Testing Postman APIs with Fuzzing

Alex Rebert
April 6, 2021
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Postman Collections are a great way to document, test, and share your APIs.  Combined with Newman, Postman allows you to reuse your test suites to create a CI/CD pipeline so you can test at every push. Automated CI testing helps you put guard rails in place to ensure that errors are caught early in development instead of in a production incident!

Testing Postman APIs with fuzzing

With Mayhem, you can squeeze even more testing out of your existing Postman collections, without having to write any additional tests. As opposed to Newman which requires you to provide values for request parameters, Mayhem comes up with those values automatically!

Mayhem  generates all sorts of values for those parameters using a custom fuzzing engine without any assistance from you.

Did you test that your endpoints support non-printable characters or invalid UTF-8 �? Japanese characters ブーム? Emojis 💥 ? And did you test apostrophes or ‘../../’ don’t lead to security vulnerabilities? Yeah, neither did we until we had Mayhem.


It’s a huge pain to test all the edge cases on every single endpoint and API parameters. If you did that, you’d face a combinatorial explosion of tests to handle every possibility. Those tests would become a pain to maintain, slowing down development significantly every time you have to make a change.

Using Mayhem to Test Your Postman Collection

Let’s go through an example together on how you’d use Mayhem to fuzz your Postman API. If you want to follow along, sign up for a 30-day no-strings-attached free trial

Here's a Postman collection for a demo API. It lists a few GET/POST/PUT endpoints like any other postman collections you might have. To fuzz it, you simply have to call Mayhem and give it the path to the postman collection as well as the URL where it’s running:

mapi run -i --url https://demo-api.mayhem4api.forallsecure.com/api/v3/
postman-demo 20 ~/Downloads/petstore.postman.json

You’ll start seeing the Mayhem terminal UI, and some red endpoints (indicating bugs!) show up almost immediately:

And here you go: Mayhem generates a ton of requests to your API  automatically, extending test coverage of your API. It tests the weird edge cases nobody wants to test manually.

If your API was running on localhost (either on your dev machine or in CI), Mayhem would send hundreds of requests per second to your API. If that’s not enough, you can use `-j` to parallelize the fuzzer (load testing anyone?)

If you want to see more details about the bugs, the request that triggered bugs are included in our junit and html reports. Those reports are especially useful in CI. Here’s what the html report looks like on this API after a couple minutes of fuzzing:

Want to test your own APIs? Head over to Mayhem & get started for free!

Share this post

Add a Little Mayhem to Your Inbox

Subscribe to our weekly newsletter for expert insights and news on DevSecOps topics, plus Mayhem tips and tutorials.

By subscribing, you're agreeing to our website terms and privacy policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Add Mayhem to Your DevSecOps for Free.

Get a full-featured 30 day free trial.

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem

Maximize Code Coverage in Minutes

Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.

Get Mayhem