TLDR; Use a combination of tools to offset other tools' weaknesses. Insomnia makes switching HTTP proxies easier than Postman does when performing exploratory testing.
In my recent HTTP REST API application testing I have been using a combination of tools:
- Postman for interactive requirement and documentation based testing
- Java and REST Assured for automating the API
- Insomnia REST for more exploratory API testing
In this post I’ll describe, and show, how I do that.
A Basic Process Overview
In Postman I build a collection with my main requests and examples.
When I find a ‘thing’ and need to explore in more detail I move over to Insomnia.
I either export my Postman collection and import it into Insomnia as a Workspace, or I convert a request in Postman to a cURL command using Postman's code generation facility. I can then copy the cURL command from Postman and paste it into the URL bar in Insomnia, which does a really good job of creating the equivalent request in Insomnia.
Insomnia also makes working with API documentation easy: since many API examples are presented as cURL commands, I can copy and paste the examples into Insomnia for experimentation.
Why move to Insomnia?
I use Insomnia because its preferences dialog lets me easily route Insomnia's traffic through an HTTP debug proxy like Burp Suite or OWASP ZAP.
Postman will now route traffic through a system-hook proxy like Charles or Fiddler, but it can be a little more troublesome to feed Postman through a proxy, and it is certainly not as easy to toggle between proxies without exiting the Postman app.
Often when I’m doing exploratory testing I’ll want to use different proxies, e.g. Burp Suite and OWASP ZAP have different filtering abilities and different fuzzers, and I like the option of switching between them without losing testing focus or restarting the app.
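The two steps above (turning Postman requests into cURL commands that can be pasted into Insomnia, and pointing those requests at whichever debug proxy is in use) can also be done from a Postman collection export directly. The script below is an added example, not code from the post or from Postman; it walks a constructed Postman Collection v2.1 export, honours Postman's per-header `disabled` flag, and optionally adds a `--proxy` flag so the request goes through a local Burp Suite or OWASP ZAP listener.

```python
import json
import shlex

# Constructed sample of a Postman Collection v2.1 export (not from the post).
SAMPLE_COLLECTION = json.loads("""
{"info": {"name": "Demo API"},
 "item": [
  {"name": "Auth", "item": [
    {"name": "Login", "request": {
      "method": "POST",
      "header": [{"key": "Content-Type", "value": "application/json"}],
      "url": {"raw": "https://api.example.test/login"},
      "body": {"mode": "raw", "raw": "{\\"user\\": \\"bob\\"}"}}}]},
  {"name": "List items", "request": {
    "method": "GET",
    "header": [{"key": "Accept", "value": "application/json"},
               {"key": "X-Debug", "value": "1", "disabled": true}],
    "url": "https://api.example.test/items?page=1"}}]}
""")

def walk_requests(items, path=()):
    """Yield (path, request) pairs, descending into Postman folders."""
    for item in items:
        name = item.get("name", "")
        if "item" in item:  # a folder: recurse into its children
            yield from walk_requests(item["item"], path + (name,))
        elif "request" in item:
            yield path + (name,), item["request"]

def request_to_curl(req, proxy=None):
    """Render one Postman request as a shell-safe cURL command."""
    # Postman stores the URL either as a plain string or as an object with "raw".
    url = req["url"]["raw"] if isinstance(req["url"], dict) else req["url"]
    parts = ["curl", "-X", req.get("method", "GET").upper()]
    if proxy:  # e.g. http://127.0.0.1:8080 for a local Burp Suite / ZAP listener
        parts += ["--proxy", proxy]
    for h in req.get("header", []):
        if h.get("disabled"):  # Postman keeps unticked headers in the export
            continue
        parts += ["-H", f"{h['key']}: {h['value']}"]
    body = req.get("body") or {}
    if body.get("mode") == "raw" and body.get("raw"):
        parts += ["--data-raw", body["raw"]]
    parts.append(url)
    return " ".join(shlex.quote(p) for p in parts)

def collection_to_curl(collection, proxy=None):
    """Map 'Folder / Request name' to its cURL command for every request."""
    return {" / ".join(path): request_to_curl(req, proxy)
            for path, req in walk_requests(collection.get("item", []))}
```

Each returned command can be pasted into Insomnia's URL bar as described above, or run as-is from a shell with the proxy capturing the traffic.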
I also find the JSON filtering of result payloads in Insomnia quite useful.
Use tools in combination
I use tools in combination.
- Collections in Postman
- Data Driven testing from data files in Postman with the Runner and csv files
- Exporting collections to Insomnia for easier experimentation with requests through a proxy
- Proxy for ‘extreme’ payload manipulation and fuzzing
- Proxy for capturing the traffic and helping me document my testing
I don’t try to find the ‘one true tool’. I try to identify the strengths and weaknesses of each tool, then figure out how I can offset the weaknesses with other tools.
You can see the tools in action in combination in this YouTube video: