Postman
When testing a typical web application, we first configure the system proxy to point to Burp Suite. From then on, every request can be inspected as we walk through the app. Launching attacks is easy because the user interface builds the requests for us, and Burp sees them on the wire. During normal operation a user enters data in a search field, for example, and the application constructs the GET or POST request with all the appropriate parameters before sending it. All of these valid requests are then available for replay, modification, and scanning through the attack proxy. Discovery is much simpler when there is a user interface to drive traffic generation.
If there is no user interface component and all we have is an API endpoint and some documentation to work with, it is very tedious to build a series of curl requests and manually parse the responses. If authentication is required for interaction, requesting tokens would be a nightmare for complex...