Imagine you found an IDOR/BOLA vuln in an API endpoint where the URL path is predictable. You want to build a Postman Flow that will iterate over every ID until you get a 500 status code, which tells you there are no more objects of that resource type left.
So you decide to use a repeat block, setting the index counter from 0 to 1000. You put in a “send request” block that takes the index as the input variable for each request and it works.
However, after 10 iterations, you hit the 500 code.
At this point, how do you exit the loop? Simply setting the “collection” block in the failure output node of the send request block is not enough. The repeat block continues on and on.
The docs say:
“For and Repeat blocks will stop repeating once this block is reached.”
We don’t have a way to break out of the repeat block. It’s meant to do something a specified number of times before it ends and have the results all accumulate in the collect block (I’ll update our docs to make that clearer).
There is another way to solve this though, with an evaluate block that increments a counter just like the repeat block would, and an if block to check the condition and break when a 500 status is returned.
If you attach a log block to the Collect block list you’ll see values 5-9 are in there, so the repeat block still finishes all its iterations. If you put in a much larger number like 1000 to start with, you’ll see it still takes a while to complete because it will go through all 1000 iterations.
You need to connect some input to the trigger variable. Every variable in a flows block is considered required and the block won’t execute until it receives every required input. In this case, trigger receives an input only once, and then never again. You can either remove the trigger variable altogether (the start block isn’t required to be connected for the flow to run locally) or re-trigger it based on the output of the true/false in your if block.