During one of our engagments, we observed a significant number of secrets being committed to Postman workspaces by the company's developers. Finding secrets through Postman collections is not new (see references), although when we looked into this deeper ourselves, we were surprised to see the amount of loot there was, even for many mature organizations.
Upon this realization, we noticed that existing tooling around Postman reconaissance was not catching most of the important results we were discovering, and lacked certain capabilities. These capabilities that we subsequently integrated into Porch Pirate enabled us to gain privileged access to production environments for several large retailers and internet service providers.
They also enabled us to discover a zero-day vulnerability in medical software after identifying sensitive "undocumented" API endpoints that were vulnerable to critical server-side vulnerabilties. Just a few of the organizations we discovered secrets for include: Walmart, Tesla, Walgreens, Nordstrom, Honda, Toyota, Coca-Cola, Comcast, Verizon, and many more.
According to Snyk, a secret is any piece of sensitive information that must be kept confidential and secure. This includes passwords, API keys, cryptographic keys, tokens, or other credentials used for authentication or authorization. Secrets may also include other types of sensitive data, such as financial or medical records, personally identifiable information (PII), or intellectual property.
Secrets need to be protected from unauthorized access or disclosure since they could be used to gain access to data or systems, or to impersonate a user or service.
Porch Pirate started as a tool to quickly uncover secrets published to Postman, and has slowly begun to evolve into a multi-purpose reconaissance framework for the platform. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were "secret-agnostic", and had enough flexibility to capture false-positives that still provided offensive value. Developed in house by MCG consultants Dominik Penner and Jake Bolam.
For the sake of clarity, we'll expand briefly on some Postman terminology. Postman operates with a heirarchy of "Entities" that can roughly be visualized with this list from top-down:
To better understand the prevalence of developer-error in Postman workspaces, we first identified where exactly these "secrets" or "loot" were being leaked within workspaces. While environment globals are a common place secrets leak (and a good indicator that more secrets are leaking in a workspace), they are far from the only attack surface worth exploring. Other threat vectors include:
Porch Pirate audits Postman entities from a top-down level for all of these issues, beginning at the provided entity-type. For example, providing Porch Pirate with a workspace will query all of the contents within that workspace. Each of the parent and child entities require auditing and relationalizing to ensure appropriate coverage of information leakage.
A fascinating detail we highlighted was that in many cases where secrets were "scrubbed" in one place, they were being leaked in another. We assume this is because developers got lazy and, while they were working within an individual request, ended up hardcoding tokens which stayed there. This appears to happen particularly frequently at large organizations who have vast development teams who collaborate, apparently on Postman.
Like with most OSINT, the results you get will only ever be as good as the keywords you use. Postman's search isn't actually very good - at least not for our purposes today. It can be difficult to find certain results at times, due to the ambiguous nature of Postman's backend search functionality that we won't get into in this blog. We built Porch Pirate with this in mind, and write this blog to enable easier hunting for other hackers. Porch Pirate can be installed from here.
There are various workflows that are successful with Porch Pirate. For this scenario, we'll assume you know the domain or organization you're hunting for. Our example will be "Coca Cola". Knowing this, we can use Porch Pirate to search for either "Coca Cola" as an organization, or simply their domain.
porch-pirate -s "coca-cola.com"
In the screenshot above, we can see several results with various properties. What immediately stands out, is the result with the coca-cola domain in the name. It's possible that the other search results have interesting information as well, but we'll start here.
We can see that this result is a request entity, that is located in the abd6bded-ac31-4dd5-87d6-aa4a399071b8 workspace. Let's use porch pirate to query this workspace. This command will display all of the request information from all of the collections within the provided workspace, highlighting potentially useful results.
porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump
In the above example, we see sensitive results including access tokens, session uuids, and an interesting referer and URL. In the second image, we see the efficacy of auditing pre-request scripts within individual requests. There are more results to show, but for brevity we'll skip to the next example. We found it extremely useful to be able to extract all of the URLs in either a collection or workspace. In the following example, we'll do that with a workspace we found related to Honda.
