Exposed Postman Collections


Utkarsh Porwal

A Significant Security Risk You Should Be Aware Of

I have observed a significant increase in the number of exposed Postman instances. This upward trend is particularly concerning due to the widespread usage of Postman, with approximately 500,000 organizations and 20 million developers relying on it globally.

Postman Collection

Postman Collections are a feature of the Postman API development platform. A Postman Collection is a structured, organized, and shareable group of API requests. It allows developers to capture and store API endpoints, headers, parameters, authentication details, and other information needed to make API calls.

Security Risk: Exposed Postman Collection

A Postman public workspace can potentially lead to the exposure of an API collection that contains secrets and credentials belonging to multiple companies. It is crucial to emphasize that these secrets are strictly intended for internal use by their respective firms only.

How We Discovered Exposed Postman Collections Globally: Critical Security Risk

During the Reconnaissance Phase of the Red Team Assessment, we utilized Google dork techniques and discovered public workspaces of various companies that contain their Postman collections, authentication tokens, API keys, and other sensitive data in the request body.

Postman Search Endpoint — https://www.postman.com/search?q={Org_Name}&scope=all&type=all

For the purpose of demonstration, we are using an example of a vulnerable site that does not include or expose any sensitive information related to any organization.

Public Postman collections can pose security risks for several reasons:

- Exposure of sensitive information: Public Postman collections may contain sensitive data such as API keys, access tokens, credentials, or other confidential information. If these collections are exposed to unauthorized individuals, it can lead to unauthorized access and potential misuse of the sensitive information.
- Lack of access controls: If Postman collections are not properly secured with access controls, anyone with the collection URL can potentially view or modify the requests and configurations. This can lead to unauthorized access, tampering with the API calls, or even potential data breaches.
- Disclosure of internal network details: Postman collections might include endpoints or configurations that reveal internal network details, such as IP addresses or specific URLs. This information can be leveraged by malicious actors to launch targeted attacks or gain unauthorized access to internal systems.
- Vulnerabilities in shared collections: If a shared Postman collection contains flawed or insecure configurations, it can introduce vulnerabilities into the development or testing environments. This can lead to security weaknesses, exploitation opportunities, or even the exposure of sensitive data.
- API abuse and unauthorized usage: If Postman collections with valid API keys or access tokens are exposed or accessed by unauthorized individuals, it can result in abuse of the APIs, excessive usage, or even financial implications for the API provider.

To mitigate these security risks:

- Implement proper access controls, secure storage of sensitive information, and regularly review and update Postman collections to ensure they do not expose any confidential or sensitive data.
- Educating developers and users about the potential risks and best practices for secure usage of Postman can help mitigate these security concerns.
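The review step above can be automated: before a collection is exported or moved to a public workspace, walk the Collection v2.1 JSON and flag literal credentials in headers, the auth block, collection variables and request bodies, while accepting `{{variable}}` references. This is an added example written for this post, not Postman's own tooling; the header names, key-name patterns, token shapes and the sample collection are constructed assumptions and not taken from any real workspace.

```python
# Audit a Postman Collection v2.1 export for hard-coded secrets before sharing it; reports locations, never values.
import json
import re

CREDENTIAL_HEADERS = {"authorization", "x-api-key", "api-key", "x-auth-token", "cookie"}
SECRET_NAME = re.compile(r"token|secret|password|api[_-]?key", re.I)  # suspicious key names (assumed list)
PLACEHOLDER = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")  # a {{variable}} reference is not a literal secret
TOKEN_PATTERNS = [  # literal token shapes worth flagging inside request bodies (assumed shapes)
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}=*", re.I)),
]
def _literal(value):  # non-empty and not a {{variable}} reference
    return bool(value) and not PLACEHOLDER.match(str(value))

def _scan_request(findings, where, req):
    for h in req.get("header", []):  # e.g. Authorization: <literal token> instead of {{token}}
        if h.get("key", "").lower() in CREDENTIAL_HEADERS and _literal(h.get("value")):
            findings.append(("hardcoded_header", f"{where} header {h['key']}"))
    auth = req.get("auth") or {}
    for entry in auth.get(auth.get("type", "")) or []:  # e.g. auth["bearer"] = [{"key": "token", "value": ...}]
        if SECRET_NAME.search(entry.get("key", "")) and _literal(entry.get("value")):
            findings.append(("hardcoded_auth", f"{where} auth {auth['type']}"))
    body = (req.get("body") or {}).get("raw") or ""
    for kind, pat in TOKEN_PATTERNS:
        if pat.search(body):
            findings.append((kind, f"{where} body"))

def _walk(findings, items, where):
    for it in items:
        name = f"{where}/{it.get('name', '?')}"
        if "item" in it:  # folders nest arbitrarily deep
            _walk(findings, it["item"], name)
        elif isinstance(it.get("request"), dict):
            _scan_request(findings, name, it["request"])

def audit_collection(collection_json):  # -> list of (kind, location) findings
    col = json.loads(collection_json)
    findings = []
    for var in col.get("variable", []):  # collection-level variables holding literal secrets
        if SECRET_NAME.search(var.get("key", "")) and _literal(var.get("value")):
            findings.append(("secret_in_variable", f"variable {var['key']}"))
    _walk(findings, col.get("item", []), "")
    return findings

# Constructed sample export (not a real collection): a placeholder header beside literal secrets in a nested folder.
SAMPLE = json.dumps({"info": {"name": "demo"}, "variable": [{"key": "api_key", "value": "CONSTRUCTED-0001"}],
    "item": [{"name": "billing", "item": [{"name": "charge", "request": {"method": "POST",
        "url": "https://api.example.test/v1/charge",
        "header": [{"key": "Authorization", "value": "{{token}}"}, {"key": "X-API-Key", "value": "CONSTRUCTED-key"}],
        "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "CONSTRUCTED-token"}]},
        "body": {"mode": "raw", "raw": "{\"aws_key\": \"AKIAIOSFODNN7EXAMPLE\"}"}}}]}]})
```

Running `audit_collection(SAMPLE)` reports the variable, the X-API-Key header, the bearer auth block and the body token while leaving the `{{token}}` header alone; a clean export yields an empty list, which makes this usable as a pre-share gate.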

Please share your thoughts about this blog post in the comments box below. Reach out to me on LinkedIn @utkarshporwal24 if you have any questions.
