Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets static code analysis

Unique rules to find Vulnerabilities in your source code and language agnostic config files

All rules 91

Vulnerability91

Filtered: 91 rules found

cwe

Impact

Clean code attribute

Postman tokens should not be disclosed

responsibility - trustworthy

security

Vulnerability

BlockerSonarSource default severity
click to learn more

Postman is an API development and testing platform that allows developers to design, build, and test APIs. Postman tokens are used for authentication and authorization purposes when making API requests.

Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get exposed to an unintended audience.

Why is this an issue?

How can I fix it?

More Info

In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment. Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated services or resources.

The trust issue can be more or less severe depending on the people’s role and entitlement.

What is the potential impact?

If a Postman token is leaked or compromised, it can lead to several security issues and risks. Here are some potential consequences:

Unauthorized access

An attacker who gains access to a leaked token can use it to impersonate the legitimate user or application associated with the token. This can result in unauthorized access to sensitive data or functionality within the API.

Data breaches

If the leaked token provides access to sensitive data, an attacker can use it to retrieve or manipulate that data. This can lead to data breaches that compromise the confidentiality and integrity of the information. Depending on the type of data that is compromised, it could lead to privacy violations, identity theft, financial loss, or other negative outcomes.

In most cases, a company suffering a sensitive data compromise will face a reputational loss when the security issue is publicly disclosed.

API abuse

With a leaked token, an attacker can abuse the API by making unauthorized requests, consuming excessive resources, or performing malicious actions. This can disrupt the API’s regular operation, impact performance, or even cause denial-of-service (DoS) attacks.

Privilege escalation

Depending on the permissions and scope associated with the token, an attacker may be able to escalate their privileges within the API. They can gain access to additional resources or perform actions that they are not authorized to do.

Breach of trust in non-repudiation and disruption of the audit trail

When such a secret is compromised, malicious actors might have the possibility to send malicious event objects, causing discrepancies in the audit trail. This can make it difficult to trace and verify the sequence of events, impacting the ability to investigate and identify unauthorized or fraudulent activity.

All in all, this can lead to problems in proving the validity of transactions or actions performed, potentially leading to disputes and legal complications.

Reputation damage

If a token is leaked and used for malicious purposes, it can damage the reputation of the API provider. Users may lose trust in the security of the API, leading to a loss of business and credibility.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted