Inspiration

Web servers sometimes disclose more information than they should. Many disclose details such as the technology and version they are running, which makes it easy for hackers to leverage exploits against them. They are still using outdated technology versions that have well-known bugs and are vulnerable as a result. We wanted to make it easy for developers and pentesters alike to enumerate these vulnerabilities, understand their severity, and take appropriate action, such as preventing information disclosure or upgrading the technology version. We want to increase awareness around this.

What it does

For a particular technology and version, our Pentesting with Postman collection outputs a list of related CVEs (Common Vulnerabilities and Exposures) along with their severity. We have 3 requests in our main collection.

GET technologies request

Given a URL, this request tries to sniff technologies and versions. This is a rudimentary script and may not produce results for every URL. More sophisticated tools, Nmap and Nikto for example, may be used for this step.

For the demo video we use an intentionally vulnerable URL.

GET CPE request

CPE is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices. We search for CVEs by CPE rather than by keyword to obtain greater accuracy.

In the demo the result has a single CPE, but there may be multiple. In that case we need to choose the CPE that best matches the component.

GET CVE request

Here we search and display CVEs associated with the CPE supplied.
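The sketch below walks the first two steps offline: it reads name/version tokens from a response header value and picks the candidate CPE that best matches one of them, rejecting candidates for a different version so the CVE lookup does not report issues that do not apply. It is an added example, not code from the collection; the function names, the scoring weights and the sample banner and CPE list are constructed assumptions.

```javascript
// Added example: helper names and sample data are constructed for illustration.

// Step 1: pull "name/version" tokens out of a Server or X-Powered-By value.
function parseBanner(value) {
  const found = [];
  for (const m of value.matchAll(/([A-Za-z][\w.+-]*)\/(\d[\w.-]*)/g)) {
    found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Step 2: split a CPE 2.3 formatted string on ':' while honouring '\:' escapes.
function parseCpe23(cpe) {
  const f = cpe.match(/(?:\\.|[^:\\])+/g) || [];
  if (f.length !== 13 || f[0] !== 'cpe' || f[1] !== '2.3') {
    throw new Error('not a CPE 2.3 formatted string: ' + cpe);
  }
  return { part: f[2], vendor: f[3], product: f[4], version: f[5] };
}

// Score one candidate; 0 means "do not use this CPE for the CVE lookup".
function scoreCpe(tech, cpe) {
  const c = parseCpe23(cpe);
  const name = tech.name.toLowerCase().replace(/[^a-z0-9]+/g, '_');
  let score;
  if (c.product === name) score = 2;
  else if (c.vendor === name) score = 1;
  else return 0; // unrelated component
  if (c.version === tech.version) return score + 3;
  if (c.version === '*') return score + 1; // any version: usable but imprecise
  return 0; // a different version would list CVEs that do not apply
}

// Return the highest-scoring candidate, or null when nothing matches.
function pickBestCpe(tech, candidates) {
  let best = null, bestScore = 0;
  for (const cpe of candidates) {
    const s = scoreCpe(tech, cpe);
    if (s > bestScore) { best = cpe; bestScore = s; }
  }
  return best;
}

// Constructed sample data (not output from the collection or the NVD API).
const banner = 'Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f';
const candidates = [
  'cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*',
  'cpe:2.3:a:apache:http_server:2.4.40:*:*:*:*:*:*:*',
  'cpe:2.3:a:apache:http_server:2.4.41:*:*:*:*:*:*:*',
];
console.log(pickBestCpe(parseBanner(banner)[0], candidates));
```

A banner can be edited or removed by the server operator, so a match here is a lead to confirm, not proof of the running version.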

How we built it

We mainly used free public APIs provided by the NVD (National Vulnerability Database). The documentation for this API can be found in these PDFs: CPE and CVE.

In our workspace we have also included an alternative API collection published by CVE-search, a nice project that also provides APIs centered on CVEs and CPEs. Note that all CVE-Search endpoints in the collection are not public; in case the NVD endpoints are down, they can be hosted locally using a Docker image, as outlined on the GitHub page.

Challenges we ran into

Not being advanced users of Postman, we found it challenging to get started, but we made progress with the help of tutorials and documentation.

What's next for Pentesting with Postman

  • Downloading the result table as a PDF would be a useful feature to have.
  • Better ways to import data, perhaps directly from Nmap/Nikto scans.