How to Run Business Logic Tests with Pynt

Last updated 4 months ago

Business logic tests are essential for identifying vulnerabilities like those in the OWASP API Top 10. Pynt simplifies this process but may require specific inputs to test certain vulnerabilities. This guide explains how to provide the necessary input and run business logic tests effectively.

Understanding Input Requirements

If your scan results indicate that vulnerabilities like OWASP 2023:API1 or OWASP 2023:API5 were not tested due to a lack of input, it often means that Pynt needs API traffic from at least two different authenticated users. This diversity in traffic enables Pynt to analyze multi-user interactions, which are critical for detecting certain vulnerabilities.

About OWASP 2023:API1 - Broken Object Level Authorization

This vulnerability occurs when an API improperly verifies if a user is authorized to access a particular object. Attackers can exploit this by manipulating object identifiers to access data they shouldn’t have access to, such as another user’s personal information or sensitive business data.

Testing for this vulnerability requires multiple authenticated users to demonstrate whether proper object-level authorization checks are in place.

About OWASP 2023:API5 - Broken Function Level Authorization

This vulnerability arises when APIs fail to enforce function-level restrictions properly. Users with lower privileges may exploit this to execute unauthorized actions by invoking high-privilege API endpoints.

To test for this, Pynt requires requests from users with different privilege levels to evaluate whether function-level authorization is enforced consistently.

Providing Input for Business Logic Tests

Example 1: Using Postman Collections with Requests from Two Users

  1. Create a Postman collection containing requests from two authenticated users.

    • For example, in the Goat example application, include login and activity requests from User A and User B in the same collection.

  2. Run the scan using the Postman collection with Pynt.

    pynt newman --collection collection.json

Example 2: Using Postman Environments for Multiple Users

  1. Create two Postman environment files, each containing the credentials of one authenticated user:

    • env1.json for User A

    • env2.json for User B

  2. Run Pynt with both environment files:

    pynt newman --collection collection.json --environment env1.json env2.json

    In this setup:

    • Pynt runs the collection twice, once per user.

    • This provides the required multi-user traffic for testing.

Example 3: Using a Browser with Pynt Listen

  1. Start Pynt in listen mode to capture API traffic:

    pynt listen --captured-domains <domain>

  2. Open a browser and log in to the tested web application using two different users:

    • Open two separate browser tabs or windows.

    • Log in as User A in one tab.

    • Log in as User B in the other tab.

  3. Perform relevant actions for both users to generate API traffic.

  4. Stop Pynt after capturing the traffic by pressing Enter in the terminal.

  5. Run the scan with the captured traffic.

Checking Captured Users in the Traffic

To see how many users Pynt captured in the API traffic:

  1. Open the Pynt HTML report generated after the scan.

  2. Navigate to the Functional Tests By Endpoints section at the end of the report.

  3. Review the number of users discovered for each endpoint in the traffic.

This information helps verify if sufficient multi-user traffic was captured for comprehensive testing.
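As an added example (not part of Pynt's documentation or tooling), the script below performs the same per-endpoint user count on a HAR capture before a scan is run, so you can tell in advance which endpoints will lack the two authenticated users that the API1 and API5 tests need. It assumes a standard HAR layout and identifies users by their Authorization (or Cookie) header; the embedded capture and token values are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed HAR-style capture (placeholder hosts and tokens, not real traffic):
# both users call /users/me, but only user A ever calls /admin/users, and
# /health is unauthenticated, so those two endpoints cannot get multi-user tests.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.example.test/users/me",
                 "headers": [{"name": "Authorization", "value": "Bearer tokenA"}]}},
    {"request": {"method": "GET", "url": "https://api.example.test/users/me",
                 "headers": [{"name": "Authorization", "value": "Bearer tokenB"}]}},
    {"request": {"method": "GET", "url": "https://api.example.test/admin/users",
                 "headers": [{"name": "Authorization", "value": "Bearer tokenA"}]}},
    {"request": {"method": "GET", "url": "https://api.example.test/health",
                 "headers": []}},
]}}


def principal_of(request):
    """Opaque caller identity: the Authorization header if present, else the
    Cookie header, else None for anonymous requests. Tokens are never decoded."""
    headers = {h["name"].lower(): h["value"] for h in request.get("headers", [])}
    if "authorization" in headers:
        return "auth:" + headers["authorization"]
    if "cookie" in headers:
        return "cookie:" + headers["cookie"]
    return None


def users_per_endpoint(har):
    """Map (METHOD, path) -> number of distinct authenticated users observed."""
    seen = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        key = (req["method"].upper(), urlparse(req["url"]).path)
        bucket = seen.setdefault(key, set())  # register even anonymous endpoints
        who = principal_of(req)
        if who is not None:
            bucket.add(who)
    return {key: len(users) for key, users in seen.items()}


def endpoints_lacking_multi_user(har, minimum=2):
    """Endpoints seen with fewer than `minimum` users: supply more users'
    traffic for these before expecting API1/API5 results on them."""
    return sorted(ep for ep, n in users_per_endpoint(har).items() if n < minimum)


if __name__ == "__main__":
    import sys
    har = SAMPLE_HAR
    if len(sys.argv) > 1:  # pass a real HAR path to check your own capture
        with open(sys.argv[1]) as f:
            har = json.load(f)
    for ep, n in sorted(users_per_endpoint(har).items()):
        print(f"{ep[0]} {ep[1]}: {n} user(s)")
    print("needs more users:", endpoints_lacking_multi_user(har))
```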

Verification

After running the business logic tests:

  • Verify that vulnerabilities like OWASP 2023:API1 and OWASP 2023:API5 are now tested.

Once the captured traffic includes requests from several authenticated users, Pynt can test effectively for business logic vulnerabilities.

[Figure: Testing crAPI for business logic issues with two browser windows]