Fuzz test your API with Mayhem and Postman

James Kessler
October 12, 2022
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Previously, we talked about what fuzz testing is and how Mayhem can read a Postman collection. In this post, we'll look at how we've enhanced our Postman integration.

Mayhem compliments Postman tests with security tests for all of the edge cases your tests do not cover. Ultimately, if your Postman request works, we want Mayhem to just work.

Getting Started

In addition to reading from an exported collection, Mayhem can now read Postman collections from the Postman API. Exporting and hosting a postman collection file is no longer necessary. You will need to create an API key in Postman.

Try running the demo yourself against the Pet Store API:

mapi run \
--url https://demo-api.mayhem4api.forallsecure.com/api/v3/ \
--postman-api-key PMAK-XXXXXX \
postman-integration-demo 30 \
20703797-6e8ad861-088b-44e5-8712-37a5e1566a5c

You will soon notice that the Petstore API has some problems. Some of the endpoints are crashing when the request is mutated, and are returning 500 errors. Also an endpoint accepted a POST, which was unexpected since it is not part of the Postman collection.

Mayhem is capable of causing and detecting many other types of issues, and informs you of how to reproduce the issue it found.

To run against your own collection, you will need the id of your Postman collection. Then run Mayhem to see how your own API does:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
your-target-name 30 \
POSTMAN_COLLECTION_ID

Authentication

If the API you are testing requires authentication, you probably already have that configured in your Postman collection. Mayhem now has the capability to leverage your collection’s settings.

We now support API Key, Bearer Token, Basic Auth and OAuth 2.0. Note that for OAuth 2.0, the access token must be synced in order for Mayhem to pick it up.

Supplying Mayhem with authentication arguments overrides all Postman authentication.

Environments

Grouping variables by environment is a great way to reuse the same requests against different environments in Postman. Mayhem is now capable of reading the variable values from environments. Look up the ID of your environment, and then run Mayhem:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
--postman-environment POSTMAN_ENVIRONMENT_ID \
your-target-name 30 \
POSTMAN_COLLECTION_ID

Secret environment variables are never sent from Postman to Mayhem, so their values will not be available to or inspected by the fuzzer.

Troubleshooting

The more complete a Postman collection is, the better results you will get out of Mayhem. Sometimes it is necessary to tune up a Postman collection with an erroneous configuration. To make this simpler, Mayhem tracks the Postman requests folder, name and id while fuzzing. If an issue is found, this information is attached to the issue and can be found in Mayhem.

Try Mayhem for free!

In addition to the improvements above, we have made a number of improvements internally to improve the fuzzing engine’s performance against Postman collections. Try Mayhem out for free against your own Postman collections today at Mayhem for API!

{{api-cta}}

Share this post

Fancy some inbox Mayhem?

Subscribe to our monthly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem