Automated API testing with Postman

Getting stock prices from Alpha Vantage with Postman

Contract Tests

Contract tests allow you to verify that API request and response schemas have not changed. This is especially useful when working on a mobile application with a large team with separate mobile and API developers.

Testing that Alpha Vantage’s stock quote API contract has not changed.

Security Tests

Postman tests can also be used to perform automated security tests.

Logging in to Google Gruyere using Postman and setting the cookie in the environment.
Environment variables are referenced by wrapping the variable name in double curly braces.
Submitting XSS payload.
This test will fail if the XSS vulnerability is still present.
The Postman test runner running through the exploit chain.
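
The following Tests-tab script is an added example, not code from the original article, showing one way the final request in such a chain can fail while submitted markup is still reflected unencoded. The marker token, the sample responses and the assumption that an earlier request in the collection submits `PROBE` are all constructed for illustration, and nothing in it depends on Gruyere's endpoints.

```javascript
// Added example. TOKEN is a constructed, inert marker: the earlier request in the
// collection is assumed to submit PROBE in the field under test.
const TOKEN = 'xssprobe7f3a';
const PROBE = `<${TOKEN}>`;

// Classify how an HTML response treats the submitted probe.
//   'raw'     - the tag came back with a literal '<': output encoding is missing
//   'encoded' - the token is present but its '<' was escaped (&lt;, &#60;, ...)
//   'absent'  - the token is not on the page (stripped, or the request never
//               reached the sink, e.g. an expired session cookie): inconclusive
function classifyReflection(body, token) {
  const lower = body.toLowerCase();
  if (!lower.includes(token.toLowerCase())) return 'absent';
  return lower.includes('<' + token.toLowerCase()) ? 'raw' : 'encoded';
}

// Constructed sample responses, for running this file outside Postman.
const SAMPLES = {
  vulnerable: `<div class="msg">Hello <${TOKEN}></div>`,
  fixed: `<div class="msg">Hello &lt;${TOKEN}&gt;</div>`,
  loginPage: '<form action="/login"><input name="uid"></form>',
};

if (typeof pm !== 'undefined') {
  // Inside Postman or Newman: two assertions, so a silent miss is not a pass.
  const result = classifyReflection(pm.response.text(), TOKEN);
  pm.test('probe reached the page', () => pm.expect(result).to.not.equal('absent'));
  pm.test('probe is HTML-encoded', () => pm.expect(result).to.not.equal('raw'));
} else {
  for (const [name, body] of Object.entries(SAMPLES)) {
    console.log(name, '->', classifyReflection(body, TOKEN));
  }
}
```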

Newman and your Pipeline

To really see the benefits of automated Postman tests, it’s best to add them as a build step using your Continuous Integration build pipeline software. Newman allows you to run Postman test collections whenever code is pushed to your repository.

Running a collection using Newman with an environment.

Try It Out

TargetPractice has vulnerable servers that you can hack to your heart’s content. Test real tools and exploits that work on live targets without going to jail. It’s not a crime if it’s TargetPractice.

Jonathan Cooper

I’m a cybersecurity consultant who develops software. I help agile teams deliver secure digital experiences to their customers.