Pynt for Selenium
Integrate Pynt with Selenium to enhance API security testing. Automate security scans within your Selenium test suites to detect and mitigate vulnerabilities effectively.
Using Selenium for UI testing in combination with Pynt for automated API security testing is a powerful approach to enhance the security of your web applications. Here’s a step-by-step guide on how you can integrate Selenium with Pynt to create automated API security tests:
Setup Pynt
Follow the instructions to install Pynt here.
This integration is based on pynt command, in which Pynt runs the command given in the --cmd argument through a proxy, captures the traffic and runs API security tests on the APIs seen in that traffic.
Setup Selenium for integrating with Pynt
Since the Chromium browser does not honor the HTTPS_PROXY environment variables set by Pynt, you need to manually configure your Selenium test to use the Pynt proxy.
To configure the Selenium Chrome WebDriver to go through a proxy, add the following lines to your WebDriver setup:
Here's an example of a Python function that creates a Chrome WebDriver with a proxy, utilizing the RUNNING_FROM_PYNT environment variable set by the Pynt CLI to conditionally apply the proxy settings:
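The function below is an added example of that pattern, not the page's own snippet and not code from the Pynt project. The page supplies only the RUNNING_FROM_PYNT variable name; the proxy address (and the PYNT_PROXY_ADDRESS override) are assumptions, so set them to whatever port your pynt command run actually listens on. The flag logic is kept in a pure function so it can be checked without a browser, and the certificate-error bypass is only switched on when the test really runs under Pynt:

```python
import os
from typing import List, Mapping, Optional

# Assumption (not from this page): the address Pynt's intercepting proxy listens on.
# Override with PYNT_PROXY_ADDRESS if your `pynt command` run uses another port.
DEFAULT_PYNT_PROXY = os.environ.get("PYNT_PROXY_ADDRESS", "http://localhost:6666")


def running_from_pynt(env: Mapping[str, str]) -> bool:
    """True when the test was launched by the Pynt CLI (RUNNING_FROM_PYNT is set)."""
    return env.get("RUNNING_FROM_PYNT", "").strip().lower() not in ("", "0", "false")


def chrome_arguments(env: Optional[Mapping[str, str]] = None,
                     proxy: str = DEFAULT_PYNT_PROXY) -> List[str]:
    """Chrome flags for this run; proxy flags are added only under Pynt.

    Chromium ignores HTTPS_PROXY, so the proxy is passed explicitly with
    --proxy-server. Pynt terminates TLS with its own certificate, hence
    --ignore-certificate-errors; that flag is deliberately absent outside a
    Pynt run so ordinary test runs keep full certificate validation.
    """
    env = os.environ if env is None else env
    args = ["--headless=new", "--window-size=1280,800"]
    if running_from_pynt(env):
        args += [f"--proxy-server={proxy}", "--ignore-certificate-errors"]
    return args


def create_chrome_driver(env: Optional[Mapping[str, str]] = None):
    """Build a Chrome WebDriver with the flags from chrome_arguments()."""
    # Imported here so the flag logic above stays importable without Selenium.
    from selenium import webdriver
    from selenium.webdriver.chrome.options import Options

    options = Options()
    for arg in chrome_arguments(env):
        options.add_argument(arg)
    return webdriver.Chrome(options=options)


if __name__ == "__main__":
    driver = create_chrome_driver()
    try:
        driver.get("http://localhost:8888")  # crAPI front page from the setup step
        print("Loaded:", driver.title)
    finally:
        driver.quit()
```

Call create_chrome_driver() wherever your test currently constructs webdriver.Chrome(); when the same script is started by pynt command, the proxy flags appear automatically, and a plain python3 run leaves the browser untouched.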
Example
Here's a detailed guide to setting up and running a Selenium test with crAPI (Completely Ridiculous API), a vulnerable web application created by OWASP, and then using this test to run Pynt API Security tests to find Business Logic vulnerabilities in crAPI.
Setting up our target (crAPI)
This link includes instructions for setting up crAPI on Windows, Mac, or Linux. For example, on Linux the install flow is:
Wait for crAPI to start, then verify by going to http://localhost:8888
Setting up the Selenium test
Download crapi_selenium.py from here:
Run the Selenium test
python3 crapi_selenium.py
Flow of the Selenium test:
Set up the Chrome driver
Register a new user
Register a new vehicle for that user
Login
Go to dashboard and view vehicle location
Close the Chrome driver
Repeat the same process for another user
Run the Selenium test with Pynt
Now that the Selenium test is set up, we can run security tests:
You should see the Selenium test execute, after which Pynt begins scanning the APIs and shows the report once it is done. The --no-proxy-export flag tells Pynt not to export the HTTPS_PROXY environment variables, because doing so would cause Selenium's own configuration traffic to also be captured by Pynt.
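As an added example (not from this page or the Pynt project), here is a small runner that assembles the pynt command invocation from the flags this page names, waits for crAPI on localhost:8888 before starting, and propagates Pynt's exit status so the scan can gate a CI job. The exact quoting of --cmd, the readiness wait and the exit-code handling are assumptions; the subcommand and flag names come from the page:

```python
import shlex
import socket
import subprocess
import sys
import time
from typing import List

CRAPI_HOST = "localhost"
CRAPI_PORT = 8888               # crAPI front end, as in the setup step above
SELENIUM_SCRIPT = "crapi_selenium.py"


def build_pynt_command(test_script: str = SELENIUM_SCRIPT,
                       python: str = "python3") -> List[str]:
    """Assemble argv for a Pynt scan that drives the Selenium test.

    pynt command runs whatever --cmd names behind Pynt's proxy and tests the
    APIs it observes. --no-proxy-export keeps Pynt from exporting HTTPS_PROXY,
    which would otherwise drag Selenium's own configuration traffic into the
    scan; the browser is pointed at the proxy explicitly instead.
    """
    inner = shlex.join([python, test_script])   # one shell-safe string for --cmd
    return ["pynt", "command", "--cmd", inner, "--no-proxy-export"]


def wait_for_port(host: str, port: int, timeout_s: float) -> bool:
    """Poll until a TCP connect to host:port succeeds or timeout_s elapses."""
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(1)


def main() -> int:
    # Assumption: two minutes is enough for the crAPI containers to come up.
    if not wait_for_port(CRAPI_HOST, CRAPI_PORT, timeout_s=120):
        print(f"crAPI is not reachable on {CRAPI_HOST}:{CRAPI_PORT}", file=sys.stderr)
        return 2
    cmd = build_pynt_command()
    print("running:", shlex.join(cmd))
    # Pynt's own exit status becomes ours, so a failing scan fails the pipeline step.
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main())
```

Run it with python3 in the directory holding crapi_selenium.py; the Selenium test itself stays unchanged, since the RUNNING_FROM_PYNT check inside it is what switches the browser onto the proxy.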
Understanding the results
The UI test focuses solely on the login and dashboard pages, rather than covering the entire crAPI application. Despite this limitation, it provides sufficient data for Pynt to detect a Business Logic vulnerability, a Broken Object Level Authorization (BOLA) flaw, related to vehicle location. This specific vulnerability enables an attacker to query the locations of vehicles owned by other users.