Scan using a Postman Collection

If you have a Postman Collection of requests to your web API, you can import it and use it as the basis for a scan.

Following import, AppScan runs its own Explore stage using the collection, and displays the resulting data in Dashboard and Data views. You choose whether AppScan continues automatically to the Test stage, to complete the scan, or whether you prefer to start the Test stage later.

A sample Postman Collection for scanning the AppScan demo test site is included in the AppScan installation; see Sample files.

Prerequisites:
  • If the web API requires authorization, the authorization request must include valid credentials (API Key, Basic Auth, OAuth 2 refresh token, or other fixed tokens and passwords). The authorization request must be one of the first requests in the collection. By default, AppScan examines the first seven requests for the authorization request, but if needed this number can be increased in Configuration > Advanced Configuration > Postman.
    Limitation: Authentication methods that require a user to be present, such as OAuth2 with Prompt User, are not supported. However, you can use OAuth2 with an offline grant type that uses a refresh token (also known as a service token).
To import a Postman Collection:
  1. If custom proxy settings are needed for AppScan to access the web API, configure them first in Configuration dialog box > Communication and Proxy > Proxy > Custom proxy. For details, see Communication and proxy.
  2. Go to Configuration > API and select the API type. Click Select Postman collection to add your Postman Collection.
  3. In the Postman collection files area, enter the following:
    • Postman Collection file: Full URL or path to the JSON file.
      Important: The file extension must be .json.
    • Linked files (Optional): If the collection includes links to other files, you must include them all in a single ZIP file and select it here. The following conditions apply:
      • File paths must be relative to the collection, not absolute.
      • Files must be located within the Postman Collection folder (a sub-folder is fine), not outside it.
      • The path must be identical to the path used in Postman.
    • Postman Environment file (Optional): If your collection uses environment variables, you must provide the full URL or path to the Postman Environment JSON file.
    • Postman Globals file (Optional): If your collection uses global variables, you must provide the full URL or path to the Postman Globals JSON file.
  4. In the Domains area, add all domains you want included in the scan. You can add these domains individually or add multiple domains at once using a CSV file. Both these formats are valid:
    https://demo.testfire.net/
    demo.testfire.net
    Important: Domains not listed will not be scanned.
  5. If your web API has an OpenAPI description, then in the OpenAPI description file area provide a valid description file so that its parameters are included, giving better scan coverage.
  6. Click Import. The Postman Collection is imported. Run the scan to detect any vulnerabilities in your web API.
    Note: Once you add a Postman Collection to a configuration, you cannot export it as a SCANT (template) file, as the collection cannot be included in a template. You must either remove the collection or save as a SCAN file.
  7. If your collection includes login credentials, go to Configuration > Login Management and look for the green "Login successfully configured" icon to confirm that the login details were detected. If the login was not detected, refer to Postman Collection scan troubleshooting.
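The prerequisites and file conditions above (a .json extension, an authorization request within the first seven requests, linked files on relative paths inside the collection folder, and the list of domains to add) can be checked before import with a script such as the one below. This is an added example and not part of AppScan; it assumes the Postman Collection v2.1 layout, treats a request carrying an `auth` block as the authorization request (AppScan's own detection rule is not documented here), and runs against a small constructed collection.

```python
import posixpath
from urllib.parse import urlparse

AUTH_WINDOW = 7  # AppScan default: first seven requests are examined for the auth request

# Constructed sample in Postman Collection v2.1 shape, not a real export.
SAMPLE = {"info": {"name": "demo"}, "item": [
    {"name": "login", "request": {"method": "POST", "auth": {"type": "basic"},
                                  "url": "https://demo.testfire.net/api/login"}},
    {"name": "upload", "request": {"method": "POST", "url": "https://demo.testfire.net/api/upload",
                                   "body": {"mode": "formdata", "formdata": [
                                       {"key": "f", "type": "file", "src": "../secrets.bin"}]}}},
    {"name": "folder", "item": [  # folders nest further items
        {"name": "search", "request": {"method": "GET",
                                       "url": {"raw": "https://api.testfire.net/search?q=x"}}}]},
]}


def flatten(items):
    """Yield requests in collection order, descending into folders."""
    for item in items:
        if "item" in item:
            yield from flatten(item["item"])
        elif "request" in item:
            yield item["request"]


def check_collection(collection, filename):
    """Return the domains to add and the problems to fix before import."""
    problems, domains = [], set()
    if not filename.lower().endswith(".json"):
        problems.append("file extension must be .json")
    requests = list(flatten(collection.get("item", [])))
    auth_at = [i for i, r in enumerate(requests) if r.get("auth")]  # assumption: auth block = auth request
    if not auth_at:
        problems.append("no request carries an auth block")
    elif auth_at[0] >= AUTH_WINDOW:
        problems.append(f"first auth request is #{auth_at[0] + 1}; move it earlier or raise the window")
    for r in requests:
        url = r.get("url", "")
        host = urlparse(url if isinstance(url, str) else url.get("raw", "")).hostname
        if host:
            domains.add(host)  # bare host form is accepted in the Domains area
        for part in (r.get("body") or {}).get("formdata", []):
            for src in ([part["src"]] if isinstance(part.get("src"), str) else part.get("src") or []):
                if src.startswith("/") or ":" in src[:3]:  # POSIX root or Windows drive letter
                    problems.append(f"absolute linked-file path: {src}")
                elif posixpath.normpath(src).startswith(".."):
                    problems.append(f"linked file outside collection folder: {src}")
    return {"domains": domains, "problems": problems}


if __name__ == "__main__":
    print(check_collection(SAMPLE, "demo.json"))
```

The domains set is what you would paste into the Domains area in step 4; anything listed under problems would otherwise surface as a failed login or a missing linked file after import.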

Working with multiple collections

Currently only one Postman Collection can be imported per scan.

To scan a second collection using the same configuration as the first:
  • After configuring and saving a scan with your first collection, go to File > New scan from current configuration and import the second collection.
If you do not need the same configuration, simply create a new scan for the second collection.