blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0
4.45k stars 398 forks

Idea: Postman Workspace Spider #898

Closed domwhewell-sage closed 8 months ago

domwhewell-sage commented 9 months ago

Description

I have seen a few OSINT reports of late with secrets obtained via public Postman workspaces. Many organizations with APIs may use Postman, and signing up for a free account saves all the user's workspaces online. There is a privacy toggle in Postman but I believe by default this is disabled. It may be a good place to look for secrets.

An organization can be determined from the DNS_NAME event, pop this organization into a GET request https://www.postman.com/search?q=$organization&scope=all&type=workspace and spider all the returned workspaces.

It could be a source of email addresses and secrets.

Here is a link to a Medium article on the subject: https://medium.com/@utkarshporwal24/exposed-postman-collections-ed6086b96ba5
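Seen from the workspace owner's side, the exposure described in this post can be checked before a collection is shared. The following is an added example, not part of the original issue or of BBOT: it audits a Postman Collection v2.1 export for sensitive-looking fields that hold literal values instead of `{{variable}}` references. The key-name patterns and the sample collection are assumptions constructed for illustration.

```python
import re

# Heuristic key names (assumptions; tune them for your own collections).
SENSITIVE_KEY = re.compile(r"authorization|api[-_]?key|token|secret|passw", re.I)
AUTH_PARAM = re.compile(r"^(token|password|value|accessToken|clientSecret)$")

SAMPLE = {  # constructed Postman Collection v2.1 export, no real values
    "variable": [{"key": "api_key", "value": "CONSTRUCTED-KEY"}],
    "item": [
        {"name": "Users", "item": [{"name": "List", "request": {
            "header": [{"key": "Authorization", "value": "Bearer {{token}}"}],
            "url": {"raw": "{{base_url}}/users?token=CONSTRUCTED",
                    "query": [{"key": "token", "value": "CONSTRUCTED"}]}}}]},
        {"name": "Login", "request": {"url": "{{base_url}}/login", "auth": {
            "type": "basic", "basic": [{"key": "password", "value": "CONSTRUCTED-PW"}]}}},
    ],
}

def is_literal(value):
    # A value that references a {{variable}} is resolved at send time, not stored inline.
    return isinstance(value, str) and value.strip() != "" and "{{" not in value

def audit_collection(collection):
    """Return (location, key) pairs where a sensitive-looking field holds a literal."""
    findings = []
    def check(pairs, pattern, where):
        for p in pairs or []:
            key = str(p.get("key", ""))
            if pattern.search(key) and is_literal(p.get("value")):
                findings.append((where, key))
    def check_auth(auth, where):
        # v2.1 keeps auth parameters in a list stored under the auth type's name.
        if isinstance(auth, dict):
            kind = auth.get("type", "")
            check(auth.get(kind), AUTH_PARAM, f"{where} [auth:{kind}]")
    def walk(items, path):
        for it in items or []:
            where = f"{path}/{it.get('name', '?')}"
            walk(it.get("item"), where)        # folders nest further items
            req = it.get("request")
            if isinstance(req, dict):          # a request may also be a bare URL string
                check(req.get("header"), SENSITIVE_KEY, f"{where} [header]")
                check_auth(req.get("auth"), where)
                if isinstance(req.get("url"), dict):
                    check(req["url"].get("query"), SENSITIVE_KEY, f"{where} [query]")
    check(collection.get("variable"), SENSITIVE_KEY, "collection [variable]")
    check_auth(collection.get("auth"), "collection")
    walk(collection.get("item"), "")
    return findings
```

To audit a real export, pass the result of `json.load()` on the exported file to `audit_collection`; request bodies and scripts are not inspected here.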

TheTechromancer commented 9 months ago

I 100% support this idea. This relates back to your suggestion about trufflehog because ideally we want to have a single module responsible for extracting secrets/goodies from text, which would consume data from multiple other modules like httpx, github, and postman. This would simplify this module since all it would need to do is retrieve the data itself.

domwhewell-sage commented 9 months ago

Yeah, my thinking with this one is it could be exactly like the current github.py module but tailored to look at Postman workspaces and produce URL_UNVERIFIED events that could be consumed later down the chain.

Again, we would need some way to verify that the discovered Postman workspace is actually in-scope before it's pillaged. But that shouldn't be too difficult.

TheTechromancer commented 8 months ago

Migrating to discussion.