Joe Leon

The Dig

May 2, 2024

Scan Postman for Secrets with TruffleHog


This is our second post in a series about credential leakage on Postman. Part one documents the what, where, why and how secrets leak on Postman. We conclude that ~2% of all public workspaces leak a live secret!

We’re super excited to announce that you can now scan Postman for secrets using TruffleHog. This enables users of Postman’s public (and private) workspaces to scan for more than 800 different types of secrets across HTTP requests, environments, and much more.

Scanning Postman

Install the most recent version of TruffleHog (see here for instructions). Get a Postman API key (these are free). Get the Workspace ID of the Postman workspace that you want to scan (see animation below).


Once you have the Workspace ID and API key, run the following command:


trufflehog postman --token $POSTMAN_TOKEN --workspace <WORKSPACE_ID>


You should see output like the image below:


Follow the same process to scan Collections and Environments (but change the --workspace flag to --collection or --environment).

Interpreting the output

As always, TruffleHog provides the same details about verified and unverified secrets. Since secrets can leak in many different places inside Postman, we expanded the output quite a bit to help you navigate to the exact location of the leak. When in doubt, just click the Link to navigate directly to the relevant page.

The following fields are always present:

  • Workspace_name: The name of the user’s workspace

  • Workspace_uuid: The workspace ID

  • Field_type: The type of field where the secret was found. The goal is to help navigate you to exactly where the secret was found. For example: request > request auth > authorization means the secret was found in a request’s authorization input. 

  • Link: This is a direct link to the item that contains the secret.

If the secret was found in an environment variable, the following field will be present:

  • Environment_id: The environment’s ID

If the secret was found in a collection variable or script, the following fields will be present:

  • Collection_id: The collection ID 

  • Collection_name: The name of the collection containing the secret

If the secret was found in a request item, all* of the fields above will be present as well as:

  • Request_id: The request ID

  • Request_name: The name of the request

*It’s possible that Environment_id will not be included in a request item’s output, if the secret did not require substituting an environment key/value into the request.

Sometimes, a secret found in a request item will include the following two fields:

  • Folder_id: The ID of the subfolder within the collection containing the request

  • Folder_name: The name of the subfolder within the collection containing the request. If this value contains a “>” character, then it’s likely inside a nested folder.


For example, in the image above, if a secret were located inside the “Get Access Tokens of Pages…” request, Folder_name: Token would be provided, as well as the Folder_id. 
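As an added example (it is not from the original post and not TruffleHog's own code), the Python below wraps the scan command from the "Scanning Postman" section for the workspace, collection and environment modes, and then reads TruffleHog's --json output to rebuild the navigation path the fields above describe (workspace > collection > folder > request > field type). The JSON layout it expects (one object per line with Verified, DetectorName and SourceMetadata.Data.Postman carrying lowercase keys such as workspace_name and field_type) is an assumption; compare it against your own --json output. The sample findings embedded in the block are constructed, not real leaks.

```python
"""Drive TruffleHog's Postman source and summarise its JSON findings.

Assumed (not taken from the post): `trufflehog ... --json` prints one JSON
object per line, each with "Verified", "DetectorName" and
"SourceMetadata": {"Data": {"Postman": {...}}}, where the Postman object uses
lowercase keys matching the field names in the post (workspace_name,
collection_name, folder_name, request_name, environment_id, field_type, link).
"""
import json
import shutil
import subprocess
from typing import Iterable

SCOPES = ("workspace", "collection", "environment")


def build_scan_command(scope: str, target_id: str, token: str) -> list:
    """argv for `trufflehog postman --token ... --<scope> <id> --json`."""
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % (SCOPES,))
    if not token:
        raise ValueError("a Postman API key is required (POSTMAN_TOKEN)")
    return ["trufflehog", "postman", "--token", token,
            "--%s" % scope, target_id, "--json"]


def location_path(postman: dict) -> str:
    """Join the Postman metadata fields into a human-readable path."""
    parts = [postman.get("workspace_name"),
             postman.get("collection_name"),
             postman.get("folder_name"),
             postman.get("request_name")]
    env_id = postman.get("environment_id")
    if env_id:
        parts.append("environment %s" % env_id)
    parts.append(postman.get("field_type"))
    return " > ".join(p for p in parts if p)


def parse_findings(lines: Iterable[str]) -> list:
    """Turn JSON-line output into a list of dicts; skips non-JSON lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # progress/log text, not a finding
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        postman = obj.get("SourceMetadata", {}).get("Data", {}).get("Postman", {})
        findings.append({
            "detector": obj.get("DetectorName", "unknown"),
            "verified": bool(obj.get("Verified")),
            "path": location_path(postman),
            "link": postman.get("link", ""),
        })
    return findings


def summarise(findings: list) -> dict:
    """Count verified vs unverified findings, verified first in the list."""
    ordered = sorted(findings, key=lambda f: not f["verified"])
    return {"verified": sum(f["verified"] for f in ordered),
            "unverified": sum(not f["verified"] for f in ordered),
            "findings": ordered}


def run_scan(scope: str, target_id: str, token: str) -> dict:
    """Run the real CLI (must be on PATH) and summarise its output."""
    if shutil.which("trufflehog") is None:
        raise RuntimeError("trufflehog not found on PATH; install it first")
    proc = subprocess.run(build_scan_command(scope, target_id, token),
                          capture_output=True, text=True, check=False)
    return summarise(parse_findings(proc.stdout.splitlines()))


# Constructed sample output: one verified secret in a request inside a folder,
# one unverified secret in an environment variable, plus a stray log line.
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"DetectorName": "AWS", "Verified": True, "SourceMetadata": {"Data": {"Postman": {
        "workspace_name": "Payments API", "workspace_uuid": "ws-0001",
        "collection_id": "col-0001", "collection_name": "Billing",
        "folder_id": "fld-0001", "folder_name": "Token",
        "request_id": "req-0001", "request_name": "Get Access Tokens of Pages",
        "field_type": "request > request auth > authorization",
        "link": "https://go.postman.co/workspace/ws-0001/request/req-0001"}}}}),
    "scan progress: 2 of 2 items",
    json.dumps({"DetectorName": "Stripe", "Verified": False, "SourceMetadata": {"Data": {"Postman": {
        "workspace_name": "Payments API", "workspace_uuid": "ws-0001",
        "environment_id": "env-0001", "field_type": "environment > variable",
        "link": "https://go.postman.co/workspace/ws-0001/environment/env-0001"}}}}),
])


if __name__ == "__main__":
    report = summarise(parse_findings(SAMPLE_OUTPUT.splitlines()))
    print("%d verified, %d unverified" % (report["verified"], report["unverified"]))
    for f in report["findings"]:
        flag = "VERIFIED  " if f["verified"] else "unverified"
        print("%s %-8s %s\n           %s" % (flag, f["detector"], f["path"], f["link"]))
```

Triage verified findings first: they are live credentials and should be rotated before anything else, and the link field takes you straight to the item to fix.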

Current Limitations

TruffleHog can scan a large portion of Postman, but it doesn’t do everything (yet!).

Authentication Types

TruffleHog scans the following authentication methods: Basic Auth, Bearer Tokens, API Keys, AWS, OAuth2, and NoAuth. There are more than 5 additional authentication methods supported within Postman that TruffleHog cannot scan at the time of release. (Feel free to make a community contribution!)


Database Connection Strings

If a user places their database username, password, host, port and other values in separate variable fields, TruffleHog will not always combine them for testing and that secret will be missed.

Non-HTTP Requests

Postman supports Websockets, gRPC, Socket.io and MQTT transactions. TruffleHog hasn’t added support for scanning those data types at the moment. 


Collection Descriptions

Surprisingly, users will place secrets directly into their collection’s description. We haven’t found that often, but it definitely happens (see the sensitive link in the screenshot below).


History

The Postman API does not provide access to your request history. As a result, we chose not to include history scanning in TruffleHog. An upcoming post will provide a one-off script that allows individuals to scan their own history. 

Feedback

Postman is a new type of source for TruffleHog. As an open source company, we highly value our community’s input. If you have ideas for expanding TruffleHog’s reach within Postman or a better way to display the secret output, please feel free to reach out to us in our community Slack or Discord.

