Here is a quick and easy tip on how to get the two most useful API hacking tools to work together: Postman and Burp Suite.
Suppose you have a list of API endpoints stored in a collection in Postman. Each of these endpoints has an http method, a URL, a list of request headers and maybe a request body. Now what if you want to use one of these endpoints in Burp Suite?
To move the full request into Burp Suite, taking along the method, URL, headers and body, you can use Postman’s proxy feature.
Check Burp Suite’s proxy settings
First make sure you have the right proxy settings. Start Burp Suite. In the Proxy tab, select the Proxy Settings sub-tab. The following panel will show up:
In the Proxy listeners box, you have the parameters to which Burp’s proxy listener is set. If you haven’t modified the default values, they should be similar to those in the screenshot above.
Also make sure the Running box is checked.
Now go back to the Intercept sub-tab under the Proxy tab and turn intercept on.
Set Postman’s proxy output
Back in Postman, click on the cog wheel icon at the top right of the interface and choose Settings.
In the Settings panel, go to Proxy , then tick the Add a custom proxy configuration box and enter the server and port values you noted in Burp Suite.
Note that in the example above, I have ticked the HTTP proxy type only. This is because I’m using the vAPI vulnerable app for this demonstration, that uses HTTP. In a real life scenario where you’re testing a production app that is likely using HTTPS, make sure you tick that proxy type also, otherwise HTTPS requests won’t be proxied.
Now close the box.
Select one of the endpoints from you collection, set the values you want for the request headers and fill in the request body you want to include.
Once you are done, click the Send button.
Burp Suite will intercept the request. You can now modify the request and send it through, or move it to Intruder or Repeater to play with it further.
To disconnect Postman from Burp’s proxy listener, just go back to Postman’s proxy settings and uncheck the Add a custom proxy configuration box.
That’s really all there is to it. Enjoy!