API generates all sorts of values for those parameters using a custom fuzzing engine without any assistance from you. Did you test that your endpoints support non-printable characters or invalid UTF-8 �? Japanese characters ブーム? Emojis 💥 ? And did you test apostrophes or ‘../../’ don’t lead to security vulnerabilities? Yeah, neither did we until we had Mayhem for API!

It’s a huge pain to test all the edge cases on every single endpoint and API parameters. If you did that, you’d face a combinatorial explosion of tests to handle every possibility. Those tests would become a pain to maintain, slowing down development significantly every time you have to make a change.

Mayhem for API ❤️ Postman

Let’s go through an example together on how you’d use Mayhem for API to fuzz your Postman API. If you want to follow along, sign up for a 30-day no-string-attached free trial

Here's a postman collection for a demo API. It lists a few GET/POST/PUT endpoints like any other postman collections you might have. To fuzz it, you simply have to call Mayhem for API and give it the path to the postman collection as well as the URL where it’s running:

mapi run -i --url 
postman-demo 20 ~/Downloads/petstore.postman.json

You’ll start seeing the Mayhem for API terminal UI, and some red endpoints (indicating bugs!) show up almost immediately:

And here you go, Mayhem for API generates a ton of requests to your API all automatically, extending test coverage of your API. It tests the weird edge cases nobody wants to test manually. If your API was running on localhost (either on your dev machine or in CI), Mayhem for API would send 100s of requests per second to your API. If that’s not enough, you can use `-j` to parallelize the fuzzer (load testing anyone?)

If you want to see more details about the bugs, the request that triggered bugs are included in our junit and html reports. Those reports are especially useful in CI. Here’s what the html report looks like on this API after a couple minutes of fuzzing:

Want to test your own APIs? Head over to Mayhem for API & get started for free!

Stay Connected

Subscribe to Updates

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.