Heya everyone,
I recently wrote an article on how to hack APIs with AI using Postman. Hopefully, you get a chance to read it.
I was hoping to start a thread where we can share with each other interesting prompts we were able to produce to get Postbot to produce decent code for security testing. If you have any such prompts, share them with the community here.
I’ll go first. Here are a few useful ones to get you thinking:
Looking for Local File Injection (LFI) and directory traversal vulns
add a test that injects the value “…/…/…/…/…/etc/passwd” into the “query” parameter of this request. Fail this test if the response body contains the word “root”.
Fetching an external wordlist for LFI detection
Add a test that loops through an array of LFI payloads fetched from https://raw.githubusercontent.com/danielmiessler/SecLists/master/Fuzzing/LFI/LFI-Jhaddix.txt and pollutes the “query” parameter of each request. If the word “root” is anywhere in the response body fail the test.
(see my blog post on why that response test isn’t quite right)
Testing for SSTI vulnerabilities
Add a test that loops through an array of SSTI detection payloads fetched from the line-delimited text file at https://tinyurl.com/ssti-detection and pollutes the “query” parameter of each request. If the value “49” is anywhere in the response body fail the test.
Testing for Command Injection vulnerabilities
write a test that loops through an array of common command injection payloads and inserts them into the “query” parameter of this request. For each item in the array send one request URL encoded, and one that is not.
Hope that helps get the discussion started. I look forward to seeing what sort of prompts you come up with and share!!