# Pynt for Playwright

### What is Playwright?

{% hint style="info" %}
💡 Playwright is a powerful framework for automating modern web applications across Chromium, Firefox, and WebKit. It is widely used for E2E testing, providing rich features like headless mode, multiple browser support, and network interception. Playwright is ideal for simulating real-world user behavior in CI environments.
{% endhint %}

<figure><img src="https://playwright.dev/img/playwright-logo.svg" alt="" width="188"><figcaption></figcaption></figure>

#### Pynt’s Integration with Playwright

As part of its dynamic API security suite, Pynt integrates with Playwright by observing the traffic generated during test execution. By running Playwright tests behind Pynt’s proxy, the APIs invoked during test flows are captured and analyzed for vulnerabilities.

***

> Pynt works by intercepting HTTP(S) traffic. It launches your test script with a local proxy and then analyzes the captured API interactions.

***

### Configuring Proxy in Playwright

When `RUNNING_FROM_PYNT=true` (set automatically by the Pynt CLI; export it yourself when using the Pynt binary), configure the browser to route traffic through Pynt’s proxy:

```javascript
launchOptions.proxy = {
  server: 'http://127.0.0.1:6666',
  bypass: '<-loopback>'
};
```

The browser must also ignore TLS certificate errors, since the proxy intercepts HTTPS traffic:

```javascript
const launchOptions = {
  headless: false,
  args: ['--ignore-certificate-errors']
};
```

Here's a JavaScript example with all configurations:

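```js
const { chromium } = require('playwright');

(async () => {
  // Pynt CLI sets RUNNING_FROM_PYNT=true; export it yourself for the Pynt binary
  const useProxy = process.env.RUNNING_FROM_PYNT === 'true';

  const launchOptions = {
    headless: false
  };

  if (useProxy) {
    // Route traffic, including loopback targets, through Pynt's local proxy
    launchOptions.proxy = {
      server: 'http://127.0.0.1:6666',
      bypass: '<-loopback>'
    };
    // Ignore TLS certificate errors only while running under Pynt
    launchOptions.args = ['--ignore-certificate-errors'];
  }

  const browser = await chromium.launch(launchOptions);
  const context = await browser.newContext();
  const page = await context.newPage();

  // Actual Playwright test here ...

  await context.close();
  await browser.close();
})();
```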
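The settings above weaken TLS validation and depend on `<-loopback>` to keep Chromium from skipping the proxy for localhost targets, so it is worth checking them before a run. The following is an added example, not code from Pynt or Playwright; `auditLaunchOptions`, its finding names and the sample option objects are hypothetical and constructed for illustration.

```javascript
// Added example: audit Playwright launch options before a Pynt run.
// Function name and finding strings are hypothetical, not a Pynt or Playwright API.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);

function proxyHost(server) {
  // Playwright accepts "host:port" as well as full URLs; normalise before parsing.
  const url = server.includes('://') ? server : 'http://' + server;
  try {
    return new URL(url).hostname;
  } catch {
    return null; // unparseable proxy address
  }
}

function auditLaunchOptions(options, { targetIsLocal = false } = {}) {
  const findings = [];
  const args = options.args || [];
  const proxy = options.proxy;
  const host = proxy ? proxyHost(proxy.server) : null;

  // Certificate checks disabled while the browser talks directly to servers.
  if (args.includes('--ignore-certificate-errors') && !proxy) {
    findings.push('tls-relaxed-without-proxy');
  }
  // Test traffic would leave the machine on its way to the proxy.
  if (proxy && !(host !== null && LOOPBACK_HOSTS.has(host))) {
    findings.push('proxy-not-loopback');
  }
  // Chromium skips the proxy for loopback targets unless '<-loopback>' is listed,
  // so a local target such as DVWA would produce no captured traffic.
  if (proxy && targetIsLocal) {
    const rules = (proxy.bypass || '').split(/[,;]/).map((r) => r.trim());
    if (!rules.includes('<-loopback>')) findings.push('local-target-bypasses-proxy');
  }
  return findings;
}

// Constructed sample configurations.
const pyntRun = {
  args: ['--ignore-certificate-errors'],
  proxy: { server: 'http://127.0.0.1:6666', bypass: '<-loopback>' }
};
const leakedFlag = { args: ['--ignore-certificate-errors'] };
const missingBypass = { proxy: { server: 'http://127.0.0.1:6666' } };

console.log(auditLaunchOptions(pyntRun, { targetIsLocal: true }));
console.log(auditLaunchOptions(leakedFlag));
console.log(auditLaunchOptions(missingBypass, { targetIsLocal: true }));
```

An empty array means the options match the configuration described above; any finding is a reason to fail the CI job before the browser starts.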

***

### Example: Running Pynt against DVWA

DVWA (Damn Vulnerable Web Application) is a good demo target for Pynt + Playwright integration.

This example shows how to set up DVWA and run a short Playwright test with **Pynt** to find the **MySQL Injection vulnerability**.

1. **Run DVWA locally via Docker**:

   ```bash
   docker run -it --rm -p 80:80 vulnerables/web-dvwa
   ```
2. **Download DVWA Playwright files**:
   * [test.js](https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/main/DVWA%20examples/Bitbucket/test.js) - the test script
   * [package.json](https://raw.githubusercontent.com/pynt-io/pynt/refs/heads/main/DVWA%20examples/Bitbucket/package.json)
3. **Setup:**

   ```bash
   npm install
   npx playwright install
   ```
4. **Run Pynt:**

   ```bash
   pynt command --cmd "npm run test" --captured-domains "*localhost*"
   ```

The scan should look like this:

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2F4tw2TsuSIrZ9ACeKsLAn%2Fimage.png?alt=media&#x26;token=145f85eb-25fe-4ce8-828f-f9bb56a3cbb4" alt=""><figcaption><p>Pynt scan in progress</p></figcaption></figure>

### Understanding the Results

Once your test finishes, Pynt will scan all APIs it observed during the Playwright test session. The results will look like this:

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2FoP4R4dxFY9Gy0tPxbVF4%2Fimage.png?alt=media&#x26;token=5e0a8335-ed06-499b-a65b-e85c2c2ab081" alt=""><figcaption><p>Pynt report showing the MySQL Injection</p></figcaption></figure>

***

### 💬 Need Help?

For further assistance, visit the Pynt CLI Troubleshooting Guide or ask the community on Pynt Community Support.
