Why does Postman produce inconsistent security testing results compared to other API clients?
When testing an endpoint with an SQL injection in Postman, I receive a ‘201 Created’ response, which aligns with hitting a create endpoint.
However, sending the same request in other API clients returns a ‘401 Unauthorized’ response, which is the expected outcome for this scenario.
Is Postman unsuitable for basic security tests, such as sending SQL injections or attempting to drop a database?
Example payload:
{
  "code": "' OR '1'='1",
  "name": "<script>alert('XSS')</script>"
}
Hey @spaceflight-explore7
Welcome to the Postman Community!
There seems to be a lot of contextual information here. It's not clear what the rest of the request looks like: the HTTP method, auth, request headers, whether you've already made the same request to the same endpoints, what the implementation of the API for the database is, etc.
Which clients are giving you different results? Can you share examples of both requests side by side?
Ultimately, Postman isn't a dedicated security testing tool. It can provide you with the means to test security-based scenarios against an API, but there are other purpose-built tools out there that do a better job because they have been designed for that specific task.
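The reply above lists the request details that usually explain a 201-versus-401 discrepancy between clients: method, auth, headers and body. One way to take the GUI client out of the picture is to send the identical request from a script against a local stand-in for the API and vary one detail at a time. The following is an added example, not code from the original thread or from Postman: it starts a constructed stub server that answers 201 only when a bearer token is present, 401 without it, and 400 when the body is not valid JSON, then sends the thread's payload with and without the Authorization header. The URL, path, token value and the stub's behaviour are all assumptions for illustration.

```python
"""Send the same POST from a scripted client and isolate which request
detail (here the Authorization header, and body validity) explains a
201 vs 401 difference between API clients."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder credential for the constructed stub server (assumption).
EXPECTED_TOKEN = "example-token"


class StubApi(BaseHTTPRequestHandler):
    """Constructed stand-in for the API under test: 401 without the expected
    bearer token, 400 for a non-JSON body, 201 otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        if self.headers.get("Authorization") != f"Bearer {EXPECTED_TOKEN}":
            self.send_response(401)
            self.end_headers()
            return
        try:
            json.loads(raw)
        except ValueError:
            # A body containing a // comment is not valid JSON
            self.send_response(400)
            self.end_headers()
            return
        self.send_response(201)
        self.end_headers()

    def log_message(self, *args):
        # Keep the example quiet; the status codes are what we compare.
        pass


def start_stub():
    """Start the stub on a free loopback port and return the server object."""
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send(url, body, headers):
    """POST body to url with exactly the given headers; return the status code."""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# The payload from the question, as valid JSON (no inline comment).
PAYLOAD = json.dumps(
    {"code": "' OR '1'='1", "name": "<script>alert('XSS')</script>"}
).encode()


def compare_clients(url):
    """Vary one request detail at a time and record the status each variant gets."""
    base = {"Content-Type": "application/json"}
    with_auth = dict(base, Authorization=f"Bearer {EXPECTED_TOKEN}")
    return {
        "with_auth": send(url, PAYLOAD, with_auth),
        "without_auth": send(url, PAYLOAD, base),
        # Same auth, but a body with a // comment like the one in the question
        "with_auth_invalid_json": send(url, b'{"code": "x", //comment\n}', with_auth),
    }


if __name__ == "__main__":
    srv = start_stub()
    results = compare_clients(f"http://127.0.0.1:{srv.server_port}/items")
    srv.shutdown()
    print(results)
```

If the scripted request without an Authorization header gets 401 while the GUI client gets 201, the GUI client is attaching credentials (for example collection-level or inherited auth) that the other clients are not, which is the first thing to compare in the side-by-side requests the reply asks for.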