Find & fix security issues in your GraphQL API with Postman
Improve the security of your GraphQL API with Escape and Postman
Are you tired of dealing with pesky API vulnerabilities? Want to take your GraphQL game to the next level? Introducing the perfect combo for GraphQL success - Escape and Postman.
Escape is a tool that helps developers automatically and continuously test their GraphQL API to discover vulnerabilities and suggest ways to fix them. Postman is a widely used software for designing, testing, and maintaining APIs, with solid support for GraphQL. With the integration between the two, it's easier than ever to find and fix security issues in your GraphQL API.
Our new Postman integration:
The need
Escape is designed specifically to help developers find and fix vulnerabilities in their GraphQL API. It provides detailed information on the issue and suggests ways to fix it. However, it can be difficult for developers to apply those fixes quickly.
The solution
That's where the integration with Postman comes in. It allows developers to import vulnerable queries into Postman and reproduce them there, so they are easier and quicker to fix.
No need to run a full security scan to check if your patch is working; send the query on the go and see results instantly!
How to find vulnerabilities and reproduce them in Postman?
- First, run a security test in the Escape app to identify vulnerabilities on your GraphQL API.
- Once it's done, check the scan result. For instance, here is a Stripe secret that our scanner has found in an API:
- You can now export the results to Postman collection format, which will download a .json file.
- Then, import the collection into Postman.
- Once the collection is imported into Postman, it is organized into a clear directory structure, making it easy for developers to find and fix any issues.
- You can now use Postman to reproduce the vulnerable queries and find the root cause of the issue, then explore the query response to find what caused the issue and discover how to fix it.
- You can also check the integrated documentation to find out what security alert our scanner has detected:
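As an added example (not Escape's own export code; its field layout is not shown on this page), the following Python builds a Postman Collection v2.1 file of the kind described above from a constructed finding: one folder per alert category, one GraphQL request per finding, and a Postman test script that fails while the response still contains the leaked value, so re-running the collection checks whether a patch worked. The FINDINGS field names, the endpoint and the Stripe-style key pattern are assumptions.

```python
"""Build a Postman Collection v2.1 from GraphQL findings (constructed example)."""
import json
import re

# Constructed sample finding; field names are assumptions, not Escape's export format.
FINDINGS = [{
    "category": "Secret leak",
    "title": "Stripe-style key in paymentConfig",
    "query": "query { paymentConfig { apiKey } }",
    "variables": {},
    "leak_pattern": r"sk_(live|test)_[0-9A-Za-z]+",
}]

def make_request(finding, endpoint):
    """One GraphQL request plus a Postman test that fails while the leak persists."""
    test_lines = [  # Postman test script (JavaScript), run after the response arrives
        "const body = pm.response.text();",
        f"pm.test('{finding['title']}: no leaked value', function () {{",
        f"  pm.expect(body).to.not.match(/{finding['leak_pattern']}/);",
        "});",
    ]
    return {
        "name": finding["title"],
        "event": [{"listen": "test", "script": {"type": "text/javascript", "exec": test_lines}}],
        "request": {
            "method": "POST",
            "header": [{"key": "Content-Type", "value": "application/json"}],
            "url": {"raw": endpoint},
            # Postman's "graphql" body mode stores query and variables as strings
            "body": {"mode": "graphql", "graphql": {"query": finding["query"],
                                                    "variables": json.dumps(finding["variables"])}},
        },
    }

def build_collection(findings, endpoint, name="Escape findings"):
    """Group requests into one folder per alert category (the collection's directory structure)."""
    folders = {}
    for f in findings:
        folders.setdefault(f["category"], []).append(make_request(f, endpoint))
    return {
        "info": {"name": name,
                 "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
        "item": [{"name": cat, "item": reqs} for cat, reqs in folders.items()],
    }

def response_still_leaks(finding, response_text):
    """Same check as the Postman test, runnable offline against a captured response."""
    return re.search(finding["leak_pattern"], response_text) is not None

if __name__ == "__main__":  # write the file that Postman's Import dialog accepts
    print(json.dumps(build_collection(FINDINGS, "https://api.example.test/graphql"), indent=2))
```

Import the printed JSON into Postman; the folder and request names match the finding, and the test tab turns green only once the patched API stops returning a key that matches the pattern.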
Why Postman?
We chose to integrate with Postman for several reasons:
- It is a widely adopted tool among API development teams.
- It allows us to export all vulnerable queries in one single file with a clear directory structure using the Postman Collection specification.
- It is easy to use: sending requests and viewing responses takes only a few clicks.
- It has advanced features like sharing collections and including tests in your existing Postman setup.
- Other major API clients, such as Insomnia, also support the Postman Collection format.
Try it out:
New to GraphQL and Postman?
Check out our previous article, "Getting started with Postman for GraphQL", to learn how to leverage Postman to build your GraphQL API.