Mand Consulting Group

!-- Include PrismJS JavaScript -->

Plundering Postman with Porch Pirate

by zer0pwn - Nov 2023



During one of our engagments, we observed a significant number of secrets being committed to Postman workspaces by the company's developers. Finding secrets through Postman collections is not new (see references), although when we looked into this deeper ourselves, we were surprised to see the amount of loot there was, even for many mature organizations.

Upon this realization, we noticed that existing tooling around Postman reconaissance was not catching most of the important results we were discovering, and lacked certain capabilities. These capabilities that we subsequently integrated into Porch Pirate enabled us to gain privileged access to production environments for several large retailers and internet service providers.

They also enabled us to discover a zero-day vulnerability in medical software after identifying sensitive "undocumented" API endpoints that were vulnerable to critical server-side vulnerabilties. Just a few of the organizations we discovered secrets for include: Walmart, Tesla, Walgreens, Nordstrom, Honda, Toyota, Coca-Cola, Comcast, Verizon, and many more.

What are secrets?

According to Snyk, a secret is any piece of sensitive information that must be kept confidential and secure. This includes passwords, API keys, cryptographic keys, tokens, or other credentials used for authentication or authorization. Secrets may also include other types of sensitive data, such as financial or medical records, personally identifiable information (PII), or intellectual property.

Secrets need to be protected from unauthorized access or disclosure since they could be used to gain access to data or systems, or to impersonate a user or service.

What is Porch Pirate?

Porch Pirate started as a tool to quickly uncover secrets published to Postman, and has slowly begun to evolve into a multi-purpose reconaissance framework for the platform. While existing tools are great proof of concepts, they only attempt to identify very specific keywords as "secrets", and in very limited locations, with no consideration to recon beyond secrets. We realized we required capabilities that were "secret-agnostic", and had enough flexibility to capture false-positives that still provided offensive value. Developed in house by MCG consultants Dominik Penner and Jake Bolam.

Use Cases

  • Bug Bounty: Extract secrets, endpoints and other previously undiscovered attack surface from public Postman entities.
  • Penetration Testing: Use Porch Pirate to yield unique results during engagments with access to leaking proprietary data.
  • Threat Hunting: Discover and audit C2 or other malicious API workspaces used by attackers.
  • Generic OSINT: Quickly discover leaking API keys for platforms such as Shodan, Shopify, and others.
  • CI/CD Auditing: Ensure your organization is taking appropriate measures during development processes and collaboration by monitoring workspaces and collections.
  • Social Engineering: Analyze an organization/team's development practices, naming conventions, or other details to craft powerful social engineering campaigns.

Terminology Breakdown

For the sake of clarity, we'll expand briefly on some Postman terminology. Postman operates with a heirarchy of "Entities" that can roughly be visualized with this list from top-down:

  • Team
  • User
  • Workspace
  • Collection
  • Request

Understanding the problem

To better understand the prevalence of developer-error in Postman workspaces, we first identified where exactly these "secrets" or "loot" were being leaked within workspaces. While environment globals are a common place secrets leak (and a good indicator that more secrets are leaking in a workspace), they are far from the only attack surface worth exploring. Other threat vectors include:

  • Secrets / identifiers defined in Globals
  • Secrets / identifiers defined in inactive environments
  • Secrets embedded in URL paths
  • Cookies / sessions in headers
  • Authorization tokens in headers
  • Other unique identifiers in headers
  • Hidden / undocumented API endpoints
  • Hidden / undocumented API methods
  • Secrets / identifiers in POST data
  • Secrets / identifiers in pre-request scripts
  • Sensitive information in comments or changelogs
  • Sensitive information in Tests

How it works

Porch Pirate audits Postman entities from a top-down level for all of these issues, beginning at the provided entity-type. For example, providing Porch Pirate with a workspace will query all of the contents within that workspace. Each of the parent and child entities require auditing and relationalizing to ensure appropriate coverage of information leakage.

A fascinating detail we highlighted was that in many cases where secrets were "scrubbed" in one place, they were being leaked in another. We assume this is because developers got lazy and, while they were working within an individual request, ended up hardcoding tokens which stayed there. This appears to happen particularly frequently at large organizations who have vast development teams who collaborate, apparently on Postman.


  • Easily navigate Postman workspaces, collections and teams
  • Uncover secrets and identifiers within collections, workspaces, teams, requests, pre-request scripts, variables, tests, authorization tabs, and others.
  • Scrape and identify commonly misconfigured attack surface based on specific search terms
  • Convert requests into curl cli format with --curl for quick testing
  • List a team, workspace's users and identify those user's other potentially leaking entities
  • Extract URLs, request data, or other specified indices to narrow-down discoveries or pipe into additional tooling
  • Analyze a workspace or collection's commit history
  • Evaluate all active and inactive environments and extract their environment variables
  • Filter search results based on entity types
  • Evaluate a workspace or collection's comments for secrets or identifiers
  • Return raw JSON for any of Porch Pirate's requests with the --raw command

Using Porch Pirate

Like with most OSINT, the results you get will only ever be as good as the keywords you use. Postman's search isn't actually very good - at least not for our purposes today. It can be difficult to find certain results at times, due to the ambiguous nature of Postman's backend search functionality that we won't get into in this blog. We built Porch Pirate with this in mind, and write this blog to enable easier hunting for other hackers. Porch Pirate can be installed from here.

Searching for results

There are various workflows that are successful with Porch Pirate. For this scenario, we'll assume you know the domain or organization you're hunting for. Our example will be "Coca Cola". Knowing this, we can use Porch Pirate to search for either "Coca Cola" as an organization, or simply their domain.

porch-pirate -s ""


Dumping Workspaces

In the screenshot above, we can see several results with various properties. What immediately stands out, is the result with the coca-cola domain in the name. It's possible that the other search results have interesting information as well, but we'll start here.

We can see that this result is a request entity, that is located in the abd6bded-ac31-4dd5-87d6-aa4a399071b8 workspace. Let's use porch pirate to query this workspace. This command will display all of the request information from all of the collections within the provided workspace, highlighting potentially useful results.

porch-pirate -w abd6bded-ac31-4dd5-87d6-aa4a399071b8 --dump



Extracting Endpoints

In the above example, we see sensitive results including access tokens, session uuids, and an interesting referer and URL. In the second image, we see the efficacy of auditing pre-request scripts within individual requests. There are more results to show, but for brevity we'll skip to the next example. We found it extremely useful to be able to extract all of the URLs in either a collection or workspace. In the following example, we'll do that with a workspace we found related to Honda.

porch-pirate -w 3077ae41-efba-4a8b-8785-8821c8e584f8 --urls

Mass Operations

Porch Pirate can be used to dump individual workspaces, or dump all relevant entities tied to specified search results. Usually, Postman's search will match requests, therefore it's critical to search the parent workspaces of the requests discovered, which we decided to implement as default behaviour. When doing a mass dump, if we know that the current workspace won't be interesting based on certain results that are appearing, we can press Ctrl-C to skip to the next workspace. The following commands can be used to perform mass operations:

porch-pirate -s payments --globals

porch-pirate -s payments --dump

porch-pirate -s payments --urls

Dumping Environment Variables

For the next example, another useful technique is to query the global variables for all of the workspaces related to our provided search term. Being a Canadian organization, some of the first issues we disclosed were to Canadian Internet Service Providers. Here we will query all global environment variables related to the search term "".

porch-pirate -s --globals


This use case works extremely well when you want to quickly find a lot of sensitive results. For example, if you search "shopify", or "payments" with the globals flag applied, you'll see a lot of workspaces leaking payment keys in their workspaces. It's worth noting, this is only the tip of the iceberg. Most people know better than to commit environment variables to the globals, but not better than to omit them from individual requests or pre-request scripts.

Querying Individual Entities

When developing Porch Pirate, we wanted to make it really easy to navigate through everything displayed in the terminal, firstly for ease-of-use, but also to make reproduction steps for organizations very easy during the remediation process. For example, each result Porch Pirate returns can be further investigated with additional commands.

Querying Users and Teams

The following command can be used to view information relevant to the user or team with the handle "okta-eng", which is an Okta Engineering team. This command will return information such as:

  • Team name
  • Team ID
  • Collections
  • Workspaces
  • Members

porch-pirate -u okta-eng


We can also query individual users in order to see more about the entities they are exposing publicly.

porch-pirate -u restless-shuttle-4292


Querying Workspaces

The following command can be used to query individual workspaces. One of the more subtle but powerful capabilities of Porch Pirate, is that it automatically will enumerate configured environments, whether they're active or not. As you'll see in this example, there are several environments defined in this workspace that are all leaking passwords.

porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06


Additionally, we can use the --collections command to collect more information around the collections in the workspace.

porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06 --collections


Querying Requests

Most of the juicy information that you'll find will be coming from requests, therefore it's important to be able to query these results individually. In the --dump and search view, we're provided with request IDs, which we can feed to Porch Pirate to view their contents.

porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38


In the above example, we see some Walmart keys leaking. You might be thinking, this information is really useful, but building this request will be such a pain... and you're right. Which is why we added the --curl option, which will automatically build requests based on various configurations. The output of this command can be copied and pasted to mimic the request.

porch-pirate -r 11055256-b1529390-18d2-4dce-812f-ee4d33bffd38 --curl


Other Useful Commands

While this blog won't cover all of Porch Pirate's commands, there are a couple more important ones that can maximize results or help with troubleshooting or debugging. For a full list of commands, please refer to the GitHub repository. Porch Pirate is a work in progress, therefore there may be results that the client isn't showing you that you'd like to see. In this case, you can pass the --raw flag with any of the commands you use with Porch Pirate. Additionally, the --proxy command can be used to send Porch Pirate HTTP traffic to an HTTP proxy of your choice, such as Burp Suite. In the following example, we'll extract a workspace's raw JSON over a proxy connection, and then format that output with jq.

porch-pirate -w 83223d94-6136-46fc-8341-b4893445fe06 --raw --proxy | jq


What's next?

In this blog, we've demonstrated and hopefully brought awareness to the prevalence and extreme risks of leaking secrets on Postman. There are simply so many secrets that are leaking, that there is not enough time in the world for one individual or entity to report them all. With that in mind, we do hope that Porch Pirate will be used primarily by responsible parties who share the same mission to make the world a safer place.

Porch Pirate is a work in progress, and we do have plans to bring more flexibility to it. If you have feature requests, feel free to file a feature request issue in the GitHub repository. There are a few that are currently in the works, such as workspace / collection export, HTML reporting, among others. We're pleased to mention that this post serves as an introduction to some deeper research we have been performing on the Postman platform.

Special Thanks

I'd like to extend a special thanks to a few individuals with diverse experiences, who were kind enough to be willing to take the time out of their own busy schedules to offer feedback on both this post, and the tool itself. The community support has helped contribute to Porch Pirate's overall quality, and we intend to improve it further with additional feedback upon release.


Contact Form Demo (#5)