WEB SECURITY
Testing APIs with Certificate-based authentication
When assessing APIs that use certificate-based (mutual TLS) authentication, the client must present its certificate during the TLS handshake, so we have to load the certificate and private key into the tools we test with, such as Postman and Burp Suite. This matters for interception in particular: Burp terminates the client's TLS session and opens its own connection to the server, so unless Burp itself holds the client certificate, the server will reject the proxied requests and we cannot properly evaluate the API's security.
In this quick guide, we will cover the steps for importing a certificate and private key into Postman for authentication purposes. We will also cover how to bundle the client certificate in PKCS#12 format so that Burp Suite can intercept the traffic seamlessly.
Pre-requisites
- Client certificate file
- Private key file
- Burp Suite (Community or Pro)
- Postman
Importing Client Certificates to Postman
To add certificates in Postman, we need the Postman desktop application, downloaded from the official website. It is cross-platform and supports Windows, Linux, and macOS.
Download link: https://www.postman.com/downloads
After installing Postman, open the workspace dashboard and access the "Settings" menu by clicking the gear icon. In the "Certificates" section, click the "Add Certificate" button.
Then we enter the certificate information: the host the certificate applies to (test.com in this example, optionally with a port), the certificate file, usually in .crt, .pem, or .cer format, and the private key file, in .key or .pem format. If the private key is encrypted with a passphrase, we need to provide that as well.
Once we have entered all the required details, we can click on “Add”. This will add the new certificate under the Client Certificates section, which can be accessed from the Settings, as shown in Figure 4.
Postman will now present the client certificate in the TLS handshake for every HTTPS request sent to the "test.com" domain. To verify this, we send an HTTPS request to the domain and open the Postman console, where the network details of the request show the client certificate that was used.
Configuring Proxy Settings in Postman
After adding the client certificate, we need to set up Postman to proxy requests through Burp Suite. To achieve this, we navigate to the "Settings" menu again, open the "Proxy" section, and enable the toggle for "Use custom proxy configuration".
Then we tick both the HTTP and HTTPS proxy types and specify the address of the proxy server, which in this case is localhost, by entering 127.0.0.1 and Burp Suite's default listener port, 8080. One caveat: Burp presents its own generated certificate for test.com, so Postman must either trust Burp's CA certificate or have "SSL certificate verification" turned off under Settings > General; otherwise the request fails before anything appears in Burp's HTTP history.
Importing Client Certificates to Burp Suite
To add the certificate to Burp Suite, we first bundle the certificate and private key into a PKCS#12 file using OpenSSL. The command below does this; if the private key is encrypted with a passphrase, OpenSSL will prompt for it (no sudo is needed, since the command only reads and writes files in the current directory):
openssl pkcs12 -export -out cert.pfx -inkey private.key -in certificate.crt
OpenSSL will also prompt for an export password, which protects the bundle and is required whenever it is imported. It's important to remember this export password, as we'll need it when adding the certificate to Burp.
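Before importing anything into Burp, it is worth checking that the private key really belongs to the certificate and that the resulting .pfx opens with the export password; a mismatched key or a mistyped password only shows up later as a confusing TLS handshake failure. The script below, an added example that is not part of the original post, generates throwaway test material (a demo CA and a client certificate, constructed purely for the example), checks the key/certificate pair, bundles it non-interactively with `-passout`, and verifies the bundle. The file names `private.key`, `certificate.crt` and `cert.pfx` and the export password `export-pass` are assumptions chosen to mirror the command above.

```shell
#!/usr/bin/env sh
# Added example: verify a client certificate / private key pair and bundle it
# into PKCS#12 for Burp. File names and the export password are assumptions.
set -eu

# Scratch directory for the constructed test material.
WORK="${TMPDIR:-/tmp}/mtls-demo.$$"
mkdir -p "$WORK"

# Generate a throwaway CA and a client key/certificate signed by it.
# This stands in for the certificate and key an assessment would be given.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo Test CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/private.key" -out "$WORK/client.csr" -subj "/CN=api-tester" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/certificate.crt" 2>/dev/null
}

# Returns 0 when the private key ($1) matches the certificate ($2):
# the public key derived from each side must hash to the same value.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}

# Bundle key ($1) and certificate ($2) into the PKCS#12 file ($3) without
# prompting, using the export password ($4) that Burp will later ask for.
bundle_pkcs12() {
  openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout "pass:$4"
}

# Prints how many client certificates the .pfx ($1) contains when opened with
# password ($2); a wrong password makes openssl fail and prints 0.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Full run, for use from the command line: sh this_script.sh demo
demo() {
  make_test_material
  if key_matches_cert "$WORK/private.key" "$WORK/certificate.crt"; then
    echo "key matches certificate"
  else
    echo "key does NOT match certificate; do not bundle these files" >&2
    exit 1
  fi
  bundle_pkcs12 "$WORK/private.key" "$WORK/certificate.crt" "$WORK/cert.pfx" export-pass
  echo "bundle contains $(pfx_cert_count "$WORK/cert.pfx" export-pass) client certificate(s)"
  echo "ready to import: $WORK/cert.pfx"
}

case "${1:-}" in
  demo) demo ;;
esac
```

If Burp refuses a bundle created by OpenSSL 3 with an "unsupported" error, the cause is usually the newer AES/PBKDF2 encryption OpenSSL 3 uses by default; re-running the export with `-legacy` produces the older encoding that every Java version accepts.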
Next, we open Burp's Settings and, under the Network section, navigate to TLS > Client TLS certificates. We click "Add", enter the destination host the certificate should be sent to (test.com in this example), select the certificate type "PKCS#12", and click Next.
We select the newly converted .pfx file and provide the export password we chose when bundling the files. Once everything is loaded correctly, Burp reports that the certificate was loaded successfully.
After completing these steps, Burp presents the client certificate to the server on our behalf, and we can intercept HTTPS requests coming from Postman without any issues. If the server still rejects the connection with a handshake error, the first thing to check is that the destination host configured in Burp matches the host Postman is sending to.
That’s all for today’s post, thanks for reading!