These instructions are the bare minimum sets of data in order to provide test data for a pentest. If you already use Insomnia within your environment and want to provide the data for pentesting, please scroll down to the ‘Exporting Insomnia Workspaces’ section. How to Use Insomnia To Create Data for Pentesting Oftentimes Insomnia does not need to be used again after performing the initial API call. From there, pentesters use the Intercepting Proxy to perform various active and manual testing by interacting with the API directly. Using pre-built test data will greatly speed up the pentesting timeframe, often lowers the pentest project cost, and provides higher pentest report quality. Very simply, Insomnia is used to proxy pre-built and known good API calls into various Intercepting Proxy tools (such as Burp or OWASP ZAP). It is often selected due to its free and open source nature. It supports REST APIs, along with importing Curl and Swagger files. About InsomniaĪccording to their website, Insomnia (and more specifically Insomnia Core) is a free “cross-platform desktop application that takes the pain out of interacting with HTTP-based APIs.” Developers can use Insomnia to share ‘workspaces’ of API calls to perform QA testing of their application. In this post, we will focus on using the Insomnia program to provide data. As such, pentesters should ask for test data and the ability to access the API for security testing. It may not be possible to provide a URL to a pentester and say test everything underneath this. However, an API may not be as straightforward to test as a web application. Similar to web applications, web APIs (Application Programming Interfaces) should undergo security testing to determine whether or not any vulnerabilities exist. Check back in the near future for additional content. This is one part of a series of posts on how to prepare your API for a pentest.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |