Porch Pirate: Mining API Secrets from Postman's Public Workspace Graveyard
Hook
Every time a developer clicks 'Share to Public Workspace' in Postman, they might be exposing production API keys, internal endpoints, and authentication schemes to anyone who knows where to look. Porch Pirate knows exactly where to look.
Context
Postman has become the de facto standard for API development, with over 20 million users storing collections, environment variables, and request configurations in the cloud. The platform encourages collaboration through workspace sharing, but the line between 'shared with my team' and 'shared with the entire internet' is dangerously thin. Developers regularly commit sensitive data—API keys, OAuth tokens, internal URLs, authentication headers—to Postman collections, often forgetting that 'public' means truly public and indexed by Postman's own search API.
The security community has long understood that secrets leak through git repositories, but Postman represents a different attack surface entirely. Unlike GitHub, where tools like GitLeaks and TruffleHog have matured over years, Postman enumeration remained largely manual: security researchers would craft specific API queries, manually traverse workspace hierarchies, and tediously extract potentially sensitive data. Porch Pirate emerged to automate this OSINT workflow, transforming what used to require hours of manual API calls into a streamlined reconnaissance pipeline. It's both a security auditor's asset for finding your own organization's exposure and a red teamer's reconnaissance tool for discovering attack surfaces before exploitation.
Technical Insight
Porch Pirate's architecture leverages a cascading enumeration pattern that mirrors Postman's entity hierarchy. At the foundation, it uses Postman's public search API to discover workspaces based on keywords, email domains, or entity IDs. Each discovered workspace becomes an entry point for deeper enumeration: collections within workspaces, requests within collections, and finally the extraction of URLs, headers, authorization configurations, and variables at each level.
The tool operates in two distinct modes. As a CLI client, you can perform immediate reconnaissance with commands like porch-pirate -s "company.com" to search for all public workspaces associated with a domain. As a Python library, it integrates into custom security automation. Here's a practical example of using Porch Pirate programmatically to enumerate a specific workspace and extract all unique API endpoints:
```python
from porch_pirate import PorchPirate

# Initialize with an optional Postman API key for higher rate limits
pp = PorchPirate(api_key="your_postman_api_key")

# Search for public workspaces by keyword
workspaces = pp.search_workspaces("acme-corp")

all_endpoints = set()
for workspace in workspaces:
    # Get all collections in the workspace
    collections = pp.get_workspace_collections(workspace['id'])
    for collection in collections:
        # Extract requests from each collection
        requests = pp.get_collection_requests(collection['id'])
        for request in requests:
            # Skip requests without a raw URL so 'endpoint' is always defined
            if 'url' not in request or 'raw' not in request['url']:
                continue
            # Extract method and URL
            endpoint = f"{request.get('method', 'GET')} {request['url']['raw']}"
            all_endpoints.add(endpoint)
            # Check for an authorization configuration on the request
            if 'auth' in request:
                print(f"[!] Auth found in {endpoint}: {request['auth'].get('type')}")

# Export for further testing
with open('discovered_endpoints.txt', 'w') as f:
    f.write('\n'.join(sorted(all_endpoints)))
```
What makes Porch Pirate particularly powerful is its 'secrets-agnostic' extraction philosophy. Rather than relying solely on regex patterns for known secret formats (AWS keys, JWT tokens, etc.), it captures the entire context of each request: query parameters, path variables, header configurations, pre-request scripts, and environment variable references. This approach recognizes that OSINT value extends beyond finding a leaked API key—understanding an organization's API architecture, authentication flows, and internal naming conventions provides reconnaissance value even when no traditional 'secret' is present.
The tool also implements practical output transformations that bridge reconnaissance to exploitation. The --curl flag converts extracted Postman requests into ready-to-execute curl commands, while --urls outputs a clean list of endpoints perfect for piping into fuzzing tools like ffuf or Burp Suite's Intruder. This integration mindset transforms Porch Pirate from a simple data dumper into a genuine workflow accelerator.
Under the hood, Porch Pirate handles Postman's API rate limiting through intelligent throttling and optional authenticated requests (using a Postman API key increases rate limits substantially). The codebase uses Python's requests library with session management for connection pooling, and implements recursive data structure traversal to handle Postman's nested collection format—collections can contain folders, which contain more folders, which finally contain requests.
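The two ideas above, secrets-agnostic context capture and recursive traversal of nested folders, are easiest to see on a raw Postman Collection v2.1 export. The following is an added example written for this review, not Porch Pirate's own code: it walks a constructed collection (invented names and values, structure following the v2.1 schema) and records, per request, the method, URL, query keys, headers, auth type, pre-request scripts and which values are hardcoded literals rather than `{{variable}}` references. Run against your own export before a workspace is shared, it answers "what would leak if this went public?"

```python
import json
import re
from typing import Any, Dict, Iterator, List

# Matches Postman variable references such as {{api_key}}
VAR_REF = re.compile(r"\{\{([^{}]+)\}\}")

# Constructed Postman Collection v2.1 export used as sample input (assumption:
# real exports carry more metadata, but folder/request/auth/event placement is as shown).
SAMPLE_COLLECTION = json.loads(r'''
{
  "info": {"name": "acme-billing",
           "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
  "variable": [{"key": "base_url", "value": "https://api.acme.example"}],
  "item": [
    {"name": "Invoices", "item": [
      {"name": "List invoices", "request": {
        "method": "GET",
        "url": {"raw": "{{base_url}}/v1/invoices?limit=50", "query": [{"key": "limit", "value": "50"}]},
        "header": [{"key": "Authorization", "value": "Bearer {{access_token}}"}]}},
      {"name": "Admin", "item": [
        {"name": "Void invoice",
         "request": {
           "method": "POST",
           "url": {"raw": "{{base_url}}/internal/invoices/void"},
           "header": [{"key": "X-Internal-Key", "value": "ik_live_CONSTRUCTED_4f9a0c"}],
           "auth": {"type": "apikey", "apikey": [{"key": "value", "value": "ik_live_CONSTRUCTED_4f9a0c"}]}},
         "event": [{"listen": "prerequest", "script": {"exec": ["pm.environment.set('ts', Date.now());"]}}]}
      ]}
    ]}
  ]
}
''')


def walk_items(items: List[Dict[str, Any]], path: str = "") -> Iterator[Dict[str, Any]]:
    """Depth-first traversal of the collection tree. Folders are items that carry a
    nested 'item' list; leaves carry a 'request'. Each leaf is yielded with its folder path."""
    for item in items:
        here = f"{path}/{item.get('name', '')}" if path else item.get("name", "")
        if "item" in item:
            yield from walk_items(item["item"], here)
        elif "request" in item:
            yield {"path": here, "item": item}


def extract_context(collection: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Capture the whole request context rather than only secret-shaped strings."""
    records = []
    for leaf in walk_items(collection.get("item", [])):
        item, req = leaf["item"], leaf["item"]["request"]
        # Postman stores 'url' either as a plain string or as an object with 'raw'
        url_obj = req.get("url", "")
        url = url_obj if isinstance(url_obj, str) else url_obj.get("raw", "")
        query_keys = [q["key"] for q in url_obj.get("query", [])] if isinstance(url_obj, dict) else []
        headers = {h["key"]: h.get("value", "") for h in req.get("header", []) if not h.get("disabled")}
        scripts = [line for ev in item.get("event", []) if ev.get("listen") == "prerequest"
                   for line in ev.get("script", {}).get("exec", [])]
        # A header value with no {{var}} reference is stored literally in the collection
        hardcoded = sorted(k for k, v in headers.items() if v and not VAR_REF.search(v))
        auth = req.get("auth", {})
        auth_literals = [kv.get("value") for kv in auth.get(auth.get("type", ""), [])
                         if isinstance(kv, dict) and kv.get("value") and not VAR_REF.search(str(kv["value"]))]
        records.append({
            "path": leaf["path"],
            "method": req.get("method", "GET"),
            "url": url,
            "query_keys": query_keys,
            "headers": headers,
            "auth_type": auth.get("type"),
            "variables": sorted(set(VAR_REF.findall(url + " " + " ".join(headers.values())))),
            "hardcoded_headers": hardcoded,
            "hardcoded_auth": bool(auth_literals),
            "prerequest": scripts,
        })
    return records


def findings(records: List[Dict[str, Any]]) -> List[str]:
    """Summarise what a public share of this collection would expose."""
    out = []
    for r in records:
        for h in r["hardcoded_headers"]:
            out.append(f"{r['path']}: header {h} holds a literal value")
        if r["hardcoded_auth"]:
            out.append(f"{r['path']}: {r['auth_type']} auth holds a literal credential")
        if "/internal/" in r["url"]:
            out.append(f"{r['path']}: internal path exposed ({r['method']} {r['url']})")
    return out


if __name__ == "__main__":
    for line in findings(extract_context(SAMPLE_COLLECTION)):
        print("[!]", line)
```

The walker treats any item with a nested `item` list as a folder, so arbitrarily deep nesting is handled without special cases; the `{{var}}` test is what separates a collection that references an environment (safe to share if the environment stays private) from one that embeds the credential itself.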
Gotcha
Porch Pirate's effectiveness is fundamentally constrained by what users have accidentally made public. It cannot bypass Postman's authentication or access private workspaces without credentials—this isn't an exploitation tool but a reconnaissance framework that surfaces existing misconfigurations. If an organization has properly configured workspace permissions, Porch Pirate will find nothing. This means results are inherently unpredictable: you might discover dozens of exposed workspaces for one target and zero for another, regardless of organization size.
The secret extraction functionality, while comprehensive, generates false positives that require human judgment. A string matching the pattern of an API key might be an example placeholder value ('sk_test_EXAMPLE_KEY_DO_NOT_USE'), a reference to documentation, or an actual production credential. The tool prioritizes recall over precision—better to surface 100 potential secrets and manually review them than to miss the one production AWS key that grants S3 access. Budget time for triaging results rather than expecting a clean list of confirmed credentials. Additionally, Porch Pirate provides a point-in-time snapshot; it doesn't monitor for new public workspaces over time, meaning ongoing reconnaissance requires scheduling repeated scans or building your own monitoring wrapper around the library.
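Both caveats in that paragraph, triage of recall-heavy output and the lack of ongoing monitoring, can be handled with a thin layer around whatever the scan produces. The example below is added for this review and is not part of Porch Pirate: `triage` orders candidate strings into a review queue using placeholder markers and Shannon entropy (it confirms nothing, it only puts the most credential-like values first), and `diff_snapshots` compares two point-in-time scans keyed by workspace ID so a scheduled job can alert on newly public workspaces or endpoints. All candidate strings, workspace IDs and URLs are constructed sample values.

```python
import math
import re
from typing import Dict, List, Tuple

# Substrings that usually mark documentation placeholders rather than live credentials
PLACEHOLDER_MARKERS = ("example", "test", "dummy", "placeholder", "do_not_use",
                       "changeme", "xxxx", "your_", "<", ">")
VAR_REF = re.compile(r"\{\{[^{}]+\}\}")

# Constructed strings standing in for values a scan might surface
SAMPLE_CANDIDATES = [
    "sk_test_EXAMPLE_KEY_DO_NOT_USE",      # documentation placeholder (from the text)
    "{{stripe_secret}}",                   # reference to a (private) environment variable
    "Bearer abc",                          # too short and too regular to be a real token
    "q7Zx2pL9vRm4Ks8Td1Wn6Yb3Hj5Fg0Cw",    # constructed high-entropy value, not a real key
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit well above natural-language text."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(candidate: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'placeholder', 'review' or 'likely-live'."""
    reasons: List[str] = []
    low = candidate.lower()
    if any(m in low for m in PLACEHOLDER_MARKERS):
        reasons.append("placeholder marker present")
    if VAR_REF.search(candidate):
        reasons.append("Postman variable reference; value is not in the collection")
    if reasons:
        return "placeholder", reasons
    ent = shannon_entropy(candidate)
    if len(candidate) < 16:
        reasons.append(f"short ({len(candidate)} chars)")
    if ent < 3.0:
        reasons.append(f"low entropy ({ent:.2f} bits/char)")
    if reasons:
        return "review", reasons
    return "likely-live", [f"entropy {ent:.2f} bits/char, length {len(candidate)}"]


def build_review_queue(candidates: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Most credential-like values first, placeholders last, so reviewer time goes where it matters."""
    order = {"likely-live": 0, "review": 1, "placeholder": 2}
    rows = [(c, *triage(c)) for c in candidates]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed snapshots: workspace id -> endpoints seen in that workspace at scan time
PREVIOUS_SCAN = {"ws-aaaa": ["GET https://api.acme.example/v1/invoices"]}
CURRENT_SCAN = {
    "ws-aaaa": ["GET https://api.acme.example/v1/invoices",
                "POST https://api.acme.example/internal/invoices/void"],
    "ws-bbbb": ["GET https://api.acme.example/v1/users"],
}


def diff_snapshots(previous: Dict[str, List[str]], current: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Turn two point-in-time scans into alerts: new workspaces, removed workspaces,
    and endpoints newly seen in workspaces present in both scans."""
    new_ws = sorted(set(current) - set(previous))
    gone_ws = sorted(set(previous) - set(current))
    new_endpoints = [f"{ws}: {ep}" for ws in set(current) & set(previous)
                     for ep in sorted(set(current[ws]) - set(previous[ws]))]
    return {"new_workspaces": new_ws, "removed_workspaces": gone_ws,
            "new_endpoints": sorted(new_endpoints)}


if __name__ == "__main__":
    for value, verdict, reasons in build_review_queue(SAMPLE_CANDIDATES):
        print(f"{verdict:12} {value}  ({'; '.join(reasons)})")
    print(diff_snapshots(PREVIOUS_SCAN, CURRENT_SCAN))
```

In practice the snapshot dictionaries are what a scheduled run persists to disk between executions; the diff is what gets routed to a ticket or chat channel, so the team hears about a newly public workspace without re-reading the full dump every time.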
Verdict
Use Porch Pirate if you're conducting security assessments or red team engagements where API reconnaissance is critical, performing security audits to discover what your own organization has accidentally exposed in public Postman workspaces, or building automated OSINT pipelines that need Postman enumeration as one data source among many. The dual-mode design makes it equally valuable for one-off investigations and programmatic integration. Skip it if you need guaranteed access to private workspace content (consider social engineering or insider access instead), require zero-false-positive secret detection without manual review (no tool truly solves this), or are looking for real-time monitoring rather than point-in-time enumeration (you'll need to build a scheduling layer). This tool excels at quickly answering the question 'what has my target organization accidentally made public in Postman?'—and that question alone has ended many penetration tests early with critical findings.