There are many available testing tools that help Security and Software engineers to automate their security testing. However, there are situations which requires some manual testing in order to discover vulnerabilities. Still, we don’t have to manual test the same test cases every time. After we discover the test workflow, we can write a test case in Postman and run it automatically in our CI/CD platform.
Capturing Traffic of the workflow
In this example, I will be using Burp suite (Community Edition) to demonstrate how we can capture the workflow and export it to Postman.
First, install the Postman Integration extension to Burp suite. This allows us to export the request to Postman.
Now, we will be using http://demo.testfire.net/login.jsp to capture a XSS payload request.
We can observe that the payload ‘<script>alert(‘1′)</script>’ appears in the response. Later on, we want to use this observation to write a test case that will fail the XSS test if ‘<script>alert(‘1′)</script>’ appears in the response.
Now we want to export this request to Postman. Simply right click on the request and click ‘Export as Postman Collection’.
There will be a pop-out that allows us to set the Collection Name and Folder Name. We can also name the Test case (in this case, I named it as ‘Test XSS in Search Bar’). After the values are set, we can export it and then import the file into Postman.
Open up Postman and click ‘Import’. Choose the exported file and import to Postman. The Collection will appear at the side menu and we will see a folder called XSS. The request will be found in the folder.
Run the test and we shall see that the payload is in the response.
Writing Test case in Postman to validate
Since we know that this web application does not use any JS Frameworks (like Angular / ReactJS), we can simply check if the response will return the exact payload to validate if it contains a reflected XSS vulnerability.
In Postman, click on the ‘Tests’ tab. We can write a test case to test for reflected XSS. So if the response does not include the payload ‘<script>alert(‘1′)</script>’, then it passes the reflected XSS. And we can include different payload as well to ensure that the web application defence against XSS is robust.
In this scenario, we can see that the test failed because reflected XSS is found.