Lab setup

Burp Suite can easily be used with Postman to perform API testing.

Import a collection

An API can be imported from different sources such as Files, Folder, Link, Raw Text, or a code repository on GitHub.

Edit Collection variables

Make sure that you set all the collection variables needed to make requests. The required variables should be specified in the API documentation.

Configure Postman with Burp Suite

In File > Settings, turn SSL certificate verification OFF so that Postman accepts the certificate Burp Suite presents when it intercepts HTTPS traffic.

In the proxy settings of Postman, set the proxy server to localhost and port 8080, which corresponds to the default Burp Suite proxy settings.

Postman supports only HTTP and HTTPS proxies. If our vulnerable web application is hosted on a remote machine, we can tell Burp Suite to use a SOCKS proxy to relay our traffic. The traffic flow is then Postman -> Burp Suite -> remote server.

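# On our local host: open a SOCKS proxy on local port 9000 through the SSH host maBoxGS
# (-N: run no remote command, -D 9000: dynamic port forwarding)
ssh maBoxGS -N -D 9000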
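
A pre-flight check for the chain described above, as an added example that is not part of the original page: it confirms that something is listening on the Burp Suite proxy port and that the port opened by `ssh -D` answers a SOCKS5 greeting. The function names are made up for this example; ports 8080 and 9000 are the ones used on this page.

```python
import socket

BURP_LISTENER = ("127.0.0.1", 8080)  # Burp Suite proxy default, as set in Postman
SSH_SOCKS = ("127.0.0.1", 9000)      # port opened by `ssh maBoxGS -N -D 9000`


def port_open(addr, timeout=2.0):
    """Return True if a TCP connection to addr succeeds."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


def speaks_socks5(addr, timeout=2.0):
    """Return True if addr answers a SOCKS5 greeting by selecting 'no authentication'."""
    try:
        with socket.create_connection(addr, timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, METHOD=0x00 (no auth)
            reply = b""
            while len(reply) < 2:
                chunk = s.recv(2 - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == b"\x05\x00"  # VER=5, selected METHOD=0x00
    except OSError:
        return False


def check_chain(burp=BURP_LISTENER, socks=SSH_SOCKS):
    """Check each local hop of Postman -> Burp Suite -> SOCKS tunnel."""
    return {
        "burp_listener_up": port_open(burp),
        "socks_port_up": port_open(socks),
        "socks5_handshake_ok": speaks_socks5(socks),
    }


if __name__ == "__main__":
    for name, ok in check_chain().items():
        print(f"{name:22} {'OK' if ok else 'FAIL'}")
```

If `socks_port_up` passes but `socks5_handshake_ok` fails, another service is bound to port 9000 and the SSH tunnel is not the one answering.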
