What can be achieved with a leaked Postman API key?

waike · December 31, 2019, 1:27pm

I found a leaked Postman API key for a Bugcrowd program. Is this a serious issue? What can be achieved?

geekspeed · January 8, 2020, 1:38pm

A fair bit.

Get all collections:

curl --location --request GET https://api.getpostman.com/collections’
–header 'X-Api-Key: [api key]

(You can also add/update/delete)

Get all environments
curl --location --request GET ‘https://api.getpostman.com/environments’
–header 'X-Api-Key: ’
(Add, update an delete as well)

Get the owner:
curl --location --request GET ‘https://api.getpostman.com/me’
–header 'X-Api-Key: ’

Get all the things (api)

curl --location --request GET ‘{{url}}/apis?workspace={{workspaceId}}’
–header ‘x-api-key: {{apiKey}}’
–header ‘Content-Type: application/json’

You can also just delete everything…

Take a gander here:

Fran1k · June 5, 2020, 1:22pm

It also going to use Postman as an API client to create requests to the API.

afkomstiglk · July 27, 2020, 10:20pm

Great articles thanks for sharing this awesome blogs

Topic		Replies	Views
Possible API Key Leak? Web Hacking	6	3935	July 20, 2022
API Key and OAuth Token Disclosure Web Hacking	0	1502	November 23, 2019
Need API hacking protips Starter Zone	1	6269	December 10, 2020
Sentry.io secret key exploitation Web Hacking	3	7151	May 2, 2020
Possible Access Control Bug? Web Hacking	6	1670	October 26, 2019