How did you know! I installed postman just yesterday!!! Great vid as always.
Postman has an option to output curl commands such that folks can learn the curl commands easily. I used wget early on in my career, but now I live in curl. Great tool.
Oh that's neat
I'm also a big advocate of CLI tools to replace GUI ones, but I find that in this case it depends on the use case. In a personal setting, absolutely, go for curl/httpie. In a work setting, I'll always advocate Postman or similar tools, because it's way easier to onboard people who are not as comfortable as you are with CLI tools and scripting languages.
A big quality of Postman is that you can export a whole collection of tests, which people can simply import and play around with immediately. The adaptation margin would be more complicated if you gave them a bash script with hundreds of calls to curl, where you have to find the correct one to edit for your experimenting.
Sure, I'm not saying don't use Postman, it's probably super useful, but it's cool that you already have a tool installed to do the job.
Most developers have never heard of Burp Suite. And while they may know and use Postman, there is a very good chance that security triage, QA, and program managers have not.
But cURL is usually readily available. Heck, you now can find a version of cURL built into PowerShell on Windows! So while Burp is an awesome attack proxy for APIs, cURL allows you to get a little closer to the protocol level, giving you the flexibility to work on more complex vulnerabilities in a very lightweight way. It's much easier to work with a simple bash script that uses cURL that you can attach to an API security vulnerability report than to write a huge document of screenshots showing how to set up a Burp session to do it.
If you are hunting APIs for bug bounties, cURL becomes an essential tool to demonstrate the business impact of a vulnerability found in REST APIs. You can usually get a clearer dialog going with a bug bounty program’s security triage team when you can give them a small script of cURL commands that can showcase a weakness on an in-scope target API.
And it becomes much easier to reproduce API vulnerabilities to the triage team… which means you are that much closer to a successful submission.
Thanks for this very good video. I just recently started working with web APIs, and using Postman (as advised by coworkers) seemed a little overkill and more complex than working with a CLI tool such as curl for basic needs.
Great vid! I like to use HTTPie as my command line HTTP client.
Never heard of that one before
cURL was the only thing I could think of while I was looking at your beard ;)
I actually had a conversation about this earlier.
My mate, who is pretty Windows-centered, found it weird that his group in the group project decided to make a CLI frontend for a REST API, which wasn't interactive.
Meanwhile I sit in my group with a 100 line shell script that does a crap ton of cURL commands for testing the API...
Yeah, curl's manpage has 2531 lines. Thanks for the informative video, mate!
This is one of those occasions where little videos that look at one idea are really useful
This video has convinced me that I'm unlikely to use this tool. Thanks
Burp repeater is much better than curl for crafting ad hoc or arbitrary requests. I wish there was an open source version that was equally good.
Great tutorial, thank you for sharing
Curl is just awesome :D
Chrome network inspector allows you to right click -> copy as cURL.
Oh that's neat
Tip: try using Ctrl+PgUp/PgDown to switch between tabs in your browser; it works in programs like VS Code and Vim too.
If I'm switching between tabs with keybindings, my go-to is Ctrl-Tab and Ctrl-Shift-Tab.
Great! Can you do a video on how to use REST APIs in Neovim? I would like to totally replace Postman and use Neovim.
Unrelated to the content, but...
I recently noticed in bspwm that if I have multiple windows open and use my key binding to close them all quickly (hold down super + q till all windows close) Compton/picom-Tyrone will crash.
Can anyone reproduce this? It annoys the hell out of me and keeps me going back to i3, as i3 is less "touchy".
Again, this only happens when closing more than 2 windows at a time by holding down the close/quit bspc binding.
What about GraphQL API querying and stuff like WebSocket testing? Postman and Postwoman can do that; cURL can't.
Actually, it can.
@BrodieRobertson wait whaaaaaa? Since when? And how?
@tarekali7064 The first result on Google for "curl websocket" will show you how to do that, and GraphQL isn't a different protocol, it's just a front end for an HTTP request; you could even just use fetch in JS.
@BrodieRobertson Thanks, that's fair enough. Usually for GraphQL you need a special client of some sort. The UX of Postman/Postwoman is still better though, LUL.
What if there are cookies involved?
So... one sends a little bit of text (the request type, the headers, the endpoint, a bit of other data) to a server, but with the completely unneeded overhead of HTTP?! I very much dislike that.
Oh boy here he goes talking about gopher again
He will never give up on that....
Why can't we use curl for complex requests? It looks like a pretty robust tool
You can, it's just going to be really fiddly.
Comment to help with the YT algorithm.
It always helps, thank you
I created this script after watching this video: github.com/uyohn/getsh
I'm a bash noob, but it seems to work pretty much OK.
Digital maniac :-)
I'm not sure if that's supposed to be an insult or not