Testing Postman APIs with Fuzzing

Postman Collections are a great way to document, test, and share your APIs.  Combined with Newman, Postman allows you to reuse your test suites to create a CI/CD pipeline so you can test at every push. Automated CI testing helps you put guard rails in place to ensure that errors are caught early in development instead of in a production incident!

With Mayhem, you can squeeze even more testing out of your existing Postman collections, without having to write any additional tests. As opposed to Newman which requires you to provide values for request parameters, Mayhem comes up with those values automatically!

Mayhem  generates all sorts of values for those parameters using a custom fuzzing engine without any assistance from you.

Did you test that your endpoints support non-printable characters or invalid UTF-8 �? Japanese characters ブーム? Emojis 💥 ? And did you test apostrophes or ‘../../’ don’t lead to security vulnerabilities? Yeah, neither did we until we had Mayhem.

{{api-cta}}

It’s a huge pain to test all the edge cases on every single endpoint and API parameters. If you did that, you’d face a combinatorial explosion of tests to handle every possibility. Those tests would become a pain to maintain, slowing down development significantly every time you have to make a change.

Using Mayhem to Test Your Postman Collection

Let’s go through an example together on how you’d use Mayhem to fuzz your Postman API. If you want to follow along, sign up for a 30-day no-strings-attached free trial. 

Here's a Postman collection for a demo API. It lists a few GET/POST/PUT endpoints like any other postman collections you might have. To fuzz it, you simply have to call Mayhem and give it the path to the postman collection as well as the URL where it’s running:

mapi run -i --url https://demo-api.mayhem4api.forallsecure.com/api/v3/
postman-demo 20 ~/Downloads/petstore.postman.json

You’ll start seeing the Mayhem terminal UI, and some red endpoints (indicating bugs!) show up almost immediately:

And here you go: Mayhem generates a ton of requests to your API  automatically, extending test coverage of your API. It tests the weird edge cases nobody wants to test manually.

If your API was running on localhost (either on your dev machine or in CI), Mayhem would send hundreds of requests per second to your API. If that’s not enough, you can use `-j` to parallelize the fuzzer (load testing anyone?)

If you want to see more details about the bugs, the request that triggered bugs are included in our junit and html reports. Those reports are especially useful in CI. Here’s what the html report looks like on this API after a couple minutes of fuzzing:

Want to test your own APIs? Head over to Mayhem & get started for free!