Pentest with Postman Collection


This page explains how to use Postman collections to create a PAC configuration that can be used to conduct API pentesting using Prancer. It requires the creation of a GitHub repository and a new/existing GitHub access key. The Postman collection file to be tested must be added to the created repository. The configuration file must be updated by adding the APIScan field and configuring its fields with the relevant values, such as OpenAPI type and git direction provider. Once the configuration file is completed, the pentest can be run by clicking the start button on the PAC management screen. After completion of the pentest, the results can be viewed on the application security findings page.

Many developers use Postman to develop and test their APIs. PAC provides a feature to load all the API endpoints from Postman collections and use them to pentest the API application. The following tutorial will help you to create PAC Config, which is helpful to setup Open API to do Pentest for provided target machine And for provided API's under the OpenAPI file.


1) Create Github Repository private/public.

2) Generate new/Existing Github AccessKey, with several permission i.e clone project.

3) Postman Collection File to be added in above created Repo eg for sample.

  • Create PAC Config using following Steps

  • Create and upload a Git connector file using following Steps

Update the PAC Config file:

  • Open the PAC Management screen and click on PAC Configuration for which you want to add the script.


Add the APIScan field in the PAC configuration file.

  Type: OpenAPI             <----- It Must be OpenAPI
  DirectionProvider: git    <----- It must be git
  Connector: <<git-connector>>
  PostmanRemoteFile: <<git location for template file eg. remote_postman/postman_collection.json>>
  PostmanEnvRemoteFile: <<git location for template file eg. remote_postman/postman_environment.json>>
Field Value Description
Type* Type of Direction The Type contains either OpenAPI
DirectionProvider* Open API Direction Provider The Direction Provider contains either git
Connector* connector name the Connector name would be file name of git connector.
PostmanRemoteFile* template path Provide location on Git repository must have Postman Collection file located.
PostmanEnvRemoteFile params path Provide location on Git repository must have Postman environments file file located.

You can find Complete PAC File like this

Collection: aws_connection
ConnectionName: aws_connection_connector
CloudType: aws
ApplicatioName: postman_open_api
RiskLevel: safe
ApplicationType: APIScan
Schedule: onetime
Target: <<Target End Point >>
# You can use postman collection as code for running attack inside the prancer.
# PostmanCollectionRepo can include the repository of the postman collection.
# Postman remote files should include a path which has postman collection file and
# for postman env remote files, if you have environment variable file you can put
# the path inside the postmanEnvRemote file so prancer will go and extract the env
# variables and their values and merged it with postman collection.
  Type: OpenAPI
  DirectionProvider: git
  Connector: git_connector
  PostmanRemoteFile: postman-convertor/crAPI Accepted.postman_collection.json
  PostmanEnvRemoteFile: postman-convertor/Crapi.postman_environment.json
  exclude: []
  include: []
        AfterRun: delete
            AccountId: "<<Account Id >>"
            Region: us-west-2
            TaskDefinition: pentest-task
            ClusterName: pentest-cluster
            SecurityGroup: pentest-security-group
            ContainerName: prancer-scanner
            SubnetId: <<Subnet ID >>
AuthenticationMethod: jwtAuthentication
    UsernameSecretKey: crUsername
    PasswordSecretKey: crPassword
    LoginUrl: /identity/api/auth/login
    LogoutUrl: /identity/api/auth/logout
    LoginBodyTemplate: '{"email":"%username%","password":"%password%"}'
    LoginIndicator: ^.*token.*$
    AuthorizationType: Header
    AuthorizationKey: Authorization
    AuthorizationTokenType: Bearer
      SecretManager: arn:aws:secretsmanager:us-west-2:<account-id>:secret:<name>
      Region: us-west-2
      AccountId: "<<account-id>>"
# All the addons ID listed on link
#  - accessControl
#  - ascanrulesAlpha

Run the Pentest:

  • Click on start button to run the pentest.


  • After sometimes when the Pentest will complete then you can see the results by click on See Latest Results link.


  • It will open the Application Security Findings page.