4/29/2023 0 Comments Insomnia api toolSelect the first drop down to the right and click ‘POST. Let’s start by right clicking the left column and selecting ‘New Request’. What do we do in order to build a POST request? For this next example, we are calling out our API to create some content on the site. You can click and drag your API requests to folders as you create them on the main Insomnia screen. In this example, we can right click the very left column and select ‘New Folder’. With this, we may want to setup a folder for easy visual identification. For example, we can append /3 to request data attached to ID #3. This will provide a drop down that allows you to see what errors you might be receiving, such as authentication errors or misspellings in the URL.Īs an owner of the application, we may know that multiple methods or additions can be added to our API to get specific data. If you did not receive a response, click the timestamp in the upper right corner. Afterwards, click the ‘Create’ link.Įnter the URL into the space next to the HTTP method (GET in this case).Īfter clicking the ‘Send’ button, you should be able to see the response in the ‘Preview’ window. Give the API request a name and select the HTTP Method associated with it (most often a GET, POST, PUT, or DELETE). In this example, we want to call the ToDo list within our API. We can start to add APIs to this workspace by clicking the ‘New Request’ button in the right column or by right-clicking the left column and clicking ‘New Request’. For the purposes of this blog post, we are going to use the default workspace that Insomnia generates. This workspace will contain every method that can be called within an API endpoint (creating, modifying, and deleting data would count as three methods in this example). When you open Insomnia, you are dropped into a new blank ‘workspace’. There may be a welcome screen but feel free to close it, as all steps listed in this blog will bypass the welcome screen. If you want to try curl out in your own environment, use as a practice API server.Īfter installing the Insomnia client for your operating system, start it up. We are going to go through some of the basic components and build a simple curl request for three REST API actions – one to fetch a ‘to do’ list, one to post a comment, and finally one to delete a comment. There are many more features within Insomnia if you want to dig into the documentation, but this will be what you need to get off the ground. These instructions are the bare minimum sets of data in order to provide test data for a pentest. If you already use Insomnia within your environment and want to provide the data for pentesting, please scroll down to the ‘Exporting Insomnia Workspaces’ section. How to Use Insomnia To Create Data for Pentesting Oftentimes Insomnia does not need to be used again after performing the initial API call. From there, pentesters use the Intercepting Proxy to perform various active and manual testing by interacting with the API directly. Using pre-built test data will greatly speed up the pentesting timeframe, often lowers the pentest project cost, and provides higher pentest report quality. Very simply, Insomnia is used to proxy pre-built and known good API calls into various Intercepting Proxy tools (such as Burp or OWASP ZAP). It is often selected due to its free and open source nature. It supports REST APIs, along with importing Curl and Swagger files. About InsomniaĪccording to their website, Insomnia (and more specifically Insomnia Core) is a free “cross-platform desktop application that takes the pain out of interacting with HTTP-based APIs.” Developers can use Insomnia to share ‘workspaces’ of API calls to perform QA testing of their application. In this post, we will focus on using the Insomnia program to provide data. As such, pentesters should ask for test data and the ability to access the API for security testing. It may not be possible to provide a URL to a pentester and say test everything underneath this. However, an API may not be as straightforward to test as a web application. Similar to web applications, web APIs (Application Programming Interfaces) should undergo security testing to determine whether or not any vulnerabilities exist. Check back in the near future for additional content. This is one part of a series of posts on how to prepare your API for a pentest.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |