This is our second post in a series about credential leakage on Postman. Part one documents the what, where, why and how secrets leak on Postman. We conclude that ~2% of all public workspaces leak a live secret!
We’re super excited to announce that you can now scan Postman for secrets using TruffleHog. This enables users of Postman’s public (and private) workspaces to scan for more than 800 different types of secrets across HTTP requests, environments, and much more.
Scanning Postman
Install the most recent version of TruffleHog (see here for instructions). Get a Postman API key (these are free). Get the Workspace ID of the Postman workspace that you want to scan (see animation below).
Once you have the Workspace ID and API key, run the following command:
You should see output like the image below:
Follow the same process to scan Collections and Environments (but change the --workspace flag to --collection or --environment).
Interpreting the output
As always, TruffleHog provides the same details about verified and unverified secrets. Since secrets can leak in many different places inside Postman, we expanded the output quite a bit to help you navigate to the exact location of the leak. When in doubt, just click the Link to navigate directly to the relevant page.
The following fields are always present:
Workspace_name: The name of the user’s workspace
Workspace_uuid: The workspace ID
Field_type: The type of field where the secret was found, written as a path so you can navigate to exactly where the secret was found. For example, request > request auth > authorization means the secret was found in a request’s authorization input.
Link: A direct link to the item that contains the secret.
If the secret was found in an environment variable, the following field will be present:
Environment_id: The environment’s ID
If the secret was found in a collection variable or script, the following fields will be present:
Collection_id: The collection ID
Collection_name: The name of the collection containing the secret
If the secret was found in a request item, all* of the fields above will be present as well as:
Request_id: The request ID
Request_name: The name of the request
*It’s possible that Environment_id will not be included in a request item’s output, if the secret did not require substituting an environment key/value into the request.
Sometimes, a secret found in a request item will include the following two fields:
Folder_id: The ID of the subfolder within the collection containing the request
Folder_name: The name of the subfolder within the collection containing the request. If this value contains a “>” character, then it’s likely inside a nested folder.
For example, in the image above, if a secret were located inside the “Get Access Tokens of Pages…” request, Folder_name: Token would be provided, as well as the Folder_id.
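The scan procedure and the output fields above, worked through in one added example that is not code from this post or from TruffleHog itself. It assumes trufflehog is on PATH and is invoked as postman --token=… with the --workspace, --collection or --environment flag named above (the --token flag name and the global --json flag are assumptions), and that each JSON line carries DetectorName, Verified, Redacted and a SourceMetadata.Data.Postman object whose keys match the field names listed above; key lookup is case- and underscore-insensitive so camelCase variants are tolerated. The sample output embedded at the bottom is constructed, not real scan data.

```python
"""Added example: run `trufflehog postman` for one scope and triage its JSON-lines output.
Assumed CLI flags: --token, --workspace|--collection|--environment, --json.
Assumed record shape: DetectorName, Verified, Redacted, SourceMetadata.Data.Postman{...}."""
import json
import os
import subprocess
from collections import defaultdict

SCOPES = ("workspace", "collection", "environment")


def build_command(scope, item_id, token):
    """argv for one scan; passed as a list so IDs and tokens need no shell quoting."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    if not item_id or not token:
        raise ValueError("item_id and token are required")
    return ["trufflehog", "postman", f"--token={token}", f"--{scope}={item_id}", "--json"]


def run_scan(scope, item_id, token=None):
    """Run trufflehog (token defaults to $POSTMAN_API_KEY) and return stdout lines."""
    token = token or os.environ.get("POSTMAN_API_KEY", "")
    proc = subprocess.run(build_command(scope, item_id, token),
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def _get(obj, name, default=""):
    """Case/underscore-insensitive key lookup: Workspace_uuid == workspaceUuid."""
    if not isinstance(obj, dict):
        return default
    want = name.replace("_", "").lower()
    for k, v in obj.items():
        if k.replace("_", "").lower() == want:
            return v
    return default


def parse_findings(lines):
    """Flatten JSON lines into dicts; banner/progress lines that are not JSON are skipped."""
    out = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        meta = _get(_get(_get(rec, "SourceMetadata", {}), "Data", {}), "Postman", {})
        out.append({
            "detector": _get(rec, "DetectorName"),
            "verified": bool(_get(rec, "Verified", False)),
            "redacted": _get(rec, "Redacted"),
            "workspace": _get(meta, "Workspace_name"),
            "collection": _get(meta, "Collection_name"),
            "environment_id": _get(meta, "Environment_id"),
            "folder": _get(meta, "Folder_name"),
            "request": _get(meta, "Request_name"),
            "field_type": _get(meta, "Field_type"),
            "link": _get(meta, "Link"),
        })
    return out


def triage(findings, verified_only=True):
    """Group by (workspace, collection) so each owning team gets one rotation list."""
    groups = defaultdict(list)
    for f in findings:
        if verified_only and not f["verified"]:
            continue
        groups[(f["workspace"], f["collection"])].append(f)
    return dict(groups)


def describe(f):
    """One-line breadcrumb: folder > request > field_type, plus the deep link."""
    where = " > ".join(p for p in (f["folder"], f["request"], f["field_type"]) if p)
    status = "VERIFIED" if f["verified"] else "unverified"
    return f"[{status}] {f['detector']} {f['redacted']} at {where} ({f['link']})"


# Constructed sample output (not real scan data) in the assumed record shape.
SAMPLE_OUTPUT = [
    "TruffleHog. Unearth your secrets.",  # banner line, skipped by the parser
    json.dumps({"DetectorName": "AWS", "Verified": True, "Redacted": "AKIA************",
                "SourceMetadata": {"Data": {"Postman": {
                    "Workspace_name": "Acme Public", "Workspace_uuid": "ws-1",
                    "Collection_id": "c-1", "Collection_name": "Payments API",
                    "Folder_id": "f-1", "Folder_name": "Token",
                    "Request_id": "r-1", "Request_name": "Get Access Tokens of Pages",
                    "Field_type": "request > request auth > authorization",
                    "Link": "https://example.invalid/ws-1/request/r-1"}}}}),
    json.dumps({"DetectorName": "URI", "Verified": False, "Redacted": "https://user:****@db.example",
                "SourceMetadata": {"Data": {"Postman": {
                    "Workspace_name": "Acme Public", "Workspace_uuid": "ws-1",
                    "Environment_id": "env-9", "Field_type": "environment > variable",
                    "Link": "https://example.invalid/ws-1/environment/env-9"}}}}),
]

if __name__ == "__main__":  # replace SAMPLE_OUTPUT with run_scan("workspace", "<id>") for a live scan
    for (ws, coll), hits in triage(parse_findings(SAMPLE_OUTPUT)).items():
        print(f"{ws} / {coll or '(no collection)'}:")
        for f in hits:
            print("  " + describe(f))
```

Grouping on (workspace, collection) matches how the output fields are nested: environment-only findings have no Collection_name, so they land in their own bucket and keep Environment_id for navigation, while request findings carry the folder/request/field path that describe() turns into a breadcrumb.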
Current Limitations
TruffleHog can scan a large portion of Postman, but it doesn’t do everything (yet!).
Authentication Types
TruffleHog scans the following authentication methods: Basic Auth, Bearer Tokens, API Keys, AWS, OAuth2, and NoAuth. There are more than 5 additional authentication methods supported within Postman that TruffleHog cannot scan at the time of release. (Feel free to make a community contribution!)
Database Connection Strings
If a user places their database username, password, host, port and other values in separate variable fields, TruffleHog will not always combine them into a single credential for verification, so that secret can be missed.
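A workaround for the limitation just described, as an added example (not TruffleHog code or a feature the post describes): rebuild connection strings from separately named environment variables yourself, then scan the result as a single secret (for instance by writing the lines to a file and running trufflehog filesystem on it). The input shape, a top-level "environment" object with a "values" list of {key, value, enabled} entries, is assumed from the Postman environment API/export format; the key naming conventions in ROLE_TOKENS are common-sense assumptions, and the sample environment is constructed.

```python
"""Added example: reassemble DB connection URIs from split Postman environment variables.
Input shape ({"environment": {"values": [{"key","value","enabled"}, ...]}}) is assumed."""
import re
from urllib.parse import quote

# Key tokens that identify each part of a credential (assumed naming conventions).
ROLE_TOKENS = {
    "host": {"HOST", "HOSTNAME", "SERVER", "ENDPOINT"},
    "port": {"PORT"},
    "user": {"USER", "USERNAME", "LOGIN"},
    "password": {"PASS", "PASSWORD", "PWD"},
    "dbname": {"NAME", "DATABASE", "DBNAME", "SCHEMA"},
    "scheme": {"DRIVER", "DIALECT", "ENGINE", "SCHEME"},
}
# Fallback scheme guessed from a well-known port when no driver variable exists.
PORT_SCHEMES = {"5432": "postgres", "3306": "mysql", "27017": "mongodb", "1433": "mssql", "6379": "redis"}


def _tokens(key):
    """DB_HOST -> ['DB', 'HOST'];  pgPassword -> ['PG', 'PASSWORD']."""
    spaced = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", key)
    return [t.upper() for t in re.findall(r"[A-Za-z]+|\d+", spaced)]


def _classify(key):
    """Return (role, group): the role token is removed, the rest names the credential set."""
    toks = _tokens(key)
    for i, tok in enumerate(toks):
        for role, names in ROLE_TOKENS.items():
            if tok in names:
                return role, "_".join(toks[:i] + toks[i + 1:])
    return None, None


def reconstruct(env_json):
    """Return one URI per variable group that has at least host, user and password."""
    env = env_json.get("environment", env_json)
    groups = {}
    for var in env.get("values", []):
        value = str(var.get("value", ""))
        if not var.get("enabled", True) or "://" in value:
            continue  # disabled vars are not substituted; full URIs are already scannable
        role, group = _classify(var.get("key", ""))
        if role:
            groups.setdefault(group, {})[role] = value
    uris = []
    for _group, parts in sorted(groups.items()):
        if not {"host", "user", "password"} <= parts.keys():
            continue  # not a testable credential on its own
        scheme = parts.get("scheme") or PORT_SCHEMES.get(parts.get("port", ""), "db")
        netloc = f"{quote(parts['user'], safe='')}:{quote(parts['password'], safe='')}@{parts['host']}"
        if "port" in parts:
            netloc += f":{parts['port']}"
        uris.append(f"{scheme}://{netloc}/{parts.get('dbname', '')}".rstrip("/"))
    return uris


# Constructed sample environment (not real data), shaped like a Postman environment export.
SAMPLE_ENV = {
    "environment": {
        "id": "00000000-0000-0000-0000-000000000000",
        "name": "staging",
        "values": [
            {"key": "BASE_URL", "value": "https://api.example.test", "enabled": True},
            {"key": "DB_HOST", "value": "db.internal.example", "enabled": True},
            {"key": "DB_PORT", "value": "5432", "enabled": True},
            {"key": "DB_USER", "value": "app", "enabled": True},
            {"key": "DB_PASSWORD", "value": "hunter2!", "enabled": True},
            {"key": "DB_NAME", "value": "orders", "enabled": True},
            {"key": "CACHE_HOST", "value": "redis.internal.example", "enabled": True},
            {"key": "CACHE_PASSWORD", "value": "old-secret", "enabled": False},
        ],
    }
}

if __name__ == "__main__":
    for uri in reconstruct(SAMPLE_ENV):  # write these to a file and scan it with trufflehog filesystem
        print(uri)
```

The CACHE_* group is dropped because its password is disabled, which shows the edge case the heuristic has to respect: a disabled variable is never substituted into a request, so it is not a live credential for that environment.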
Non-HTTP Requests
Postman supports Websockets, gRPC, Socket.io and MQTT transactions. TruffleHog hasn’t added support for scanning those data types at the moment.
Collection Descriptions
Surprisingly, users will place secrets directly into their collection’s description. We haven’t found that often, but it definitely happens (see the sensitive link in the screenshot below).
History
The Postman API does not provide access to your request history. As a result, we chose not to include history scanning in TruffleHog. An upcoming post will provide a one-off script that allows individuals to scan their own history.
Feedback
Postman is a new type of source for TruffleHog. As an open source company, we highly value our community’s input. If you have ideas for expanding TruffleHog’s reach within Postman or a better way to display the secret output, please feel free to reach out to us in our community Slack or Discord.