
New Module: Postman spider #923

Merged

Conversation

domwhewell-sage (Contributor)

As discussed in #921.
This module will query the parent DNS_NAME against the Postman Public API Network. I decided against using the ORG_STUB, as using dork queries yielded better results in my case.

It will loop over any objects found (workspaces, collections, requests, APIs, flows and teams) to compile a list of workspaces to which these objects belong. It will then emit all sensitive locations within these workspaces that could contain secrets as URL_UNVERIFIED events, to be consumed by the secrets scanning modules.

The content of the URLs is in JSON format, but the secrets scanning modules should be able to pick up secrets from these.
Headers are in handy lists on these pages, but I decided against looping through this list and flagging any "Authorization" headers with this module, as that could produce too many false positives.

I have seen a request from a Postman workspace that had a real password in the body of a request, but this would be difficult to pick up using a secrets scanner. There is a discussion on this topic in #907, so having that look at HTTP_RESPONSE events would fit in nicely with this module.

domwhewell-sage changed the base branch from stable to dev, December 20, 2023 15:53
codecov bot commented Dec 20, 2023

Codecov Report

Attention: 12 lines in your changes are missing coverage. Please review.

Comparison is base (4c9ecb9) 92% compared to head (e441ea5) 92%.
Report is 17 commits behind head on dev.

Files                    Patch %   Lines
bbot/modules/postman.py  86%       12 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff           @@
##             dev    #923    +/-   ##
======================================
- Coverage     92%     92%    -0%     
======================================
  Files        297     299     +2     
  Lines      18498   18611   +113     
======================================
+ Hits       16989   17089   +100     
- Misses      1509    1522    +13     


domwhewell-sage marked this pull request as ready for review, December 20, 2023 18:26
TheTechromancer self-assigned this, Dec 22, 2023
TheTechromancer (Collaborator)

Nice work on this. I went ahead and tagged the URL_UNVERIFIED events as "httpx-safe" so they can be raised as HTTP_RESPONSE for excavate/secretsdb and any future secrets modules.

After the new changes I ran a test on ebay.com and holy moly... it was finding secrets left and right, not to mention a huge amount of subdomains. Awesome module.

TheTechromancer merged commit ba95225 into blacklanternsecurity:dev, Jan 3, 2024