porch-pirate -w 3077ae41-efba-4a8b-8785-8821c8e584f8 --urls
Porch Pirate can be used to dump individual workspaces, or dump all relevant entities tied to specified search results. Usually, Postman's search will match requests, therefore it's critical to search the parent workspaces of the requests discovered, which we decided to implement as default behaviour. When doing a mass dump, if we know that the current workspace won't be interesting based on certain results that are appearing, we can press Ctrl-C to skip to the next workspace. The following commands can be used to perform mass operations:
porch-pirate -s payments --globals
porch-pirate -s payments --dump
porch-pirate -s payments --urls
For the next example, another useful technique is to query the global variables for all of the workspaces related to our provided search term. Being a Canadian organization, some of the first issues we disclosed were to Canadian Internet Service Providers. Here we will query all global environment variables related to the search term "bell.ca".
porch-pirate -s bell.ca --globals
This use case works extremely well when you want to quickly find a lot of sensitive results. For example, if you search "shopify", or "payments" with the globals flag applied, you'll see a lot of workspaces leaking payment keys in their workspaces. It's worth noting, this is only the tip of the iceberg. Most people know better than to commit environment variables to the globals, but not better than to omit them from individual requests or pre-request scripts.
When developing Porch Pirate, we wanted to make it really easy to navigate through everything displayed in the terminal, firstly for ease-of-use, but also to make reproduction steps for organizations very easy during the remediation process. For example, each result Porch Pirate returns can be further investigated with additional commands.
The following command can be used to view information relevant to the user or team with the handle "okta-eng", which is an Okta Engineering team. This command will return information such as:
porch-pirate -u okta-eng
We can also query individual users in order to see more about the entities they are exposing publicly.
porch-pirate -u restless-shuttle-4292
The following command can be used to query individual workspaces. One of the more subtle but powerful capabilities of Porch Pirate, is that it automatically will enumerate configured environments, whether they're active or not. As you'll see in this example, there are several environments defined in this workspace that are all leaking passwords.
porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06
Additionally, we can use the --collections command to collect more information around the collections in the workspace.
porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06 --collections
Most of the juicy information that you'll find will be coming from requests, therefore it's important to be able to query these results individually. In the --dump and search view, we're provided with request IDs, which we can feed to Porch Pirate to view their contents.
porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38
In the above example, we see some Walmart keys leaking. You might be thinking, this information is really useful, but building this request will be such a pain... and you're right. Which is why we added the --curl option, which will automatically build requests based on various configurations. The output of this command can be copied and pasted to mimic the request.
porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl
While this blog won't cover all of Porch Pirate's commands, there are a couple more important ones that can maximize results or help with troubleshooting or debugging. For a full list of commands, please refer to the GitHub repository. Porch Pirate is a work in progress, therefore there may be results that the client isn't showing you that you'd like to see. In this case, you can pass the --raw flag with any of the commands you use with Porch Pirate. Additionally, the --proxy command can be used to send Porch Pirate HTTP traffic to an HTTP proxy of your choice, such as Burp Suite. In the following example, we'll extract a workspace's raw JSON over a proxy connection, and then format that output with jq.
porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06 --raw --proxy 127.0.0.1:8080 | jq
In this blog, we've demonstrated and hopefully brought awareness to the prevalence and extreme risks of leaking secrets on Postman. There are simply so many secrets that are leaking, that there is not enough time in the world for one individual or entity to report them all. With that in mind, we do hope that Porch Pirate will be used primarily by responsible parties who share the same mission to make the world a safer place.
Porch Pirate is a work in progress, and we do have plans to bring more flexibility to it. If you have feature requests, feel free to file a feature request issue in the GitHub repository. There are a few that are currently in the works, such as workspace / collection export, HTML reporting, among others. We're pleased to mention that this post serves as an introduction to some deeper research we have been performing on the Postman platform.
I'd like to extend a special thanks to a few individuals with diverse experiences, who were kind enough to be willing to take the time out of their own busy schedules to offer feedback on both this post, and the tool itself. The community support has helped contribute to Porch Pirate's overall quality, and we intend to improve it further with additional feedback upon release.