20 April, 2020

Getting Started API Penetration Testing with Insomnia

Getting Started API Penetration Testing with Insomnia
Mic Whitehorn
Author: Mic Whitehorn

1. Getting Insomnia

The main website for Insomnia is insomnia.rest, which has downloads for Windows, Mac, and Linux versions of the application. If you want to contribute to the project, or would rather get the source, you can go to their GitHub repo. It’s also available in some package managers and app stores, such as Snapcraft.io. If you’re following along, get and install Insomnia whichever way suits you.

2. Creating your first Request

Before we set up our proxy, we want to have a test request ready to verify that it’s working. Launch Insomnia, and create a new request as seen below.

example 1
To create the request, either press ctrl+n or click the plus with down-arrow example 2 icon on the sidebar and select New Request.

Give the request a name, and click Create.

example 3

And now you need a valid URL. If you have an API that you’re getting ready to test, a simple request to it may do the trick. I’m going to use an unauthenticated public API with a Lorem Ipsum generator for this demonstration.

example 4
Enter the URL for the API endpoint, select the method if necessary, and click Send.
example 5
It should be pretty obvious that it worked if you look in the right-side response pane in Insomnia.

Note that it shows the HTTP response code, response time, and size. In my case, I get a chunk of Lorem Ipsum text.

3. Proxy Insomnia through Burp

I’ll assume you installed Burp Suite already. If not, then it’s available from the PortSwigger website.

Start Burp and either create a Temporary Project if you’re just trying this out, or create one on disk if you’re starting an actual test. Default Settings are fine, unless you have some custom settings you already use.

example 6

In Burp Suite:

  1. Go to the Proxy tab…
  2. …then the Options subtab.
  3. Note the IP and port for your proxy interface – mine is on port 8080
  4. Note that the Running checkbox is checked. If this is unchecked, the default port was probably in use when you started Burp, and you can either edit the listener to change the port, or stop the application that was using it and check the box.

Also, go to the Intercept subtab and turn Intercept Off, unless you already have it off by default.

example 7

Insomnia natively supports proxy configurations, allowing you to simply configure the proxy settings inside of it.  With Insomnia open, browse to the Application -> Preferences dialog.

example 8

This will open a massive modal dialog full of options. The ones you care about are annotated below.

example 9
  1. Put your proxy interface into the HTTP Proxy and HTTPS Proxy text boxes. In my case, you see localhost, corresponding to through my /etc/hosts file. For typical setups, this will work fine. If you have an odd setup where you’re proxying through Burp on a different machine, then the IP and port will work in the form of
  2. Check the box to Enable proxy, so that Insomnia proxies.
  3. You probably want to uncheck Validate certificates. This is the easiest and fastest way to prevent certificate trust issues when HTTPS traffic is proxied and re-signed with the self-signed Burp Certificate Authority (CA) from your Burp instance. If your Burp CA is trusted on your system, you may not require this step.
  4. You may want to think about Disabling JS in the HTML previewer. You normally won’t want or need it for testing web services.

Once these are set, run your request again and see that it completes in Insomnia and shows up in Burp. I usually look under Proxy -> HTTP History.

example 10

If you’re not getting a response, retrace back through the steps again and check that your Proxy Listener is listening, your host and port are correct in both applications, and Intercept is off in Burp.

Once it’s all working together, you can use Insomnia as your clean-state client for API requests. This allows you to take advantage of Repeater and Intruder for tampering and fuzzing in Burp, respectively, along with it’s extensive security-oriented plugin ecosystem.

Further Reading

If you’re coming from Postman and are used to scripting the ability to pick-up bearer tokens and set them to environment variables, you may want to look at Insomnia’s Request Chaining documentation, which is how they currently approach that problem: https://support.insomnia.rest/article/43-chaining-requests

Part 4 of the Better API Penetration Testing with Postman blog series deals with Burp plugins I like for API testing. These are just as applicable with Insomnia.

Join the professionally evil newsletter

Related Resources