Intigriti - Hack Hub

Postman API Platform: Public Workspaces

Last updated 12 months ago

Description:

Postman API is a popular collaboration platform used by developer teams to help them develop APIs faster. Workspaces are the way developers share API collections and related code with each other on Postman.

Postman Workspaces can contain hard-coded data, for example credentials that were saved for testing purposes and never removed.

That means that if you share your Postman API workspace with the public, it may expose that sensitive data to anyone who visits it.

Testing:

You can cross-check whether your target uses Postman API, and whether it has a public workspace, by visiting its public Postman profile:

https://www.postman.com/{companyName}/?tab=workspaces

Remediation:

To change the visibility of your Postman API workspace:

  1. From your profile, go to your Workspaces.

  2. Next, open the Workspace you'd like to change the visibility of.

  3. Click on Workspace Settings.

  4. Click on "Who can access this workspace?" to unfold the available options.

  5. Finally, select Only me to change the visibility of your workspace and make it accessible only to you.

Always follow best practices and never leave any hard-coded credentials in your code.
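The advice above (hard-coded test data in workspaces, and never leaving credentials in what you share) is easiest to act on before a workspace goes public. The script below is an added example, not part of Misconfig Mapper or of Postman: it audits an exported Postman collection or environment for literal secrets. It assumes the Postman Collection v2.1 export layout (folders nest under "item", requests carry "header", "url" and "auth", collection-level "variable" and environment-level "values" are key/value lists); the token regexes are illustrative rather than an exhaustive secret scanner, and SAMPLE_COLLECTION is constructed for the demo.

```python
# Audit a Postman collection/environment export for hard-coded secrets before
# sharing it. Added example (not project code); assumes the Collection v2.1 layout.
import json
import re
import sys

# Key names (headers, query params, variables) that normally carry credentials.
SENSITIVE_KEYS = re.compile(r"authorization|api[-_]?key|token|secret|password|passwd", re.I)
# Parameter names inside an "auth" block whose values are the credential itself.
AUTH_SECRET_KEYS = frozenset({"token", "password", "value", "secret", "accesstoken",
                              "clientsecret", "consumersecret", "tokensecret"})
# Publicly documented token shapes; illustrative, not exhaustive.
SECRET_VALUE_PATTERNS = [
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("jwt", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
]
# {{var}} references are resolved at run time, so they are not literal secrets.
VARIABLE_REF = re.compile(r"\{\{[^}]+\}\}")


def redact(value):
    """Keep only the first and last two characters so findings are safe to log."""
    return value if len(value) <= 6 else f"{value[:2]}...{value[-2:]}"


def classify(key, value, secret_keys=frozenset()):
    """Return why (key, value) looks like a literal secret, or None if it does not."""
    if not isinstance(value, str):
        return None
    literal = VARIABLE_REF.sub("", value).strip()
    if not literal or literal.lower() in ("bearer", "basic"):
        return None                         # e.g. "Bearer {{accessToken}}" is fine
    for name, pattern in SECRET_VALUE_PATTERNS:
        if pattern.search(value):
            return name
    k = (key or "").lower()
    if k in secret_keys or SENSITIVE_KEYS.search(k):
        return "sensitive_key"
    return None


def _check_pairs(pairs, path, location, findings, secret_keys=frozenset()):
    for pair in pairs or []:
        if pair.get("disabled") or pair.get("enabled") is False:
            continue                        # disabled entries are not sent or exported as live
        reason = classify(pair.get("key"), pair.get("value"), secret_keys)
        if reason:
            findings.append({"path": path, "location": location, "key": pair.get("key"),
                             "reason": reason, "value": redact(pair["value"])})


def _check_auth(auth, path, findings):
    # Postman stores auth parameters as a key/value list under auth[auth["type"]].
    if not auth or auth.get("type") in (None, "noauth"):
        return
    kind = auth["type"]
    _check_pairs(auth.get(kind), path, f"auth.{kind}", findings, AUTH_SECRET_KEYS)


def _walk(items, path, findings):
    for item in items or []:
        name = f"{path}/{item.get('name', '?')}"
        if "item" in item:                  # a folder: recurse into it
            _walk(item["item"], name, findings)
            continue
        req = item.get("request") or {}
        _check_pairs(req.get("header"), name, "header", findings)
        _check_auth(req.get("auth"), name, findings)
        url = req.get("url")
        if isinstance(url, dict):
            _check_pairs(url.get("query"), name, "url.query", findings)


def audit_collection(collection):
    """Return findings for literal secrets in a collection export (parsed JSON dict)."""
    findings = []
    _check_pairs(collection.get("variable"), "<collection>", "variable", findings)
    _check_auth(collection.get("auth"), "<collection>", findings)
    _walk(collection.get("item"), "", findings)
    return findings


def audit_environment(environment):
    """Return findings for literal secrets in an environment export (parsed JSON dict)."""
    findings = []
    _check_pairs(environment.get("values"), "<environment>", "values", findings)
    return findings


# Constructed sample export (not a real workspace): mixes safe {{variable}}
# references with literal credentials that must not reach a public workspace.
SAMPLE_COLLECTION = {
    "info": {"name": "Payments API (constructed)"},
    "variable": [{"key": "baseUrl", "value": "https://api.example.test"},
                 {"key": "github_token", "value": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE1234"}],
    "item": [
        {"name": "Users", "item": [
            {"name": "List users", "request": {"method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer {{accessToken}}"}],
                "url": {"raw": "{{baseUrl}}/users"}}},
            {"name": "Legacy export", "request": {"method": "GET",
                "header": [{"key": "X-Api-Key", "value": "sk_test_51EXAMPLEKEY000000"}],
                "url": {"raw": "{{baseUrl}}/export?token=abc123",
                        "query": [{"key": "token", "value": "abc123"}]}}}]},
        {"name": "Login", "request": {"method": "POST",
            "auth": {"type": "basic", "basic": [{"key": "username", "value": "admin"},
                                                {"key": "password", "value": "Winter2024!"}]},
            "url": {"raw": "{{baseUrl}}/login"}}},
    ],
}

if __name__ == "__main__":
    # Pass the path of an exported collection or environment JSON, or run
    # without arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_COLLECTION
    audit = audit_environment if "values" in data else audit_collection
    for f in audit(data):
        print(f"{f['path']} [{f['location']}] {f['key']}={f['value']} ({f['reason']})")
```

Run it against the JSON files produced by Postman's Export function before flipping a workspace to public; a clean result means the export holds only `{{variable}}` references, while any finding points at a request or variable whose literal value needs to move into a vault-backed or local-only environment. Values are redacted in the output so the audit log itself does not become another copy of the secret.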

Potential Impact:

Hard-coded (testing) credentials and other sensitive data can often be used by bad actors for further exploitation or infiltration into your network. An example would be a hard-coded GitHub API key that provides access to private GitHub repositories.

References:

https://trufflesecurity.com/blog/postman-carries-lots-of-secrets
https://learning.postman.com/docs/collaborating-in-postman/public-api-network/sharing-your-workspace/
https://learning.postman.com/docs/collaborating-in-postman/using-workspaces/managing-workspaces/