How can we do VAPT using OWASP ZAP in microservices? - spring-boot

I had gone through the OWASP ZAP and I found that ZAP requires endpoint of the web application.
But still, I tried to provide the URL of the REST APIs of our microservices, but I was getting a 404 error. What I think is that OWASP ZAP scans on the HTTP GET method and doesn't allow the POST method or others.
Below is the screenshot of ZAP:
Link to the screenshot of ZAP
I know there is a post related to testing of REST APIs, but that post was not fully clear to me and was also not related to microservices.
Please recommend any better open-source software and a way through which we can do our VAPT test easily.
Thanks

The ZAP Quick Start option only supports GET requests, but you can easily send POST requests using the Manual Request dialog. With APIs the main problem is how to discover them. Does that endpoint link to all of the other API endpoints?
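Added example, not code from the question or the answer above: the discovery problem the answer raises is usually solved by importing the service's OpenAPI definition into ZAP, which teaches it every path and method (POST included) before an active scan. The script below drives that flow through ZAP's own REST API (/JSON/<component>/<action|view>/<name>/) with only the standard library. The ZAP address, the API key and the microservice URLs are assumptions; it is written for a service you operate and that publishes its OpenAPI document. The transport is injectable so the orchestration can be checked without a running ZAP.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed: a ZAP daemon reachable on this address, with this API key (Tools > Options > API).
ZAP_API = "http://localhost:8090"
ZAP_API_KEY = "REPLACE-WITH-YOUR-ZAP-API-KEY"


def zap_url(component, kind, name, **params):
    """Build a ZAP REST API URL of the form /JSON/<component>/<action|view>/<name>/?..."""
    params["apikey"] = ZAP_API_KEY
    return f"{ZAP_API}/JSON/{component}/{kind}/{name}/?" + urllib.parse.urlencode(params)


def http_fetch(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def summarize_alerts(alerts):
    """Group ZAP alerts by risk level into sorted, de-duplicated (alert name, URL) pairs."""
    by_risk = {}
    for alert in alerts:
        by_risk.setdefault(alert["risk"], set()).add((alert["alert"], alert["url"]))
    return {risk: sorted(pairs) for risk, pairs in by_risk.items()}


def scan_rest_api(openapi_url, target, fetch=http_fetch, wait=time.sleep):
    """Import an OpenAPI definition, active-scan the target and return its alerts by risk.

    `fetch` and `wait` are injectable so the flow can be exercised without a live ZAP.
    """
    # 1. Importing the definition is how ZAP discovers every path and HTTP method,
    #    including POST/PUT/DELETE, which a plain GET spider would never find.
    fetch(zap_url("openapi", "action", "importUrl", url=openapi_url, hostOverride=target))
    # 2. Start an active scan against the imported endpoints; ZAP returns the scan id.
    scan_id = fetch(zap_url("ascan", "action", "scan", url=target, recurse="true"))["scan"]
    # 3. Poll until the scan reports 100 percent complete.
    while int(fetch(zap_url("ascan", "view", "status", scanId=scan_id))["status"]) < 100:
        wait(5)
    # 4. Collect the alerts raised for the target and group them by risk.
    alerts = fetch(zap_url("core", "view", "alerts", baseurl=target, start="0", count="500"))["alerts"]
    return summarize_alerts(alerts)


if __name__ == "__main__":
    # Assumed URLs: a Spring Boot microservice you run that serves its OpenAPI document.
    report = scan_rest_api("http://localhost:8080/v3/api-docs", "http://localhost:8080")
    print(json.dumps(report, indent=2))
```

The 404 from the question is what you get when ZAP only knows the base URL and guesses at paths; once the definition is imported, the Sites tree shows each operation with its real method and ZAP sends the scan payloads through those.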

Detect Request sent from Postman

I want to make a request to verify people's ID using laravel. Since it's very credential, I want to make it available only if they verify it from their mobiles.
So it must be prevented that the IDs are verified from postman request.
Is there a way to detect that a request is sent from postman or not?
Any idea would be very appreciated :).
Thank you before
Postman has a tendency to send a header called something like postman-token so you could block the request if such a header exists.
Edit: Note that this header can be turned off in Postman settings.
As @EdwardChew wrote, this does NOT prevent people from using Postman/curl/Python/anything else. Adding authentication to the endpoint is the best approach.
Sample postman request:
GET /api/car HTTP/1.1
Host: localhost:8080
Content-Type: application/json
cache-control: no-cache
Postman-Token: 05f5c492-3697-41b1-be0f-fb9bc4499b96
Since postman has the "code" feature, if the request is blocked it is simple to copy it as a curl command:
curl -X GET \
http://localhost:8080/api/car \
-H 'Content-Type: application/json' \
-H 'Postman-Token: e37790ea-a3a5-40cf-ac4c-b80184801f94' \
-H 'cache-control: no-cache'
and just deleting the line with the Postman-Token header. I normally do so when experimenting with APIs.
If you look at the Laravel documentation, there is a section on authorization: https://laravel.com/docs/5.8/api-authentication
which would force users to add a header token something like this: Authorization: Bearer 8fyew8f9yefo7o9yg98gyr and you would then be able to verify the caller.
So it must be prevented that the IDs are verified from postman request.
Is there a way to detect that a request is sent from postman or not?
Checking that it comes from Postman is easy for requests sent from Postman where the boxes are checked for Postman-Token and/or User-Agent:
So you would add a check for them in your backend, but then the attacker would not send the Postman-Token header, and for the User-Agent we will just send exactly the same one your mobile app/browser sends, thus easily bypassing your checks. By the way, Postman is not the only tool; others exist like Insomnia, and then you also need to remember that requests may also come from a proxy like mitmproxy, Burp, ZAP, Charles, and many others. Do you get the point... it's not feasible to rely on headers to identify what is doing the request.
I highlighted the word what because who is in the request for your API backend is not the same as what is doing it.
The Difference Between WHO and WHAT is Accessing the API Server
In an article I wrote, entitled Why Does Your Mobile App Need An Api Key? you can read more about the difference between who and what is accessing your API server, but I will quote the following from it:
The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?
The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.
So the who is the user of your API server that you will be able to Authenticate and Authorize access to the data, and the what is the software making that request on behalf of the user: your genuine web/mobile app, a tampered one, an automated script or someone manually poking around with your API via cURL, Postman or other similar tools.
By now I hope that you have enough knowledge to understand why the user(who) authentication is not the same as app(what) authentication/attestation.
POSSIBLE SOLUTIONS
I want to make a request to verify people's ID using laravel. Since it's very credential, I want to make it available only if they verify it from their mobiles.
It's not clear if you mean from a mobile browser or mobile app, but I will provide possible solutions for both.
For Mobile Apps
To learn how you can lock your API server to your mobile app I recommend you to read my answer to the question How to secure an API REST for mobile app? for the sections on Securing the API Server and A Possible Better Solution.
For web apps
Due to the nature of how the web was built, all you need is to hit F12 or inspect the page source, and then search for whatever you need to access the API server from another tool.
To learn some useful techniques to try so that your API server only responds to requests coming from What you expect, your genuine web app, I invite you to read my answer to the question Secure api data from calls out of the app, especially the section dedicated to Defending the API Server.
DO YOU WANT TO GO THE EXTRA MILE?
I don't know if you already read some of the OWASP resources I am about to link, but in any response for a security question I like to reference the amazing work from the OWASP foundation ;)
For Web Apps
OWASP Web Top 10 Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
The Web Security Testing Guide:
The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
For Mobile Apps
OWASP Mobile Security Project - Top 10 risks
The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.
OWASP - Mobile Security Testing Guide:
The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.
For APIS
OWASP API Security Top 10
The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
I think instead of detecting whether the request comes from Postman, it is better for you to protect the endpoint with authentication.
With this, even though the user submitted a request through Postman, you can still make sure that it is the user itself who made the request.
Please do let me know if there are actually other concerns bothering you. Cheers :)
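Added example serving the three answers above, not code from any of them: it puts the first answer's "block requests carrying Postman-Token" check next to the authentication the later answers recommend, and runs both over the same constructed headers. The Postman request is the one quoted in the first answer; the "stripped" request is what remains after the Postman-Token line is deleted from the copied curl command. The token scheme (a user id plus an HMAC-SHA256 tag under a server secret) and the secret value are assumptions made for the demonstration; Laravel's own API tokens play the same role in the linked documentation.

```python
import base64
import hashlib
import hmac

# Constructed demo secret; a real deployment loads this from configuration, never from source.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(user_id: str) -> str:
    """Mint a token bound to a user id: base64url(user_id || HMAC-SHA256(secret, user_id))."""
    payload = user_id.encode()
    mac = hmac.new(SIGNING_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token: str):
    """Return the user id the token was issued for, or None if it is malformed, forged or altered."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SIGNING_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return payload.decode()


def _normalize(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def header_blocklist_policy(headers) -> bool:
    """The first answer's idea: let the request through only if no Postman-Token header is present."""
    return "postman-token" not in _normalize(headers)


def bearer_auth_policy(headers):
    """Authenticate the caller instead: accept only a valid `Authorization: Bearer <token>`.

    Returns the authenticated user id, or None when the request must be rejected.
    """
    scheme, _, token = _normalize(headers).get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return verify_token(token.strip())


# Constructed headers, as Postman sends them (the sample request in the first answer).
POSTMAN_REQUEST = {
    "Host": "localhost:8080",
    "Content-Type": "application/json",
    "cache-control": "no-cache",
    "Postman-Token": "05f5c492-3697-41b1-be0f-fb9bc4499b96",
}
# The same request after the Postman-Token line is deleted from the copied curl command.
STRIPPED_REQUEST = {k: v for k, v in POSTMAN_REQUEST.items() if k != "Postman-Token"}


def demo():
    """Run both policies over the constructed requests and return the decisions."""
    forged = base64.urlsafe_b64encode(b"admin-1" + b"\x00" * MAC_LEN).decode()  # no valid MAC
    return {
        "blocklist/postman": header_blocklist_policy(POSTMAN_REQUEST),      # False: blocked
        "blocklist/stripped": header_blocklist_policy(STRIPPED_REQUEST),    # True: the check is bypassed
        "bearer/no_token": bearer_auth_policy(STRIPPED_REQUEST),            # None: rejected
        "bearer/forged": bearer_auth_policy({**STRIPPED_REQUEST, "Authorization": "Bearer " + forged}),  # None
        "bearer/valid": bearer_auth_policy({**STRIPPED_REQUEST, "Authorization": "Bearer " + issue_token("user-42")}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The blocklist decision flips from "blocked" to "allowed" by removing one header line, which is exactly the bypass the second answer describes; the bearer policy does not care which client sent the request, only whether it presents a token the server issued.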

What is Wiremock and can I use it to test my Rest API in Spring?

I created a REST API with Spring and want to test it. I saw WireMock but I don't really know how this library can help me. Can I use it to test my REST API, or is it to mock another API my API uses, so that I can ensure that a mistake is coming from my service?
What exactly do you mean by "want to test it"? How would you be "testing" your API? What would a pass/failure look like?
WireMock is a mock server service. It acts as an API that can feed in responses that you have defined (or even proxy an existing API and feed in responses it gets from there.) I usually use it in place of an unreliable API, to act as the back end for the app that I am using.
If you are looking for a library that you can use to ping your API, I've had success using REST-Assured. If you are looking for a program you can use to ping your API, Postman is my app of choice.

API Gateway: can I POST to a method/resource with an API key, but by providing the key in the URL params instead of a header?

So, I set up a couple Lambdas and the API gateway. I got it all working! Cool, so then the next step was to require an API key. Ok cool plenty of resources out there on how to set it up.
So I got that working as well and I could POST using postman and python (requests). I can provide the 'x-api-key' in the headers of the POST and it works, no issues.
HOWEVER, and here's the problem: the program I'm going to ultimately be using to POST to my gateway API doesn't allow you to edit the details of your POST. The program is called Splunk; here's what it looks like. Basically it posts some payload for you; the headers/auth/body can't be edited by you, it just sends some pre-configured thing. You just provide the endpoint and it does the rest. This works if I do not require an API key.
So I started thinking, ok no huge problem, I have seen APIs before where you provide the API-Key in the URL and it authenticates you fine. So this would be something like:
https://exampleAPI/sendmydata?x-api-key=12345
However, I cannot get this to work in AWS for the life of me. I haven't found anything by googling. Is this something that's even possible?
Thank you!
If you must use API key usage plans, you could consider getting the posted API key parameter to API Gateway endpoint A from LambdaA and proxy it with the relevant headers to API Gateway endpoint B.
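Added example of the relay the answer describes, not code from the question or the answer: a Lambda behind endpoint A (no key requirement) reads x-api-key from the query string, rebuilds the caller's POST and forwards it to endpoint B with the key in the x-api-key header that API Gateway's usage plans expect. The endpoint B URL is a placeholder; the event shape is the API Gateway REST (Lambda proxy) integration format. The sender is injectable so the translation can be checked without AWS. One caveat worth keeping in mind with this design: a key in the URL is written to access logs and to any intermediate proxy logs, so treat those logs as secrets too.

```python
import base64
import json
import urllib.error
import urllib.request

# Placeholder: the URL of endpoint B, the stage/resource that actually requires the API key.
ENDPOINT_B = "https://REPLACE-WITH-ENDPOINT-B.execute-api.REGION.amazonaws.com/prod/sendmydata"


def extract_api_key(event):
    """Read x-api-key from the query string of an API Gateway REST (Lambda proxy) event."""
    params = event.get("queryStringParameters") or {}
    return params.get("x-api-key") or None


def build_upstream_request(event, api_key):
    """Rebuild the caller's POST for endpoint B, moving the key into the x-api-key header."""
    body = event.get("body") or ""
    data = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    incoming = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    headers = {
        "x-api-key": api_key,  # the only place API Gateway usage plans look for the key
        "Content-Type": incoming.get("content-type", "application/json"),
    }
    return urllib.request.Request(ENDPOINT_B, data=data, headers=headers, method="POST")


def forward(request):
    """Send the request and return (status, body); gateway errors arrive as HTTPError."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def lambda_handler(event, context=None, send=forward):
    """Entry point for the relay Lambda behind endpoint A."""
    api_key = extract_api_key(event)
    if not api_key:
        return {"statusCode": 401, "body": json.dumps({"message": "x-api-key query parameter required"})}
    status, body = send(build_upstream_request(event, api_key))
    # Endpoint B's verdict (200, or 403 for a bad/missing key) is passed straight back.
    # The key itself is never echoed or logged here; the query string already lands in access logs.
    return {"statusCode": status, "body": body}
```

Endpoint B still enforces the usage plan, so an invalid key produces the same 403 it would for a direct call; the relay only changes where the key travels.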

services working fine on rest client but not on Jmeter

I am performing load testing of my web based application.
The service page is working fine on Advance Rest Client application but it is giving 404 page not found error on Jmeter.
Please guide me how to resolve.
404 means your url is probably wrong.
Show your configuration of Test plan for further details.
Add View Results Tree listener to inspect request and response details, HTTP 404 response code usually stands for non-existent URL.
Most likely you'll also have to add HTTP Header Manager to send the relevant Content-Type header as your request might not be properly handled due to missing or incorrect content type.
I would recommend using a sniffer tool like Wireshark to compare what's being sent by the "Advance Rest Client" and by JMeter and tweak the JMeter test accordingly. If you fail to figure that out by yourself, you can upload captured traffic files somewhere so we could take a look.
See Testing SOAP/REST Web Services Using JMeter guide for baseline JMeter configuration for testing web services.

Analyzing POST request PhoneGap

I am making an app using PhoneGap and I am sending a POST request to a web service. Now I need to analyze the request that is being sent. What tool should I use to do that - Wireshark ?
I'm using a Mac.
An easy way to see what the post looks like is to post it to something like http://requestb.in/. That way you can test it from your app itself. Basically, change where you're posting to, to the post bin you create.
Wireshark can do that, but it does a lot more than monitoring HTTP-based requests.
Try using Fiddler for that.
http://www.fiddler2.com/fiddler2/version.asp
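Added example, not code from either answer: a self-hosted request bin built on the standard library, which does the same job as the hosted bin suggested above while keeping the captured request (credentials included, if the app sends any) on your own machine. It records method, path, headers and body of every POST and replies with JSON, so the app's request can be inspected without a proxy or a packet capture. The path and payload in the usage are constructed; point the app at the printed URL instead.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class CaptureHandler(BaseHTTPRequestHandler):
    """Records every POST it receives (method, path, headers, body) and replies 200."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        self.server.captured.append({
            "method": self.command,
            "path": self.path,
            # header names are case-insensitive; store them lower-cased for easy lookup
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body.decode("utf-8", errors="replace"),
        })
        reply = json.dumps({"captured": len(self.server.captured)}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; the capture list is the record


class CaptureServer(HTTPServer):
    def __init__(self, address):
        super().__init__(address, CaptureHandler)
        self.captured = []


def start_capture_server(host="127.0.0.1", port=0):
    """Start the bin on a background thread; port 0 picks a free port. Returns the server."""
    server = CaptureServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def post_json(url, payload):
    """Send a JSON POST the way the app would; returns the bin's reply as a dict."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    server = start_capture_server()
    host, port = server.server_address
    url = f"http://{host}:{port}/webservice/login"  # constructed path
    print("point the app's POST at", url)
    post_json(url, {"user": "demo", "pin": "1234"})  # constructed sample payload
    print(json.dumps(server.captured, indent=2))
    server.shutdown()
```

On a Mac the app running in the iOS Simulator can reach 127.0.0.1 directly; a physical device needs the Mac's LAN address in place of 127.0.0.1, which means binding to that address (or 0.0.0.0) when starting the server.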
