Pynt for Selenium

Integrate Pynt with Selenium to enhance API security testing. Automate security scans within your Selenium test suites to detect and mitigate vulnerabilities effectively.

Using Selenium for UI testing in combination with Pynt for automated API security testing is a powerful approach to enhance the security of your web applications. Here’s a step-by-step guide on how you can integrate Selenium with Pynt to create automated API security tests:

Setup Pynt

Follow the instructions to install Pynt here

This integration is based on the pynt command mode, in which Pynt runs the command given in the --cmd argument through a proxy, captures the traffic, and runs API security tests on the APIs seen in that traffic.

Setup Selenium for integrating with Pynt

Since the Chromium browser does not honor the HTTPS_PROXY environment variables set by Pynt, you need to manually configure your Selenium test to use the Pynt proxy.

To configure the Selenium Chrome WebDriver to go through a proxy, add the following lines to your WebDriver setup:

chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
chrome_options.add_argument("--ignore-certificate-errors")

Here's an example of a Python function that creates a Chrome WebDriver with a proxy, utilizing the RUNNING_FROM_PYNT environment variable set by the Pynt CLI to conditionally apply the proxy settings:

import os

from selenium import webdriver


def get_webdriver(browser):
    if browser == "CHROME":
        chrome_options = webdriver.ChromeOptions()
        # The Pynt CLI sets RUNNING_FROM_PYNT=True for the command it launches
        pynt = os.environ.get("RUNNING_FROM_PYNT", "")
        if pynt == "True":
            # This section only applies when running with Pynt
            chrome_options.add_argument('--proxy-server=http://127.0.0.1:6666')
            chrome_options.add_argument('--proxy-bypass-list=<-loopback>')
            chrome_options.add_argument("--ignore-certificate-errors")

        return webdriver.Chrome(options=chrome_options)

    raise ValueError(f"Unsupported browser: {browser}")
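The following added example (not code from the Pynt project or its documentation) builds on the function above: it separates the Pynt-specific Chrome flags into a pure, testable function, explains why each flag is needed, and checks that the Pynt proxy is actually listening before launching the browser so the test fails with a clear message instead of producing a scan with no captured traffic. The proxy address and the RUNNING_FROM_PYNT variable are the ones from this page; the function and constant names are assumptions.

```python
import os
import socket

# Address that the Pynt CLI proxy listens on (from the configuration above).
PYNT_PROXY_HOST = "127.0.0.1"
PYNT_PROXY_PORT = 6666


def pynt_proxy_arguments(environ=None):
    """Return the Chrome flags needed to route traffic through the Pynt proxy.

    Chrome ignores the HTTPS_PROXY variable, so the proxy is passed explicitly.
    Returns an empty list when the test is not running under `pynt command`,
    so the same test file works unchanged in a normal CI run.
    """
    environ = os.environ if environ is None else environ
    if environ.get("RUNNING_FROM_PYNT", "") != "True":
        return []
    return [
        f"--proxy-server=http://{PYNT_PROXY_HOST}:{PYNT_PROXY_PORT}",
        # Chrome bypasses proxies for loopback addresses by default; "<-loopback>"
        # removes that rule so requests to http://localhost:8888 (crAPI) are captured too.
        "--proxy-bypass-list=<-loopback>",
        # Pynt terminates TLS with its own certificate, which Chrome would otherwise reject.
        "--ignore-certificate-errors",
    ]


def proxy_is_listening(host=PYNT_PROXY_HOST, port=PYNT_PROXY_PORT, timeout=1.0):
    """True if something accepts TCP connections on the Pynt proxy address."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def get_chrome_driver():
    """Create a Chrome WebDriver, proxied through Pynt only when Pynt launched the test."""
    from selenium import webdriver  # imported here so the helpers above work without Selenium

    args = pynt_proxy_arguments()
    if args and not proxy_is_listening():
        # Fail fast: otherwise every page load would error out and the scan would see no traffic.
        raise RuntimeError(
            f"RUNNING_FROM_PYNT is set but nothing listens on {PYNT_PROXY_HOST}:{PYNT_PROXY_PORT}"
        )
    options = webdriver.ChromeOptions()
    for arg in args:
        options.add_argument(arg)
    return webdriver.Chrome(options=options)
```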

Example

Here's a detailed guide to setting up and running a Selenium test with crAPI (Completely Ridiculous API), a vulnerable web application created by OWASP, and then using this test to run Pynt API Security tests to find Business Logic vulnerabilities in crAPI.

Setting up our target (crAPI)

This link includes instructions for setting up crAPI on Windows, Mac, or Linux. For example, on Linux the install flow is:

curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml

docker-compose pull

docker-compose -f docker-compose.yml --compatibility up -d

Wait for crAPI to start, then verify it is up by going to http://localhost:8888

Setting up the Selenium test

Download crapi_selenium.py from here:

wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/crapi_selenium.py
wget https://raw.githubusercontent.com/pynt-io/pynt/main/goat_functional_tests/selenium/requirements.txt
pip install -r requirements.txt

Run the Selenium test

python3 crapi_selenium.py

Flow of the Selenium test:

  1. Setup the chrome driver

  2. Register a new user

  3. Register a new vehicle for that user

  4. Login

  5. Go to dashboard and view vehicle location

  6. Close the chrome driver

  7. Repeat the same process for another user

Run the Selenium test with Pynt

Now that the Selenium test is set up, we can run the security tests:

pynt command --cmd "python3 crapi_selenium.py" --no-proxy-export

You should see the Selenium test execute; Pynt will then scan the captured APIs and show the report once it is done. The --no-proxy-export flag tells Pynt not to export the HTTPS_PROXY environment variables, which would otherwise cause Selenium's own WebDriver configuration traffic to be captured by Pynt as well.

Understanding the results

The UI test covers only the login and dashboard pages, rather than the entire crAPI application. Despite this limitation, it provides sufficient data for Pynt to detect a Business Logic vulnerability (BOLA) related to vehicle location. This specific vulnerability enables an attacker to query the locations of vehicles owned by other users.
