How to Run Business Logic Tests with Pynt

Business logic tests are essential for identifying vulnerabilities like those in the OWASP API Top 10. Pynt simplifies this process but may require specific inputs to test certain vulnerabilities. This guide explains how to provide the necessary input and run business logic tests effectively.

Understanding Input Requirements

If your scan results indicate that vulnerabilities like OWASP 2023:API1 or OWASP 2023:API5 were not tested due to a lack of input, it often means that Pynt needs API traffic from at least two different authenticated users. This diversity in traffic enables Pynt to analyze multi-user interactions, which are critical for detecting certain vulnerabilities.

About OWASP 2023:API1 - Broken Object Level Authorization
This vulnerability occurs when an API improperly verifies if a user is authorized to access a particular object. Attackers can exploit this by manipulating object identifiers to access data they shouldn’t have access to, such as another user’s personal information or sensitive business data.
Testing for this vulnerability requires multiple authenticated users to demonstrate whether proper object-level authorization checks are in place.

About OWASP 2023:API5 - Broken Function Level Authorization
This vulnerability arises when APIs fail to enforce function-level restrictions properly. Users with lower privileges may exploit this to execute unauthorized actions by invoking high-privilege API endpoints.
To test for this, Pynt requires requests from users with different privilege levels to evaluate whether function-level authorization is enforced consistently.

Providing Input for Business Logic Tests

Example 1: Using Postman Collections with Requests from Two Users

Create a Postman collection containing requests from two authenticated users.
- For example, in the Goat example application, include login and activity requests from User A and User B in the same collection.
Run the scan using the Postman collection with Pynt.
```
pynt newman --collection collection.json
```

Example 2: Using Postman Environments for Multiple Users

Create two Postman environment files, each containing the credentials of one authenticated user:
- env1.json for User A
- env2.json for User B
Run Pynt with both environment files:
```
pynt newman --collection collection.json --environment env1.json env2.json
```
In this setup:
- Pynt runs the collection twice, once per user.
- This provides the required multi-user traffic for testing.

Example 3: Using Browser with Pynt Listen

Start Pynt in listen mode to capture API traffic:
```
pynt listen --captured-domains <domain>
```
Open a browser and log in to the tested web application using two different users:
- Open two separate browser tabs or windows.
- Log in as User A in one tab.
- Log in as User B in the other tab.
Perform relevant actions for both users to generate API traffic.
Stop Pynt after capturing the traffic by pressing Enter in the terminal.
Run the scan with the captured traffic.

Checking Captured Users in the Traffic

To see how many users Pynt captured in the API traffic:

Open the Pynt HTML report generated after the scan.
Navigate to the Functional Tests By Endpoints section at the end of the report.
Review the number of users discovered for each endpoint in the traffic.

This information helps verify if sufficient multi-user traffic was captured for comprehensive testing.

Verification

After running the business logic tests:

Verify that vulnerabilities like OWASP 2023:API1 and OWASP 2023:API5 are now tested.

By ensuring diverse, authenticated traffic, Pynt can effectively test for business logic vulnerabilities. Let me know if you need further clarification or additional examples!

PreviousHow To NextHow to associate a Pynt scan to an Application in Pynt Dashboard

Last updated 4 months ago