Idea: Postman Workspace Spider #921
Replies: 4 comments 2 replies
-
I 100% support this idea. This relates back to your suggestion about trufflehog because ideally we want to have a single module responsible for extracting secrets/goodies from text, which would consume data from multiple other modules like httpx, github, and postman. This would simplify this module since all it would need to do is retrieve the data itself.
-
Yeh my thinking with this one is it could be exactly like the current Again we would need some way to verify that the discovered postman workspace is actually in-scope before it's pillaged. But that shouldn't be too difficult.
-
Migrating to discussion.
-
New postman tool: https://github.com/MandConsultingGroup/porch-pirate Our module already does most of this but still it looks like it might have some good tricks. I'm looking forward to when we can start feeding HTTP_RESPONSE events into trufflehog.
-
Description
I have seen a few OSINT reports of late with secrets obtained via public Postman workspaces. Many organizations with APIs may use Postman, and signing up for a free account saves all the user's workspaces online. There is a privacy toggle in Postman but I believe by default this is disabled. It may be a good place to look for secrets.
An organization can be determined from the DNS_NAME event, pop this organization into a GET request https://www.postman.com/search?q=$organization&scope=all&type=workspace and spider all the returned workspaces. It could be a source of email addresses and secrets.
Here is a link to a medium article on the subject https://medium.com/@utkarshporwal24/exposed-postman-collections-ed6086b96ba5
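The two pieces the thread asks for, building the search request from a DNS_NAME and verifying that a discovered workspace's requests are actually in scope before anything is spidered, as an added example that is not bbot's postman module. The organization-name heuristic (label left of the TLD) and the sample request URLs are assumptions constructed for the example.

```python
from urllib.parse import urlencode, urlsplit

# Search endpoint exactly as quoted in the original post
POSTMAN_SEARCH = "https://www.postman.com/search"


def org_from_dns_name(dns_name: str) -> str:
    """Derive a search keyword from a DNS_NAME.

    Assumption for this example: the label left of the TLD is the organization
    (api.example.com -> example). A real module would use a public-suffix list
    so that e.g. example.co.uk is handled correctly.
    """
    labels = dns_name.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def search_url(organization: str) -> str:
    """Build the workspace search GET request described in the post."""
    params = {"q": organization, "scope": "all", "type": "workspace"}
    return f"{POSTMAN_SEARCH}?{urlencode(params)}"


def host_in_scope(host: str, scope_domains) -> bool:
    """Label-boundary suffix match: api.example.com is in scope for
    example.com, but notexample.com and example.com.evil.test are not."""
    host = host.lower().rstrip(".")
    for dom in scope_domains:
        dom = dom.lower().rstrip(".")
        if host == dom or host.endswith("." + dom):
            return True
    return False


def filter_in_scope(request_urls, scope_domains):
    """Keep only collection request URLs whose host is in scope; everything
    else belongs to an unrelated workspace and must not be spidered."""
    kept = []
    for url in request_urls:
        host = urlsplit(url).hostname
        if host and host_in_scope(host, scope_domains):
            kept.append(url)
    return kept


if __name__ == "__main__":
    # Constructed sample: requests from a search hit mixed with unrelated hosts
    sample_requests = [
        "https://api.example.com/v1/users",
        "https://staging.example.com:8443/health",
        "https://notexample.com/api",
        "https://example.com.evil.test/login",
    ]
    print(search_url(org_from_dns_name("api.example.com")))
    print(filter_in_scope(sample_requests, ["example.com"]))
```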